9-3
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
Switch
(edge switch or wireless access point)—controls the physical access to the network based on
the authentication status of the client. The switch acts as an intermediary (proxy) between the client
and the authentication server, requesting identity information from the client, verifying that
information with the authentication server, and relaying a response to the client. The switch includes
the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and
interacting with the authentication server. (The switch is the
authenticator
in the IEEE 802.1x
standard.)
When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet
header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS format. The
EAP frames are not modified during encapsulation, and the authentication server must support EAP
within the native frame format. When the switch receives frames from the authentication server, the
server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet
and sent to the client.
The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3560-E,
Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst
2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software
that supports the RADIUS client and IEEE 802.1x authentication.
Authentication Process
When IEEE 802.1x port-based authentication is enabled and the client supports IEEE 802.1x-compliant
client software, these events occur:
•
If the client identity is valid and the IEEE 802.1x authentication succeeds, the switch grants the
client access to the network.
•
If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can use the client MAC address for authorization. If the
client MAC address is valid and the authorization succeeds, the switch grants the client access to the
network. If the client MAC address is invalid and the authorization fails, the switch assigns the client
to a guest VLAN that provides limited services if a guest VLAN is configured.
shows the authentication process.
Note
Inaccessible authentication bypass, referenced at the bottom of the flow chart, is not supported on the
switch.