9-22
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) do not start DHCP until they receive an EAP success, so without the simulated message they would never obtain an address in the restricted VLAN.
Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice
VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs
(routed ports) or trunk ports; it is supported only on access ports.
This feature works with port security. As soon as the port is authorized, a MAC address is provided to
port security. If port security does not permit the MAC address or if the maximum secure address count
is reached, the port becomes unauthorized and error disabled.
Other Layer 2 security features, such as dynamic ARP inspection, DHCP snooping, and IP source guard, can be configured independently on a restricted VLAN.
For more information, see the “Configuring a Restricted VLAN” section on page 9-50.
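The following configuration is an added example, not taken from this guide, showing the behaviour described above on one access port: a restricted VLAN for clients that fail authentication, periodic re-authentication so a failed client that later fixes its credentials can leave the restricted VLAN, and port security limiting the port to one secure MAC address. The interface name, VLAN numbers, and timer values are assumptions chosen for illustration; the `authentication event fail` command family is the 12.2(50)SE-style syntax and should be checked against the command reference for the release you run.

```cisco
! Added example: restricted VLAN on a single-host 802.1x access port.
! VLAN 40 is assumed to exist already and to carry only remediation services.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Restricted VLANs are supported only on access ports in single-host mode.
Switch(config-if)# authentication host-mode single-host
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
! Move the client to VLAN 40 after two failed EAP exchanges (retry count assumed).
Switch(config-if)# authentication event fail retry 2 action authorize vlan 40
! Keep periodic re-authentication on so a client behind a hub that fixes its
! credentials is re-checked even if the port never sees link down or EAP logoff.
Switch(config-if)# authentication periodic
Switch(config-if)# authentication timer reauthenticate 3600
! Port security is handed the authorized MAC address; a second address
! on the port makes it unauthorized and error-disabled.
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# end
! Verify which VLAN the session landed in.
Switch# show authentication sessions interface gigabitethernet1/0/1
```

Treat the restricted VLAN as untrusted: the hosts in it have, by definition, failed authentication, so it should reach only the remediation or guest services you intend, and DHCP snooping and dynamic ARP inspection can be enabled on it independently of the 802.1x configuration.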
802.1x Authentication with Inaccessible Authentication Bypass
Overview
Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated. You can configure the switch to connect those hosts to critical ports.
When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN, the critical VLAN. The administrator grants these hosts limited access by restricting what that VLAN can reach.
When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the configured RADIUS server. If a server is available, the switch can authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the critical-authentication state, which is a special case of the authentication state.
Support on Multiple-Authentication Ports
To support inaccessible bypass on multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize vlan vlan-id interface configuration command. When a new host tries to connect to the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified access VLAN.
The authentication event server dead action reinitialize vlan vlan-id interface configuration command is supported on all host modes.
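The following configuration is an added example, not taken from this guide, showing how the pieces of inaccessible authentication bypass fit together: the global RADIUS dead-server detection that decides when "all servers are unavailable", a critical VLAN on a single-host critical port, the multiauth variant that reinitializes the port, and the recovery action when a server returns. The RADIUS address, shared secret, interface names, VLAN numbers, and timer values are assumptions chosen for illustration.

```cisco
! Added example: RADIUS dead detection and critical ports.
! A server counts as dead after 30 seconds and 20 unanswered attempts, and
! stays marked dead for 60 minutes (values assumed for illustration).
Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
! Probe the server with a test user every 30 idle minutes so a dead server
! is noticed even when no real client is authenticating.
Switch(config)# radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 test username probe idle-time 30 key SharedSecret1
! Send EAPOL-Success to clients authorized into the critical VLAN so they
! proceed to DHCP, and wait 2000 ms between reinitializations on recovery.
Switch(config)# dot1x critical eapol
Switch(config)# dot1x critical recovery delay 2000
!
! Single-host critical port: on server death, authorize the host into VLAN 30.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication event server dead action authorize vlan 30
! When a server comes back, re-run authentication on critical-authenticated ports
! so hosts do not stay in the critical VLAN indefinitely.
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# exit
!
! Multiauth critical port: on server death the whole port is reinitialized and
! every connected host is moved to VLAN 30.
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication event server dead action reinitialize vlan 30
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# end
!
! Verify: the server's dead/alive state and whether a port is in the
! critical-authentication state.
Switch# show aaa servers
Switch# show dot1x interface gigabitethernet1/0/2 details
```

Two checks are worth making before relying on this. First, the critical VLAN is reached by hosts that were never authenticated, so scope it as tightly as the restricted VLAN. Second, without the server alive action, hosts authorized during an outage remain in the critical VLAN until the next re-authentication, so keep periodic re-authentication or the alive action configured so that the outage window does not become permanent access.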