9-26
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across
multiple different VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a
VLAN group name.
• Configure the RADIUS server to send more than one VLAN name for a user. The multiple VLAN names can be sent as part of the response to the user. The 802.1x user distribution tracks all the users in a particular VLAN and achieves load balancing by moving the authorized user to the least populated VLAN.
• Configure the RADIUS server to send a VLAN group name for a user. The VLAN group name can be sent as part of the response to the user. You can search for the selected VLAN group name among the VLAN group names that you configured by using the switch CLI. If the VLAN group name is found, the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN. Load balancing is achieved by moving the corresponding authorized user to that VLAN.
Note: The RADIUS server can send the VLAN information in any combination of VLAN-IDs, VLAN names, or VLAN groups.
802.1x User Distribution Configuration Guidelines
• Confirm that at least one VLAN is mapped to the VLAN group.
• You can map more than one VLAN to a VLAN group.
• You can modify the VLAN group by adding or deleting a VLAN.
• When you clear an existing VLAN from the VLAN group name, none of the authenticated ports in the VLAN are cleared, but the mappings are removed from the existing VLAN group.
• If you clear the last VLAN from the VLAN group name, the VLAN group is cleared.
• You can clear a VLAN group even when the active VLANs are mapped to the group. When you clear a VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.
For more information, see the “Configuring 802.1x User Distribution” section on page 9-55.
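The selection and group-clearing behavior described above can be modeled in a few lines. This Python sketch is an added example, not Cisco code or switch configuration. The class and method names, the sample VLAN names and IDs, the lowest-ID tie-break, and returning None when nothing resolves are all assumptions made for illustration.

```python
from collections import Counter

class UserDistribution:
    """Toy model of 802.1x user distribution (hypothetical, not switch code)."""

    def __init__(self, vlan_names):
        self.vlan_names = dict(vlan_names)  # VLAN name -> VLAN ID
        self.groups = {}                    # VLAN group name -> set of VLAN IDs
        self.users = {}                     # authenticated user -> VLAN ID

    def map_vlan(self, group, vlan_id):
        self.groups.setdefault(group, set()).add(vlan_id)

    def clear_vlan(self, group, vlan_id):
        # Only the mapping is removed; authenticated users stay where they are.
        vlans = self.groups.get(group, set())
        vlans.discard(vlan_id)
        if not vlans:
            self.groups.pop(group, None)    # last VLAN cleared -> group cleared

    def candidates(self, radius_values):
        """Expand any mix of VLAN IDs, VLAN names and VLAN groups to VLAN IDs."""
        out = set()
        for value in radius_values:
            if value.isdigit():
                out.add(int(value))
            elif value in self.groups:
                out |= self.groups[value]
            elif value in self.vlan_names:
                out.add(self.vlan_names[value])
        return out

    def authorize(self, user, radius_values):
        cands = self.candidates(radius_values)
        if not cands:
            return None                     # assumption: nothing resolved, no placement
        load = Counter(self.users.values())
        # Least populated VLAN wins; ties go to the lowest VLAN ID (assumption).
        vlan = min(sorted(cands), key=lambda v: load[v])
        self.users[user] = vlan
        return vlan

def demo():
    sw = UserDistribution({"ENG-A": 10, "ENG-B": 20, "LAB": 30})  # constructed data
    sw.map_vlan("eng-dept", 10)
    sw.map_vlan("eng-dept", 20)
    placed = [sw.authorize(f"user{i}", ["eng-dept"]) for i in range(4)]
    mixed = sw.authorize("user4", ["30", "ENG-A"])  # VLAN ID plus VLAN name
    sw.clear_vlan("eng-dept", 10)
    sw.clear_vlan("eng-dept", 20)
    return placed, mixed, "eng-dept" in sw.groups, len(sw.users)

if __name__ == "__main__":
    print(demo())
```
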
802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see
) by using the MAC authentication bypass feature. For example, you can enable this feature on
IEEE 802.1x ports connected to devices such as printers.
If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries
to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an 802.1x port, the switch uses the MAC
address as the client identity. The authentication server has a database of client MAC addresses that are
allowed network access. After detecting a client on an 802.1x port, the switch waits for an Ethernet
packet from the client. The switch sends the authentication server a RADIUS-access/request frame with