7-5
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 7 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Authentication
In a point-to-point configuration (see
Figure 7-1 on page 7-2
), only one client can be connected to the
802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 7-3
shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured
as a multiple-host port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.
Figure 7-3
Wireless LAN Example
Configuring 802.1X Authentication
The section describes how to configure 802.1X port-based authentication on your switch. It contains this
configuration information:
•
Default 802.1X Configuration, page 7-6
•
802.1X Configuration Guidelines, page 7-7
•
Enabling 802.1X Authentication, page 7-8
(required)
•
Configuring the Switch-to-RADIUS-Server Communication, page 7-9
(required)
•
Enabling Periodic Re-Authentication, page 7-10
(optional)
•
Manually Re-Authenticating a Client Connected to a Port, page 7-11
(optional)
•
Changing the Quiet Period, page 7-11
(optional)
•
Changing the Switch-to-Client Retransmission Time, page 7-12
(optional)
•
Setting the Switch-to-Client Frame-Retransmission Number, page 7-13
(optional)
•
Enabling Multiple Hosts, page 7-13
(optional)
•
Resetting the 802.1X Configuration to the Default Values, page 7-14
(optional)
Wireless clients
Access point
Catalyst 3550 switch
Authentication
server
(RADIUS)
65405