49-13
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
Figure 49-6
Message Exchange during MAC Authentication Bypass
•
The authentication-failed VLAN is used only with dot1x-authentication-failed users. MAB is not attempted with
dot1x-authentication-failed users. If 802.1X authentication fails, a port moves to the authentication-failed VLAN (if
configured) whether MAB is configured or not.
•
When both MAB and guest VLAN are configured and no EAPOL packets are received on a port, the 802.1X state-machine
is moved to a MAB state where it opens the port to listen to traffic and grab MAC addresses. The port remains in this state
forever waiting to see a MAC on the port. A detected MAC address that fails authorization causes the port to be moved to
the guest VLAN if configured.
While in a guest VLAN, a port is open to all traffic on the specified guest VLAN. Non-802.1X supplicants that normally
would be authorized but are in guest VLAN due to the earlier detection of a device that failed authorization, would remain
in the guest VLAN indefinitely. However, loss of link or the detection of an EAPOL on the wire causes a transition out of
the guest VLAN and back to the default 802.1X mode.
•
Once a new MAC is authenticated by MAB, the responsibility to limit access belongs to the 802.1X authenticator (or port
security) to secure the port. The 802.1X default host parameter is defined only for a single host. If the port is changed to
multiple- user host, port security must be used to enforce the number of MAC addresses allowed through this port.
•
Catalyst 4500 series switch supports MAB with VVID, with the restriction that the MAC address appears on a port data
VLAN only. All IP phone MACs learned using CDP are allowed on voice VLANs.
•
MAB and VMPS are mutually exclusive because their functionality overlaps.
Using 802.1X with Web-Based Authentication
The web-based authentication feature, known as Web Authentication Proxy, allows you to authenticate end users on host
systems that do not run the IEEE 802.1X supplicant.
When configuring web-based authentication, consider these guidelines:
•
Fallback to web-based authentication is configured on switch ports in access mode. Ports in trunk mode are not supported.
EAPOL-Request/Identity
EAPOL-Request/Identity
EAPOL-Request/Identity
RADIUS Access-Request
(Device MAC)
RADIUS Access-Request
RADIUS Access-Request
RADIUS Accept
Packet
(Device MAC)
181377
Port
Authorized
Client
Workstation
Catalyst 4500
Network Access Switch
RADIUS
Содержание Catalyst 4500 Series
Страница 2: ......
Страница 4: ......
Страница 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...