49-16
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
When the authentication server returns more than one VLAN group name or VLANs, this feature attempts to distribute users
evenly across those groups. It internally maintains the count of users assigned to each VLAN on that switch by authentication
or port security. Based on this information, this feature assigns a newly authenticated user to the least loaded VLAN on that
switch among all the VLANs or VLAN group names obtained from the RADIUS server.
This VLAN distribution considers the load of all the valid VLANs only during initial user authentication, and not during
reassignment. When some of the existing authenticated users are removed, the feature does not attempt to redistribute the
remaining authenticated users. Group distribution does not guarantee perfect load distribution all the time.
Deployment Example
In a large campus LAN design, you might want to design the VLAN infrastructure without large Layer 2 domain. For the same
employee VLAN, customers might have different VLANs at different campus access switches. When you deploy 802.1X with
VLAN assignment, it does not assign one employee VLAN to all employees. You have to know the real VLANs configured on
the switch. User distribution allows you to send a list of VLAN or VLAN group name(s) to the switch. Your switch can then
do a local mapping to the corresponding VLAN. (
).
Figure 49-7
802.1X with VLAN User Distribution
For details on how to configure VLAN User Distribution, see the
“Configuring 802.1X with VLAN User Distribution” section
Using 802.1X with Authentication Failed VLAN Assignment
You can use authentication-failed VLAN assignment on a per-port basis to provide access for authentication failed users.
Authentication failed users are end hosts that are 802.1X- capable but do not have valid credentials in an authentication server
or end hosts that do not give any username and password combination in the authentication pop-up window on the user side.
If a user fails the authentication process, that port is placed in the authentication-failed VLAN. The port remains in the
authentication-failed VLAN until the reauthentication timer expires. When the reauthentication timer expires the switch starts
sending the port reauthentication requests. If the port fails reauthentication it remains in the authentication-failed VLAN. If the
port is successfully reauthenticated, the port is moved either to the VLAN sent by RADIUS server or to the newly authenticated
ports configured VLAN; the location depends on whether RADIUS is configured to send VLAN information.
Содержание Catalyst 4500 Series
Страница 2: ......
Страница 4: ......
Страница 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...