User's Manual
13-4
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
The switch reauthenticates a client when one of these situations occurs:
  • Periodic reauthentication is enabled, and the reauthentication timer expires.
    You can configure the reauthentication timer to use a switch-specific value or to be based on values from the RADIUS server.
    After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]).
    The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which reauthentication occurs.
    The Termination-Action RADIUS attribute (Attribute[29]) specifies the action to take during reauthentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during reauthentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during reauthentication.
  • You manually reauthenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command.
If multidomain authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the “Multidomain Authentication” section on page 13-10.
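As an added worked example that is not part of the Cisco guide, the following Python parses the attribute portion of a RADIUS Access-Accept and derives the reauthentication period and action from Attribute[27] and Attribute[29] exactly as the section above describes. The attribute layout (Type, Length, Value; 4-byte big-endian integers; Termination-Action 0 = Default, 1 = RADIUS-Request) follows RFC 2865. The sample bytes are constructed here, and the `switch_timer` argument is an assumed stand-in for the switch-specific timer value that applies when the server sends no Session-Timeout.

```python
"""Reauthentication policy from RADIUS attributes (added example, not Cisco code).

Attribute layout follows RFC 2865: Type(1) Length(1) Value(Length-2); integer
values are 4 bytes big-endian. Termination-Action: 0 = Default, 1 = RADIUS-Request.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TIMEOUT = 27       # Attribute[27]: seconds until reauthentication
TERMINATION_ACTION = 29    # Attribute[29]: what happens at reauthentication
TERM_DEFAULT = 0           # "DEFAULT" -> Initialize: 802.1x session ends
TERM_RADIUS_REQUEST = 1    # "RADIUS-Request" -> ReAuthenticate: session kept


def encode_integer_attr(atype: int, value: int) -> bytes:
    """Build one integer-valued attribute TLV (used to construct sample input)."""
    return struct.pack(">BBI", atype, 6, value)


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Parse the attribute TLVs that follow the 20-byte RADIUS header.

    A Length below 2, a Length that overruns the buffer, or trailing bytes is a
    malformed packet: fail instead of looping forever or reading past the end.
    """
    attrs: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs[atype] = payload[i + 2:i + alen]   # last occurrence wins
        i += alen
    if i != len(payload):
        raise ValueError("trailing bytes after last attribute")
    return attrs


@dataclass
class ReauthPolicy:
    period: Optional[int]    # seconds until reauthentication; None = no timer value
    action: str              # "Initialize" or "ReAuthenticate"
    session_survives: bool   # connectivity kept during reauthentication


def reauth_policy(attrs: Dict[int, bytes],
                  switch_timer: Optional[int] = None) -> ReauthPolicy:
    """Attribute[27] sets the period, Attribute[29] selects the action.

    `switch_timer` (assumed) stands in for the switch-specific timer value that
    is used when the server sends no Session-Timeout.
    """
    period = switch_timer
    raw = attrs.get(SESSION_TIMEOUT)
    if raw is not None:
        if len(raw) != 4:
            raise ValueError("Session-Timeout must be a 4-byte integer")
        period = struct.unpack(">I", raw)[0]

    action = "Initialize"                       # DEFAULT when absent or 0
    raw = attrs.get(TERMINATION_ACTION)
    if raw is not None and len(raw) == 4 \
            and struct.unpack(">I", raw)[0] == TERM_RADIUS_REQUEST:
        action = "ReAuthenticate"
    return ReauthPolicy(period, action, action == "ReAuthenticate")


# Constructed sample: attributes of an Access-Accept asking for reauthentication
# every hour without dropping the session.
SAMPLE_ACCEPT_ATTRS = (encode_integer_attr(SESSION_TIMEOUT, 3600)
                       + encode_integer_attr(TERMINATION_ACTION, TERM_RADIUS_REQUEST))

if __name__ == "__main__":
    print(reauth_policy(parse_attributes(SAMPLE_ACCEPT_ATTRS)))
```

The parser treats a malformed Length as an error rather than skipping it, which is the behaviour to want in anything that sits on the authentication path: a Length of 0 or 1 would otherwise make the loop stand still.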
Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the failover backup to the first one. The RADIUS host entries are tried in the order in which they were configured.
Authentication Initiation and Message Exchange
During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame.
However, if during boot up the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.
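The identity exchange described in this section, as an added Python example that is not part of the guide: a minimal authenticator (`Switch`) and supplicant (`Client`) exchange EAPOL frames for both the switch-initiated case (link goes up, switch sends EAP-request/identity) and the client-initiated case (no request arrived during boot, client sends EAPOL-start). Frame layouts follow IEEE 802.1X and RFC 3748; the class and function names and the sample identities are constructed for this example, and the `reauthenticate` method stands in for the timer-driven or manual reauthentication discussed earlier.

```python
"""802.1x authentication initiation (added example, not Cisco code).

EAPOL header: Version(1) Type(1) Length(2).  EAP header: Code(1) Identifier(1)
Length(2) Type(1) followed by the type data (RFC 3748).
"""
import struct
from typing import List, Optional, Union

EAPOL_VERSION = 1
EAPOL_EAP_PACKET = 0      # EAPOL Type carrying an EAP packet
EAPOL_START = 1           # EAPOL-Start: client asks the switch to begin
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol_start() -> bytes:
    return struct.pack(">BBH", EAPOL_VERSION, EAPOL_START, 0)


def eap_identity(code: int, ident: int, identity: bytes = b"") -> bytes:
    """Wrap an EAP-Request/Identity or EAP-Response/Identity in an EAPOL frame."""
    eap = struct.pack(">BBHB", code, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack(">BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame: bytes):
    """Return (eapol_type, body); reject truncated frames rather than read past them."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, ptype, plen = struct.unpack(">BBH", frame[:4])
    body = frame[4:4 + plen]
    if len(body) != plen:
        raise ValueError("EAPOL length exceeds frame")
    return ptype, body


class Switch:
    """Authenticator side of a port in 'authentication port-control auto'."""

    def __init__(self) -> None:
        self.ident = 0            # EAP Identifier of the outstanding request
        self.log: List[str] = []  # frames seen, for the reader and the test

    def _request_identity(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        self.log.append("EAP-Request/Identity")
        return eap_identity(EAP_REQUEST, self.ident)

    def link_up(self) -> bytes:
        """Switch-initiated: link went down->up, so ask for the identity."""
        return self._request_identity()

    def reauthenticate(self) -> bytes:
        """Timer expiry or manual reauthentication: a fresh identity request."""
        return self._request_identity()

    def receive(self, frame: bytes) -> Union[bytes, str, None]:
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:                    # client-initiated
            self.log.append("EAPOL-Start")
            return self._request_identity()
        if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
            code, ident, length, etype = struct.unpack(">BBHB", body[:5])
            # Only accept a response to the request we actually sent.
            if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and ident == self.ident:
                identity = body[5:length].decode("utf-8", "replace")
                self.log.append(f"EAP-Response/Identity {identity}")
                return identity
        return None


class Client:
    """Supplicant that answers identity requests and can send EAPOL-Start."""

    def __init__(self, identity: str) -> None:
        self.identity = identity.encode()

    def boot_without_request(self) -> bytes:
        """No EAP-Request/Identity arrived during boot, so start the exchange."""
        return eapol_start()

    def receive(self, frame: bytes) -> Optional[bytes]:
        ptype, body = parse_eapol(frame)
        if ptype != EAPOL_EAP_PACKET or len(body) < 5:
            return None
        code, ident, _length, etype = struct.unpack(">BBHB", body[:5])
        if code == EAP_REQUEST and etype == EAP_TYPE_IDENTITY:
            return eap_identity(EAP_RESPONSE, ident, self.identity)   # echo Identifier
        return None


def switch_initiated(identity: str = "host42"):
    """Link up -> EAP-Request/Identity -> EAP-Response/Identity."""
    sw, cl = Switch(), Client(identity)
    return sw.receive(cl.receive(sw.link_up())), sw.log


def client_initiated(identity: str = "host42"):
    """EAPOL-Start -> EAP-Request/Identity -> EAP-Response/Identity."""
    sw, cl = Switch(), Client(identity)
    request = sw.receive(cl.boot_without_request())
    return sw.receive(cl.receive(request)), sw.log


if __name__ == "__main__":
    print(switch_initiated())
    print(client_initiated())
```

The switch only records an identity whose EAP Identifier matches the request it sent, which is the same pairing a real authenticator relies on to discard stale or unsolicited responses.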