User's Manual
13-5
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames 
from the client are dropped. If the client does not receive an EAP-request/identity frame after three 
attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in 
the authorized state effectively means that the client has been successfully authenticated. For more 
information, see the “Ports in Authorized and Unauthorized States” section on page 13-9.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames 
between the client and the authentication server until authentication succeeds or fails. If the 
authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication 
can be retried, the port might be assigned to a VLAN that provides limited services, or network access 
is not granted. For more information, see the “Ports in Authorized and Unauthorized States” section on page 13-9.
The specific exchange of EAP frames depends on the authentication method being used. Figure 13-3 
shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) 
authentication method with a RADIUS server.
Figure 13-3 Message Exchange
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC 
authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet 
packet from the client. The switch uses the MAC address of the client as its identity and includes this 
information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server 
sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes 
authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest 
VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops 
the MAC authentication bypass process and starts 802.1x authentication.
[Figure 13-3, Message Exchange: client, switch, and authentication server (RADIUS). Sequence shown: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; RADIUS Access-Challenge; EAP-Request/OTP; EAP-Response/OTP; RADIUS Access-Request; RADIUS Access-Accept; EAP-Success (port authorized); EAPOL-Logoff (port unauthorized).]
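The exchange of Figure 13-3 and the MAC authentication bypass fallback described above, as an added example in Python that is not part of the Cisco guide: a toy authenticator port state machine that relays EAP between a client and a stand-in RADIUS server, treats 802.1x as timed out after a fixed number of unanswered identity requests, falls back to MAB using the source MAC as the identity, assigns the guest VLAN when the MAB lookup is rejected, and abandons MAB when an EAPOL frame arrives. The functions and class names, the user "alice" with a fixed OTP, the MAC addresses, VLAN numbers and the three-request timeout are all assumptions made up for the example; real timers, RADIUS attributes and OTP validation are simplified stand-ins.

```python
"""Toy 802.1x/MAB authenticator model: an added example, not Cisco code; users, OTPs, MACs and VLANs are made up."""
from dataclasses import dataclass, field
from typing import Optional

ACCESS_VLAN = 10            # assumption: VLAN granted on Access-Accept
MAX_IDENTITY_REQUESTS = 3   # assumption: identity requests sent before 802.1x is treated as timed out
OTP_BY_USER = {"alice": "295836"}        # constructed: one OTP user known to the server
ALLOWED_MACS = {"00:11:22:33:44:55"}     # constructed: one MAC permitted via MAB (say, a printer)

def radius_access_request(identity, otp=None):
    """Stand-in authentication server: identity is a user name or, for MAB, a MAC address."""
    if identity in ALLOWED_MACS:                      # MAB lookup: the MAC is the identity
        return "Access-Accept"
    if identity in OTP_BY_USER:
        if otp is None:                               # first round: challenge for the OTP
            return "Access-Challenge"
        if otp == OTP_BY_USER[identity]:
            return "Access-Accept"
    return "Access-Reject"

@dataclass
class SwitchPort:
    """Authenticator port: relays EAP between client and RADIUS and owns the port state."""
    mab_enabled: bool = False
    guest_vlan: Optional[int] = None
    state: str = "unauthorized"
    vlan: Optional[int] = None
    identity: Optional[str] = None
    identity_requests: int = 0
    waiting_for_mac: bool = False     # MAB phase: waiting for any Ethernet frame from the client
    log: list = field(default_factory=list)

    def link_up(self):
        self.identity_requests = 1
        return self._send("EAP-Request/Identity")

    def timeout(self):
        """EAP-Request/Identity timer expired with no EAPOL reply from the client."""
        if self.identity_requests < MAX_IDENTITY_REQUESTS:
            self.identity_requests += 1
            return self._send("EAP-Request/Identity")
        if self.mab_enabled:                          # 802.1x timed out: fall back to MAB
            self.waiting_for_mac = True
        return None

    def receive(self, frame):
        """Handle a frame from the client; returns the frame sent back to it, if any."""
        kind, src = frame["type"], frame["src"]
        if kind != "Data":                            # any EAPOL frame seen while waiting for MAB
            self.waiting_for_mac = False              # aborts MAB and (re)starts 802.1x
        if kind == "EAPOL-Start":
            return self.link_up()
        if kind == "EAP-Response/Identity":
            self.identity = frame["identity"]
            return self._radius_round(self.identity)
        if kind == "EAP-Response/OTP":
            return self._radius_round(self.identity, frame["otp"])
        if kind == "EAPOL-Logoff":
            self.state, self.vlan = "unauthorized", None
        elif kind == "Data" and self.state == "unauthorized" and self.waiting_for_mac:
            self.waiting_for_mac = False              # MAB: the source MAC becomes the identity
            return self._radius_round(src, mab=True)
        return None                                   # data: forwarded if authorized, else dropped

    def _send(self, eap_type):
        self.log.append(("switch->client", eap_type))
        return {"type": eap_type, "src": "switch"}

    def _radius_round(self, identity, otp=None, mab=False):
        self.log.append(("switch->radius", f"Access-Request identity={identity}"))
        verdict = radius_access_request(identity, otp)
        self.log.append(("radius->switch", verdict))
        if verdict == "Access-Challenge":             # relay the server's EAP-Request/OTP
            return self._send("EAP-Request/OTP")
        if verdict == "Access-Accept":
            self.state, self.vlan = "authorized", ACCESS_VLAN
            return None if mab else self._send("EAP-Success")
        if mab and self.guest_vlan is not None:       # MAB rejected, guest VLAN configured
            self.state, self.vlan = "guest", self.guest_vlan
        return None if mab else self._send("EAP-Failure")   # 802.1x failed: may be retried

def dot1x_session(port, mac, identity, otp):
    """Client-initiated exchange of Figure 13-3; the supplicant's answers are inline."""
    frame = port.receive({"type": "EAPOL-Start", "src": mac})
    while frame is not None:
        if frame["type"] == "EAP-Request/Identity":
            frame = port.receive({"type": "EAP-Response/Identity", "src": mac, "identity": identity})
        elif frame["type"] == "EAP-Request/OTP":
            frame = port.receive({"type": "EAP-Response/OTP", "src": mac, "otp": otp})
        else:                                         # EAP-Success or EAP-Failure ends the exchange
            break
    return port.state

def mab_session(port, mac):
    """Device with no supplicant: identity requests time out, then MAB runs on its first frame."""
    port.link_up()
    for _ in range(MAX_IDENTITY_REQUESTS):            # every identity request goes unanswered
        port.timeout()
    port.receive({"type": "Data", "src": mac})
    return port.state, port.vlan
```

Calling `dot1x_session(SwitchPort(), "aa:bb:cc:dd:ee:01", "alice", "295836")` walks the port through the EAPOL-Start, identity, challenge and accept rounds of the figure and leaves `port.log` holding that sequence; `mab_session(SwitchPort(mab_enabled=True, guest_vlan=99), mac)` shows the timeout path, landing in the access VLAN for a MAC the server knows and in the guest VLAN for one it rejects. Note that the MAB path authorizes on nothing but the source MAC address, which any host can set, so it grants exactly as much trust as the server's MAC list deserves and no more.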