User's Manual
11-26
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the 
Termination-Action RADIUS attribute (Attribute[29]), and the Termination-Action is Initialize (the 
attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during 
re-authentication. If MAC authentication bypass is enabled and the IEEE 802.1x authentication times out, 
the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information 
about these AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) 
Usage Guidelines.”
MAC authentication bypass interacts with these features:
  • IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x 
authentication is enabled on the port.
  • Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a 
guest VLAN if one is configured.
  • Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port 
is authenticated with MAC authentication bypass.
  • Port security—See the “IEEE 802.1x Authentication with Port Security” section on page 11-24.
  • Voice VLAN—See the “IEEE 802.1x Authentication with Voice VLAN Ports” section on 
page 11-23.
  • VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
  • Private VLAN—You can assign a client to a private VLAN. 
  • Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception 
list. 
For more configuration information, see the “Authentication Manager” section on page 11-8.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which 
checks the antivirus condition or posture of endpoint systems or clients before granting the devices 
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
  • Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action 
RADIUS attribute (Attribute[29]) from the authentication server.
  • Set the number of seconds between re-authentication attempts as the value of the Session-Timeout 
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS 
server.
  • Set the action to be taken when the switch tries to re-authenticate the client by using the 
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the 
session ends. If the value is RADIUS-Request, the re-authentication process starts.
  • View the NAC posture token, which shows the posture of the client, by using the show dot1x 
privileged EXEC command.
  • Configure secondary private VLANs as guest VLANs.
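The two passages above (the MAC authentication bypass re-authentication rules and the NAC Layer 2 IEEE 802.1x validation list) both turn on how the switch reads Attribute[27] and Attribute[29] from the Access-Accept. The following added example is not Cisco code and is not from this guide; it parses the Type/Length/Value attribute list of a RADIUS packet body as defined in RFC 2865 (Session-Timeout is a 4-octet integer of seconds; Termination-Action is 0 for Default and 1 for RADIUS-Request) and then applies the decision the text describes. The sample attribute bodies are constructed here, not captured from a real server, and the result field names are this example's own.

```python
import struct

# RFC 2865 attribute numbers (the guide calls them Attribute[27] and Attribute[29])
SESSION_TIMEOUT = 27       # integer: seconds until the switch must re-authenticate
TERMINATION_ACTION = 29    # integer: 0 = Default, 1 = RADIUS-Request


def build_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(data: bytes) -> dict:
    """Walk the attribute list of a RADIUS packet body into {type: value bytes}.
    A short or overlong length field is treated as malformed rather than skipped,
    so a truncated or tampered attribute list cannot silently drop Attribute[29]."""
    attrs = {}
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs[atype] = data[i + 2:i + alen]   # last occurrence wins; fine for this demo
        i += alen
    return attrs


def session_timeout_decision(avps: dict, mab_enabled: bool) -> dict:
    """What happens when Session-Timeout expires, following the guide's rules:
    Termination-Action RADIUS-Request -> re-authentication starts, session kept;
    Default or unset -> session ends and connectivity is lost during re-authentication;
    if MAB is enabled and 802.1x then times out, the switch re-authorizes by MAC."""
    if SESSION_TIMEOUT not in avps:
        return {"server_driven": False, "seconds": None, "action": None,
                "session_ends": False, "fallback": None}
    if len(avps[SESSION_TIMEOUT]) != 4:
        raise ValueError("Session-Timeout must be a 4-octet integer")
    seconds = struct.unpack("!I", avps[SESSION_TIMEOUT])[0]
    raw = avps.get(TERMINATION_ACTION)
    action = struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else 0
    if action == 1:
        return {"server_driven": True, "seconds": seconds, "action": "RADIUS-Request",
                "session_ends": False, "fallback": None}
    return {"server_driven": True, "seconds": seconds, "action": "Default",
            "session_ends": True, "fallback": "mab" if mab_enabled else None}


# Constructed sample Access-Accept attribute bodies (not captured from a real server)
ACCEPT_REAUTH = (build_avp(SESSION_TIMEOUT, struct.pack("!I", 3600))
                 + build_avp(TERMINATION_ACTION, struct.pack("!I", 1)))
ACCEPT_DEFAULT = (build_avp(SESSION_TIMEOUT, struct.pack("!I", 600))
                  + build_avp(TERMINATION_ACTION, struct.pack("!I", 0)))
ACCEPT_NO_ACTION = build_avp(SESSION_TIMEOUT, struct.pack("!I", 600))

if __name__ == "__main__":
    for name, body in [("reauth", ACCEPT_REAUTH), ("default", ACCEPT_DEFAULT),
                       ("no-action", ACCEPT_NO_ACTION)]:
        print(name, session_timeout_decision(parse_avps(body), mab_enabled=True))
```

The strict length check in `parse_avps` is the part worth keeping when adapting this: an attribute list that is accepted with a short or overlong length can make the switch-side logic see a missing Termination-Action and fall back to Default, which is exactly the case where the client loses connectivity at every timeout.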