Specifications
10-6
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-07
Chapter 10 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
• When the client logs off, the port transitions back to an unauthenticated state and all dynamic entries
in the secure host table are cleared, including the entry for the client. Normal authentication then
takes place.
• If the port is administratively shut down, the port becomes unauthenticated and all dynamic entries
are removed from the secure host table.
See the “Enabling Multiple Hosts” section on page 10-15 and the “Configuring Port Security” section
on page 19-4 for more information about enabling 802.1X and port security on your switch.
Using 802.1X with VLAN Assignment
For switches running the enhanced software image (EI), you can use VLAN assignment to limit network
access for certain users. With VLAN assignment, 802.1X-authenticated ports are assigned to a VLAN based
on the username of the client connected to that port. The RADIUS server database maintains the
username-to-VLAN mappings. After successful 802.1X authentication of the port, the RADIUS server
returns the VLAN assignment to the switch in its Access-Accept message; the client never sees the
assignment and cannot choose its own VLAN.
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these
characteristics:
• If no VLAN is supplied by the RADIUS server or AAA authorization is disabled, the port is
configured in its access VLAN (the VLAN set with the switchport access vlan command) after
successful authentication.
• If authorization is enabled but the VLAN information from the server is not valid, the port remains
down in the unauthenticated state. This fail-closed behavior prevents ports from appearing
unexpectedly in an inappropriate VLAN because of a configuration error.
Configuration errors include specifying a VLAN for a routed port, a malformed VLAN ID, a
nonexistent or internal (routed port) VLAN ID, or attempting assignment to a voice VLAN ID.
• If authorization is enabled and all information from the server is valid, the port is placed in the
specified VLAN after successful authentication.
• If the multiple-hosts mode is enabled, all hosts are in the same VLAN as the first authenticated user.
• If 802.1X is disabled on the port, it is returned to the configured access VLAN.
To configure VLAN assignment you need to:
• Enable AAA
• Enable 802.1X
• Assign the tunnel attributes in the RADIUS server. The RADIUS server must return all three of
these attributes to the switch in the Access-Accept message for the user:
– [64] Tunnel-Type = VLAN
– [65] Tunnel-Medium-Type = 802
– [81] Tunnel-Private-Group-ID = VLAN NAME
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
(type 6). Attribute [81] specifies the VLAN name assigned to the 802.1X-authenticated user; the name
must match a VLAN that exists on the switch, or the port stays unauthenticated as described above.
See the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 9-28 for
examples of vendor-specific attributes.
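The following Python is an added worked example, not code from the Catalyst guide or from Cisco IOS. It models both halves of the exchange described above: the RADIUS side builds attributes [64], [65] and [81] as RFC 2868 tagged attributes (tag octet, 3-octet integer or string), and the switch side parses them and applies the acceptance rules listed under the VLAN assignment characteristics (no VLAN returned gives the access VLAN; a nonexistent, voice or internal VLAN leaves the port unauthenticated; a valid name yields the assigned VLAN). The VLAN table, VLAN names, function names, and the choice to treat an incomplete or inconsistently tagged attribute set as invalid are assumptions of this example, not behavior documented on this page.

```python
"""Added example: RFC 2868 tunnel attributes for 802.1X VLAN assignment,
encoded as a RADIUS server would send them and validated as the switch-side
rules on this page describe.  All switch state below is constructed."""
import struct

# Attribute numbers and enumerated values from RFC 2868.
TUNNEL_TYPE = 64              # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6         # Tunnel-Medium-Type value "802"


def encode_tagged_int(attr_type, tag, value):
    """Type, Length, Tag (1 octet), Value (3 octets): RFC 2868 sections 3.1 and 3.2."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag (1 octet), String: RFC 2868 section 3.6."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_avps(vlan_name, tag=0):
    """The three attributes the server must return, as they sit in an Access-Accept."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_avps(blob):
    """Walk a RADIUS attribute list; tunnel attributes become (type, tag, value),
    anything else is returned raw as (type, None, bytes)."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        body = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            avps.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first octet above 0x1F is part of the string, not a tag.
            if body and body[0] <= 0x1F:
                avps.append((attr_type, body[0], body[1:].decode("ascii", "replace")))
            else:
                avps.append((attr_type, 0, body.decode("ascii", "replace")))
        else:
            avps.append((attr_type, None, body))
        i += length
    return avps


def decide_port_vlan(avps, access_vlan, vlans, voice_vlans=(), internal_vlans=(),
                     aaa_authorization=True):
    """Switch-side rules from this page.  Returns ("authorized", vlan_id) or
    ("unauthenticated", reason).  `vlans` maps VLAN name -> VLAN ID as configured
    on the switch.  Rejecting a partial or inconsistently tagged attribute set is
    this example's conservative reading of "VLAN information ... not valid"."""
    if not aaa_authorization:
        return ("authorized", access_vlan)
    tunnel = {t: (tag, v) for t, tag, v in avps if tag is not None}
    if not tunnel:
        return ("authorized", access_vlan)  # server supplied no VLAN at all
    if set(tunnel) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return ("unauthenticated", "incomplete tunnel attribute set")
    if len({tag for tag, _ in tunnel.values()}) != 1:
        return ("unauthenticated", "tunnel attributes carry different tags")
    if tunnel[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return ("unauthenticated", "Tunnel-Type is not VLAN (13)")
    if tunnel[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return ("unauthenticated", "Tunnel-Medium-Type is not 802 (6)")
    name = tunnel[TUNNEL_PRIVATE_GROUP_ID][1]
    if name not in vlans:
        return ("unauthenticated", "VLAN %r does not exist on the switch" % name)
    if name in voice_vlans or name in internal_vlans:
        return ("unauthenticated", "VLAN %r is a voice or internal VLAN" % name)
    if not 1 <= vlans[name] <= 4094:
        return ("unauthenticated", "malformed VLAN ID %r" % vlans[name])
    return ("authorized", vlans[name])


# Constructed switch state: access VLAN 10, two user VLANs, a voice VLAN, and an
# internal VLAN (hypothetical name RP1) allocated to a routed port.
SWITCH_VLANS = {"DEFAULT": 10, "ENGINEERING": 20, "FINANCE": 30, "VOICE": 100, "RP1": 1025}
VOICE_VLANS = {"VOICE"}
INTERNAL_VLANS = {"RP1"}


def authorize(vlan_name_from_server, access_vlan=10, **kw):
    """Round trip: server builds the attributes, switch parses and applies them."""
    blob = b"" if vlan_name_from_server is None else build_vlan_avps(vlan_name_from_server)
    return decide_port_vlan(parse_avps(blob), access_vlan, SWITCH_VLANS,
                            VOICE_VLANS, INTERNAL_VLANS, **kw)


if __name__ == "__main__":
    for name in ("ENGINEERING", None, "VOICE", "RP1", "NOSUCHVLAN"):
        print(name, "->", authorize(name))
```

The parser keeps the RFC 2868 tag rule for [81] (a leading octet above 0x1F is the first character of the VLAN name, not a tag) because servers differ on whether they emit the tag octet; a switch that treated every first octet as a tag would silently mangle names and, by the fail-closed rule above, leave the port unauthenticated with no obvious cause.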