Specifications
8-8
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 8 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put
into the configured access VLAN.
If an 802.1X port is authenticated and put in the RADIUS server assigned VLAN, any change to the port
access VLAN configuration does not take effect.
The 802.1X with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment, you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable 802.1X. (The VLAN assignment feature is automatically enabled when you configure 802.1X on an access port.)
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
– [64] Tunnel-Type = VLAN
– [65] Tunnel-Medium-Type = 802
– [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user.
For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS
Attributes” section on page 7-29.
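As an added example (not code from the Cisco guide or from any RADIUS server), the following Python builds the three tunnel attributes in their wire format and checks a returned attribute blob against the three requirements above: [64] must be VLAN (13), [65] must be 802 (6), and [81] must carry a VLAN name or ID. The encoding rules assumed here (type, length, tag octet, 3-byte integer value; a leading octet above 0x1F in [81] is data rather than a tag; tag 0 means untagged) come from RFC 2868, not from this page, and the sample VLAN values are constructed.

```python
# Added example: encode and validate the RFC 2868 tunnel attributes that a
# RADIUS Access-Accept must carry for 802.1X VLAN assignment. Not Cisco code.

TUNNEL_TYPE = 64               # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value "802"
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr_type, tag, value):
    """Type(1) Length(1)=6 Tag(1) Value(3): RFC 2868 tagged-integer layout."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type(1) Length(1) Tag(1) String: RFC 2868 tagged-string layout."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(body) + 2]) + body


def build_vlan_assignment(vlan, tag=1):
    """Attributes [64], [65], [81] for one VLAN (ID or name), all in tunnel group `tag`."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(buf):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(buf[i + 2:i + alen])))
        i += alen
    return attrs


def check_vlan_assignment(buf):
    """Return (True, vlan) if the blob meets the three requirements, else (False, reason)."""
    found = {}
    for atype, val in parse_attributes(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                return False, "attribute [%d] has wrong length" % atype
            found[atype] = (val[0], int.from_bytes(val[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet above 0x1F is string data, not a tag
            if val and val[0] <= 0x1F:
                found[atype] = (val[0], val[1:].decode("ascii", "replace"))
            else:
                found[atype] = (0, val.decode("ascii", "replace"))
    missing = [t for t in REQUIRED if t not in found]
    if missing:
        return False, "missing attributes %s" % missing
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is not VLAN (13)"
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return False, "Tunnel-Medium-Type is not 802 (6)"
    # Non-zero tags group attributes into one tunnel; they must agree (tag 0 = untagged)
    if len({found[t][0] for t in REQUIRED} - {0}) > 1:
        return False, "tunnel attributes carry different tags"
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    if not group:
        return False, "empty Tunnel-Private-Group-ID"
    return True, group


if __name__ == "__main__":
    # Constructed sample: an Access-Accept attribute fragment assigning VLAN 20
    ok, vlan = check_vlan_assignment(build_vlan_assignment(20))
    print(ok, vlan)  # True 20
```

The check is useful when a port that authenticates successfully ends up in the configured access VLAN instead of the expected RADIUS-assigned one: feed it the attribute bytes of the captured Access-Accept and it reports which of the three requirements the server's reply misses.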
Using 802.1X with Guest VLAN
You can configure a guest VLAN for each 802.1X port on the switch to provide limited services to clients (for example, the ability to download the 802.1X client software). These clients might be upgrading their system for 802.1X authentication, and some hosts, such as Windows 98 systems, might not be 802.1X-capable.
When the authentication server does not receive a response to its EAPOL request/identity frame, clients that are not 802.1X-capable are put into the guest VLAN for the port, if one is configured. 802.1X-capable clients that fail authentication, however, are not granted access to the network. Once the switch port is moved to the guest VLAN, any number of hosts are allowed access through it. If an 802.1X-capable host joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1X guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
For more information, see the “Configuring a Guest VLAN” section on page 8-18.