This chapter describes how to configure IEEE 802.1x port-based authentication. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a standalone switch or a switch stack.



Your software release might not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.hunterriverpei.com/go/cfn. An account on Cisco.com is not required.


The 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Note

For complete syntax and usage information for the commands used in this chapter, see the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.4, and the command reference for this release.


Port-Based Authentication Process


When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software, these events occur:

If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization.


Figure 1. Authentication Flowchart. This figure shows the authentication process.

The switch re-authenticates a client when one of these situations occurs:


Port-Based Authentication Initiation and Message Exchange


During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame.

However, if during bootup the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.

Note

If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication can be retried, the port can be assigned to a VLAN that provides limited services, or network access is not granted.

The specific exchange of EAP frames depends on the authentication method being used.


Figure 2. Message Exchange. This figure shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.

If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the client. The switch uses the MAC address of the client as its identity and includes this information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and starts 802.1x authentication.


Figure 3. Message Exchange During MAC Authentication Bypass. This figure shows the message exchange during MAC authentication bypass.

Table 1 802.1x Features

Each row lists the features that an authentication method supports in each host mode (Single host, Multiple host, MDA, Multiple Authentication).

802.1x
    Single host: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple host: VLAN assignment
    MDA: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple Authentication: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL

MAC authentication bypass
    Single host: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple host: VLAN assignment
    MDA: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple Authentication: VLAN assignment, Per-user ACL, Filter-Id attribute, Downloadable ACL, Redirect URL

Standalone web authentication
    All host modes: Proxy ACL, Filter-Id attribute, Downloadable ACL

NAC Layer 2 IP validation
    Single host: Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple host: Filter-Id attribute, Downloadable ACL, Redirect URL
    MDA: Filter-Id attribute, Downloadable ACL, Redirect URL
    Multiple Authentication: Filter-Id attribute, Downloadable ACL, Redirect URL

Web authentication as fallback method
    Single host: Proxy ACL, Filter-Id attribute, Downloadable ACL
    Multiple host: Proxy ACL, Filter-Id attribute, Downloadable ACL
    MDA: Proxy ACL, Filter-Id attribute, Downloadable ACL
    Multiple Authentication: Proxy ACL, Filter-Id attribute, Downloadable ACL


1 Supported in Cisco IOS Release 12.2(50)SE and later.

ACLs configured on the switch are compatible with other devices running Cisco IOS releases.

You can only set any as the source in the ACL.

Note

For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.)


The authentication-manager interface-configuration commands control all the authentication methods, such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands determine the priority and order of authentication methods applied to a connected host.

The authentication manager commands control generic authentication features, such as host mode, violation mode, and the authentication timer. Generic authentication commands include the authentication host-mode, authentication violation, and authentication timer interface configuration commands.

802.1x-specific commands begin with the dot1x keyword. For example, the authentication port-control auto interface configuration command enables authentication on an interface. However, the dot1x system-auth-control global configuration command only globally enables or disables 802.1x authentication.

Note

If 802.1x authentication is globally disabled, other authentication methods are still enabled on the port, such as web authentication.

The authentication manager commands provide the same functionality as earlier 802.1x commands.

Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate command for each authentication method:


Table 2 Authentication Manager Commands and Earlier 802.1x Commands

Each entry gives the authentication manager command in Cisco IOS Release 12.2(50)SE or later, the equivalent 802.1x command in Cisco IOS Release 12.2(46)SE and earlier, and a description.

authentication control-direction in
    Earlier command: dot1x control-direction in
    Description: Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.

authentication event
    Earlier commands: dot1x auth-fail vlan; dot1x critical (interface configuration); dot1x guest-vlan
    Description: Enable the restricted VLAN on a port. Enable the inaccessible-authentication-bypass feature. Specify an active VLAN as an 802.1x guest VLAN.

authentication fallback fallback-profile
    Earlier command: dot1x fallback fallback-profile
    Description: Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.

authentication host-mode
    Earlier command: dot1x host-mode multi-host
    Description: Allow a single host (client) or multiple hosts on an 802.1x-authorized port.

authentication order
    Earlier command: mab
    Description: Provides the flexibility to specify the order of authentication methods to be used.

authentication periodic
    Earlier command: dot1x reauthentication
    Description: Enable periodic re-authentication of the client.

authentication port-control {auto | force-authorized | force-unauthorized}
    Earlier command: dot1x port-control {auto | force-authorized | force-unauthorized}
    Description: Enable manual control of the authorization state of the port.

authentication timer
    Earlier command: dot1x timeout
    Description: Set the 802.1x timers.

authentication violation {protect | restrict | shutdown}
    Earlier command: dot1x violation-mode {protect | restrict | shutdown}
    Description: Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

show authentication
    Earlier command: show dot1x
    Description: Display 802.1x statistics, administrative status, and operational status for the switch or for the specified port.

Authentication manager: compatibility with earlier 802.1x CLI commands


During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, a port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets. When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and 802.1x protocol packets before the client is successfully authenticated.

If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

In contrast, when an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

You control the port authorization state by using the authentication port-control interface configuration command and these keywords:

Note

In Session Aware Networking mode, the authentication port-control command is access-session port-control.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state.

If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
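The port-state transitions described above and the MAC authentication bypass fallback from the message-exchange section, as an added model (not code from the Cisco documentation); the event names, the retry counts and the radius() callback that returns "accept", "reject" or None are assumptions made for this model.

```python
# Added example (not from the Cisco documentation above): a simplified model of the
# 802.1x port authorization behaviour this chapter describes, including the MAC
# authentication bypass (MAB) fallback. Event names, the retry counts and the
# radius() callback interface are assumptions made for this model.
from dataclasses import dataclass, field
from typing import Callable, Optional

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
RadiusFn = Callable[[str], Optional[str]]   # identity -> "accept" | "reject" | None


@dataclass
class Dot1xPort:
    port_control: str = "auto"        # auto | force-authorized | force-unauthorized
    mab_enabled: bool = False         # fall back to MAB when 802.1x times out
    guest_vlan: Optional[int] = None  # assigned when MAB authorization fails
    max_reauth_req: int = 2           # EAP-Request/Identity retransmissions
    server_attempts: int = 3          # RADIUS requests before giving up
    state: str = UNAUTHORIZED
    vlan: Optional[int] = None        # VLAN the port was placed in, if any
    identity_requests: int = 0
    mab_pending: bool = False
    log: list = field(default_factory=list)

    def _set(self, state: str, why: str, vlan: Optional[int] = None) -> None:
        self.state, self.vlan = state, vlan
        self.log.append(f"{state}: {why}")

    def link_up(self) -> None:
        if self.port_control == "force-authorized":
            self._set(AUTHORIZED, "force-authorized, no authentication")
        elif self.port_control == "force-unauthorized":
            self._set(UNAUTHORIZED, "force-unauthorized, client ignored")
        else:  # auto: the switch initiates with an EAP-Request/Identity
            self.identity_requests = 1
            self._set(UNAUTHORIZED, "link up, EAP-Request/Identity sent")

    def link_down(self) -> None:
        self.identity_requests, self.mab_pending = 0, False
        self._set(UNAUTHORIZED, "link down")

    def eapol_logoff(self) -> None:
        self._set(UNAUTHORIZED, "EAPOL-Logoff received")

    def identity_timeout(self) -> None:
        """The timer expired without an EAP-Response/Identity from the client."""
        if self.port_control != "auto" or self.state == AUTHORIZED:
            return
        if self.identity_requests <= self.max_reauth_req:
            self.identity_requests += 1
            self.log.append(f"EAP-Request/Identity retry {self.identity_requests}")
        elif self.mab_enabled and not self.mab_pending:
            self.mab_pending = True
            self.log.append("802.1x timed out; waiting for an Ethernet frame (MAB)")

    def eapol_start(self) -> None:
        """An EAPOL frame while MAB is pending stops MAB and restarts 802.1x."""
        if self.port_control != "auto":
            return
        self.mab_pending = False
        self.identity_requests = 1
        self.log.append("EAPOL-Start received, EAP-Request/Identity sent")

    def eap_response_identity(self, identity: str, radius: RadiusFn) -> None:
        if self.port_control == "auto":
            self.mab_pending = False
            self._authorize(identity, radius, via_mab=False)

    def ethernet_frame(self, src_mac: str, radius: RadiusFn) -> None:
        """MAB: the source MAC of the first data frame becomes the identity."""
        if self.mab_pending:
            self.mab_pending = False
            self._authorize(src_mac, radius, via_mab=True)

    def _authorize(self, identity: str, radius: RadiusFn, via_mab: bool) -> None:
        # Resend the request while the server is silent, up to server_attempts.
        for attempt in range(1, self.server_attempts + 1):
            reply = radius(identity)
            if reply == "accept":
                self._set(AUTHORIZED, f"Access-Accept for {identity}")
                return
            if reply == "reject":
                self.log.append(f"Access-Reject for {identity}")
                break
            self.log.append(f"no reply from RADIUS server, attempt {attempt}")
        if via_mab and self.guest_vlan is not None:
            self._set(UNAUTHORIZED, "MAB failed, guest VLAN assigned", self.guest_vlan)
        else:
            self._set(UNAUTHORIZED, "authentication failed, no network access")
```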


If a switch is added to or removed from a switch stack, 802.1x authentication is not affected as long as the IP connectivity between the RADIUS server and the stack remains intact. This statement also applies if the stack master is removed from the switch stack. Note that if the stack master fails, a stack member becomes the new stack master by using the election process, and the 802.1x authentication process continues as usual.

If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is removed or fails, these events occur:

If the switch that failed comes up and rejoins the switch stack, the authentications might or might not fail depending on the boot-up time and whether the connectivity to the RADIUS server is re-established by the time the authentication is attempted.

To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant connection to it. For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.


You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode, only one client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.


Figure 4. Multiple Host Mode Example. This figure shows 802.1x port-based authentication in a wireless LAN.

Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications to authenticate different hosts by different methods on a single port.

Multiple-authentication mode also supports MDA use on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.

Note

Guest VLAN and authentication-failed VLAN features are supported for ports configured in multiple-authentication mode.

Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions:


When a MAC address is authenticated on one switch port, that address is not allowed on another authentication manager-enabled port of the switch. If the switch detects that same MAC address on another authentication manager-enabled port, the address is not allowed.

There are situations where a MAC address might need to move from one port to another on the same switch. For example, when there is another device (for example a hub or an IP phone) between an authenticated host and a switch port, you might want to disconnect the host from the device and connect it directly to another port on the same switch.

You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.

MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.)

When a MAC address moves from one port to another, the switch terminates the authenticated session on the original port and initiates a new authentication sequence on the new port.

The MAC move feature applies to both voice and data hosts.

Note

In open authentication mode, a MAC address is immediately moved from the original port to the new port, with no need for authorization on the new port.


Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.

Note

This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.

If you configure the authentication violation interface configuration command with the replace keyword, the authentication process on a port in multi-domain mode is:

If a port is in open authentication mode, any new MAC address is immediately added to the MAC address table.


The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:

You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4.


This table lists the AV pairs and when they are sent by the switch.

Table 3 Accounting AV Pairs

Attribute Number | AV Pair Name         | START  | INTERIM    | STOP
Attribute[1]     | User-Name            | Always | Always     | Always
Attribute[4]     | NAS-IP-Address       | Always | Always     | Always
Attribute[5]     | NAS-Port             | Always | Always     | Always
Attribute[8]     | Framed-IP-Address    | Never  | Sometimes3 | Sometimes
Attribute[25]    | Class                | Always | Always     | Always
Attribute[30]    | Called-Station-ID    | Always | Always     | Always
Attribute[31]    | Calling-Station-ID   | Always | Always     | Always
Attribute[40]    | Acct-Status-Type     | Always | Always     | Always
Attribute[41]    | Acct-Delay-Time      | Always | Always     | Always
Attribute[42]    | Acct-Input-Octets    | Never  | Always     | Always
Attribute[43]    | Acct-Output-Octets   | Never  | Always     | Always
Attribute[44]    | Acct-Session-ID      | Always | Always     | Always
Attribute[45]    | Acct-Authentic       | Always | Always     | Always
Attribute[46]    | Acct-Session-Time    | Never  | Always     | Always
Attribute[49]    | Acct-Terminate-Cause | Never  | Never      | Always
Attribute[61]    | NAS-Port-Type        | Always | Always     | Always

3 The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.

The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices connected to the switch ports are 802.1x-capable. You use an alternate authentication such as MAC authentication bypass or web authentication for the devices that do not support 802.1x functionality.

This feature only works if the supplicant on the client supports a query with the notify EAP notification packet. The client must respond within the 802.1x timeout value.

The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.

Follow these guidelines to enable the readiness check on the switch:


RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which allows RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.


The switch supports 802.1x authentication with VLAN assignment. After successful 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.

Voice device authentication is supported with multidomain host mode. When a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication (MDA)-enabled ports.

When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has these characteristics:

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN.

If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the port is fully authorized, with these exceptions:

The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).

To configure VLAN assignment you must perform these tasks:

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.

You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence over a router ACL. If you apply an input port ACL to an interface that belongs to a VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server.

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports.

Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).

Only one 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port.

The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.

To configure per-user ACLs:


You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication or MAC authentication bypass of the host. You can also download ACLs during web authentication.

Note

A downloadable ACL is also referred to as a dACL.

If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode, the switch changes the source address of the ACL to the host IP address.

You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.

If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL only to the phone as part of the authorization policies.

Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.

Note

The auth-default-ACL does not appear in the running configuration.

The auth-default ACL is created when at least one host with an authorization policy is detected on the port. The auth-default ACL is removed from the port when the last authenticated session ends. You can configure the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command.

Note

The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass.

The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static ACL on a port in closed authentication mode:

If there is no static ACL on a port in open authentication mode:

To control access for hosts with no authorization policy, you can configure a directive. The supported values for the directive are open and default. When you configure the open directive, all traffic is allowed. The default directive subjects traffic to the access provided by the port. You can configure the directive either in the user profile on the AAA server or on the switch. To configure the directive on the AAA server, use the authz-directive = global command with the value open or default. To configure the directive on the switch, use the epm access-control open global configuration command.

Note

The default value of the directive is default.

If a host falls back to web authentication on a port without a configured ACL:

The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated with the port.

Note

If you use a custom logo with web authentication and it is stored on an external server, the port ACL must allow access to the external server before authentication. You must either configure a static port ACL or change the auth-default-ACL to provide appropriate access to the external server.


The switch uses these cisco-av-pair VSAs:

The switch uses the CiscoSecure-defined-ACL attribute value pair to intercept an HTTP or HTTPS request from the end point. The switch then forwards the client web browser to the specified redirect address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect.

Note

If a redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured.


You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.

If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured.

If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, an authorization failure is declared.
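The authorization attributes described in the VLAN assignment, per-user ACL and downloadable ACL sections above, decoded from a RADIUS Access-Accept, as an added example (not code from the Cisco documentation): the tunnel attributes [64]/[65]/[81], Filter-Id with its .in/.out suffix and the supported ACL number ranges, and cisco-av-pair VSAs for inacl#, the CiscoSecure-Defined-ACL name and url-redirect. The sample attribute list is constructed here, and the policy dictionary layout and the tag-byte handling are this example's own choices.

```python
# Added example (not from the Cisco documentation above): decode the authorization
# attributes this chapter says a switch acts on in a RADIUS Access-Accept. The sample
# Access-Accept attribute list is constructed here; the policy dictionary layout and
# the RFC 2868 tag handling are this example's own choices.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
FILTER_ID, VENDOR_SPECIFIC = 11, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte followed by a 3-byte integer."""
    return attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific attribute (vendor 9, sub-type 1) carrying one cisco-av-pair string."""
    sub = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, CISCO_VENDOR_ID.to_bytes(4, "big") + sub)


def parse_attrs(payload: bytes):
    """Yield (type, value) from a concatenated RADIUS attribute list."""
    i = 0
    while i < len(payload):
        if i + 1 >= len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute")
        yield payload[i], payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]


def strip_tag(value: bytes) -> bytes:
    """Drop the RFC 2868 tag byte when present (tag values are 0x00..0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def parse_filter_id(text: str):
    """'150.in' -> (150, 'in'); no suffix means egress; only the ACL ranges the chapter lists."""
    number, _, direction = text.partition(".")
    direction = direction or "out"
    if direction not in ("in", "out"):
        raise ValueError(f"unsupported Filter-Id suffix in {text!r}")
    acl = int(number)
    if not (1 <= acl <= 199 or 1300 <= acl <= 2699):
        raise ValueError(f"Filter-Id ACL {acl} is outside the supported IP ACL ranges")
    return acl, direction


def authorize(payload: bytes, default_port_acl_configured: bool) -> dict:
    """Turn Access-Accept attributes into the port policy the switch would apply."""
    policy = {"vlan": None, "filter_id": None, "inacl": [], "dacl": None,
              "url_redirect": None, "url_redirect_acl": None}
    tunnel = {}
    for attr_type, value in parse_attrs(payload):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tunnel[attr_type] = strip_tag(value).decode()
        elif attr_type == FILTER_ID:
            policy["filter_id"] = parse_filter_id(value.decode())
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and value[:4] == CISCO_VENDOR_ID.to_bytes(4, "big")):
            sub_type, sub_len = value[4], value[5]
            if sub_type != CISCO_AV_PAIR:
                continue
            key, _, val = value[6:4 + sub_len].decode().partition("=")
            if key.startswith("ip:inacl#"):                   # per-user ingress ACL entry
                policy["inacl"].append(val)
            elif key.endswith("CiscoSecure-Defined-ACL"):     # dACL name (#ACL#-IP-name-number)
                policy["dacl"] = val
            elif key in ("url-redirect", "url-redirect-acl"):
                policy[key.replace("-", "_")] = val
    # VLAN assignment needs all three tunnel attributes: Tunnel-Type VLAN (13),
    # Tunnel-Medium-Type 802 (6) and the VLAN name or ID in Tunnel-Private-Group-ID.
    if (tunnel.get(TUNNEL_TYPE) == 13 and tunnel.get(TUNNEL_MEDIUM_TYPE) == 6
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        policy["vlan"] = tunnel[TUNNEL_PRIVATE_GROUP_ID]
    elif tunnel:
        raise ValueError("incomplete or mistyped VLAN tunnel attributes")
    # A dACL or redirect URL from the server requires a default port ACL on the switch;
    # without it the chapter says an authorization failure is declared.
    if (policy["dacl"] or policy["url_redirect"]) and not default_port_acl_configured:
        raise ValueError("host access policy received but no default port ACL configured")
    return policy


# Constructed sample Access-Accept attribute list (not a capture).
SAMPLE_ACCEPT = (
    tunnel_int(TUNNEL_TYPE, 13)
    + tunnel_int(TUNNEL_MEDIUM_TYPE, 6)
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00ENGINEERING")
    + attr(FILTER_ID, b"150.in")
    + cisco_av_pair("ip:inacl#1=permit tcp any host 10.10.1.1 eq 443")
    + cisco_av_pair("ACS:CiscoSecure-Defined-ACL=#ACL#-IP-CONTRACTOR-1234")
    + cisco_av_pair("url-redirect=https://portal.example.invalid/login")
    + cisco_av_pair("url-redirect-acl=REDIRECT-WEB")
)
```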


You can use VLAN ID-based MAC authentication if you want to authenticate hosts based on a static VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your switch, the VLAN information is sent to an IAS (Microsoft) RADIUS server along with the MAC address of each host for authentication. The VLAN ID configured on the connected port is used for MAC authentication. By using VLAN ID-based MAC authentication with an IAS server, you can have a fixed number of VLANs in the network.

The feature also limits the number of VLANs monitored and handled by STP. The network can be managed as a fixed VLAN.

Note

This feature is not supported on the Cisco ACS server. (The ACS server ignores the sent VLAN IDs for new hosts and only authenticates based on the MAC address.)


You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients, such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an 802.1x port, the switch assigns clients to the guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.

The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. The EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.

If the switch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:

Use a restricted VLAN to allow clients that failed authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration command.

If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.

Note

If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an unauthorized state, and 802.1x authentication restarts.

When the switch port is moved to the guest VLAN, the number of allowed 802.1x-incapable hosts is determined by the configured host mode. If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on 802.1x ports in single-host, multiple-host, multi-auth and multi-domain modes.

You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS Access-Request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified.


You can configure a restricted VLAN (also referred to as an authentication failure VLAN) for each IEEE 802.1x port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1x-compliant and cannot access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.

Note

You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users.

Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).

The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt counter resets.

Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to restart the authentication process is for the port to receive a link-down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link-down or EAP logoff event.

After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.

Restricted VLANs are supported on 802.1x ports in all host modes and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

Other security port features such as dynamic ARP inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN.
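The following port configuration is an added example and is not part of the original guide or of Cisco's own examples. It covers both the guest VLAN section and the restricted VLAN section above: VLAN 50 receives clients that never send EAPOL, VLAN 60 receives clients that fail authentication three times (the default count the text states), and periodic re-authentication is left enabled at the 60-second default interval so that a host behind a hub is retried. The interface, the VLAN numbers and the EAPOL timer values are assumed.

```ios
! Added example (not from the original guide): 802.1x access port with a
! guest VLAN (50) and a restricted VLAN (60). Interface, VLAN numbers and
! timer values are assumed.
vlan 50
 name GUEST
vlan 60
 name AUTH-FAIL
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Guest VLAN: no EAPOL seen during the life of the link -> VLAN 50.
 authentication event no-response action authorize vlan 50
 ! Restricted VLAN: after 3 failed attempts the port is moved to VLAN 60
 ! and the failed-attempt counter is reset.
 authentication event fail retry 3 action authorize vlan 60
 ! Keep re-authentication enabled (60 s is the default interval the text
 ! describes); a successful retry moves the port out of VLAN 60.
 authentication periodic
 authentication timer reauthenticate 60
 ! EAPOL wait before the port is judged 802.1x-incapable: one identity
 ! request plus 2 retransmissions, 5 seconds apart = 15 seconds.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
```

To verify which VLAN a session landed in and why, use show authentication sessions interface GigabitEthernet1/0/2 details on the switch; it reports the current authorization status and the VLAN in effect for the session. If you want the same services for both kinds of client, the note above allows VLAN 50 to be used in both commands.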


Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated. You can configure the switch to connect those hosts to critical ports.

When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN, the critical VLAN. The administrator gives limited authentication to the hosts.

When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the configured RADIUS server. If a server is available, the switch can authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the critical-authentication state, which is a special case of the authentication state.


When a port is configured in any host mode and the AAA server is unavailable, the port is then configured to multi-host mode and moved to the critical VLAN. To support inaccessible authentication bypass on multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize vlan vlan-id command. When a new host tries to connect to the critical port, the port is reinitialized and all the connected hosts are moved to the user-specified access VLAN.

This command is supported in all host modes.


The behavior of the inaccessible authentication bypass feature depends on the authorization state of the port:

You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state are automatically re-authenticated.


Inaccessible authentication bypass interacts with these features:

Guest VLAN—Inaccessible authentication bypass is compatible with the guest VLAN. When a guest VLAN is enabled on an 802.1x port, the features interact as follows:

In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive packets. When the status of a RADIUS server changes, the stack master sends the information to the stack members. The stack members can then check the status of the RADIUS servers when re-authenticating critical ports.

If a new stack master is elected, the link between the switch stack and the RADIUS server might change, and the new stack master immediately sends keepalive packets to update the status of the RADIUS servers. If the server status changes from dead to alive, the switch re-authenticates all switch ports in the critical-authentication state.

When a member is added to the stack, the stack master sends the member the server status.
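The following configuration is an added example and is not part of the original guide or of Cisco's own examples. It shows inaccessible authentication bypass end to end: the dead-server detection that decides when the RADIUS servers count as unavailable, the multiauth form of the server dead action that the text names, the voice VLAN kept open while the server is dead, and the server alive action that re-authenticates hosts out of the critical VLAN when the server returns. The server address 192.0.2.20 (a documentation prefix), the server group name, the probe username, the interface, and VLANs 10, 70 and 100 are assumed; the shared secret is a placeholder.

```ios
! Added example (not from the original guide): inaccessible authentication
! bypass (critical authentication). Addresses, names, VLAN and interface
! numbers are assumed; the RADIUS key is a placeholder.
!
! Dead-server detection: a server is marked dead after 3 unanswered requests
! within 10 seconds and is skipped for 10 minutes. The automated tester keeps
! sending probe requests to the dead server; any reply (accept or reject)
! marks it alive again, which is what triggers the "server alive" action.
radius server ISE-1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 automate-tester username probe-user
!
aaa group server radius ISE
 server name ISE-1
!
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
vlan 70
 name CRITICAL
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 ! All RADIUS servers dead: reinitialize the port and place data hosts in
 ! the critical VLAN (the multiauth form described in the text).
 authentication event server dead action reinitialize vlan 70
 ! Keep the IP phone authorized on the voice VLAN while the server is dead.
 authentication event server dead action authorize voice
 ! Server reachable again: reinitialize so hosts in the critical VLAN are
 ! re-authenticated instead of staying there until the next link flap.
 authentication event server alive action reinitialize
```

Size the critical VLAN for what it is: every host that arrives while the servers are unreachable gets onto it without any credential check, so it should carry only the access an unauthenticated visitor would be given, and the dead-criteria values should be short enough that a real outage is detected before users notice, but long enough that a single lost packet does not open the critical VLAN.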


A voice VLAN port is a special access port associated with two VLAN identifiers:

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

Note

If an IP phone and a PC are connected to a switch port, and the port is configured in single- or multi-host mode, we do not recommend configuring the port in standalone MAC authentication bypass mode. We recommend only using MAC authentication bypass as a fallback method to 802.1x authentication, with the timeout period set to the default of five seconds.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a Catalyst 3850 series switch port, you can configure an access port VLAN that is also a voice VLAN.

Note

If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.


The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant computers to be powered up when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in environments where administrators need to connect to systems that have been powered down.

When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host. When the computer is powered off, it is not authorized, and the switch port is not opened.

When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other devices in the network.

Note

If PortFast is not enabled on the port, the port is forced to the bidirectional state.

When you configure a port as unidirectional by using the authentication control-direction in interface configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to the host but cannot receive packets from the host.

When you configure a port as bidirectional by using the authentication control-direction both interface configuration command, the port is access-controlled in both directions. The port does not receive packets from or send packets to the host.
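The following configuration is an added example and is not part of the original guide or of Cisco's own examples. It shows the unidirectional control setting the WoL section describes together with the PortFast requirement from the note, since without PortFast the switch silently forces the port back to bidirectional control. The interface and VLAN number are assumed.

```ios
! Added example (not from the original guide): 802.1x port that lets a
! wake-on-LAN magic packet reach a powered-down host. Interface and VLAN
! number are assumed.
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 ! Required: without PortFast the port is forced to the bidirectional state
 ! and the unidirectional setting below has no effect.
 spanning-tree portfast
 authentication port-control auto
 dot1x pae authenticator
 ! Unidirectional control: while the port is unauthorized it forwards in
 ! the egress direction (switch -> host), so a magic packet reaches the
 ! sleeping host; ingress traffic other than EAPOL stays blocked until the
 ! host wakes up and authenticates.
 authentication control-direction in
!
! To return the port to the default, access control in both directions:
!  authentication control-direction both
```

The trade-off to keep in mind is that with control-direction in, an unauthenticated port is an open egress path: any host on the VLAN can send frames to the sleeping machine, not only the administrator's magic packet, so the feature is best limited to ports where that exposure is acceptable.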


You can configure the switch to authorize clients based on the client MAC address by using the MAC authentication bypass feature. For example, you can enable this feature on IEEE 802.1x ports connected to devices such as printers.

If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.

When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS Access-Request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.

If the switch already authorized a port by using MAC authentication bypass and then detects an IEEE 802.1x supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs, the switch uses the authentication or re-authentication methods configured on the port, if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.


Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x. During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute [27]) and the Termination-Action RADIUS attribute (Attribute [29]), and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
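The following configuration is an added example and is not part of the original guide or of Cisco's own examples. It shows MAC authentication bypass used the way the voice VLAN note and this section recommend: as a fallback after the 802.1x EAPOL exchange times out rather than as a standalone method, with 802.1x given priority so that a supplicant appearing on a MAB-authorized port is handled on the next re-authentication, and with re-authentication driven by the Session-Timeout attribute the server returns. The interface, VLAN numbers and timer values are assumed.

```ios
! Added example (not from the original guide): MAC authentication bypass as
! a fallback to 802.1x on a printer port, with server-driven re-authentication.
! Interface, VLAN numbers and timer values are assumed.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Enable MAB but try 802.1x first; MAB runs only after the EAPOL timeout.
 ! The priority line lets an 802.1x supplicant that shows up later take
 ! precedence over the existing MAB session when re-authentication occurs.
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
 ! EAPOL wait before falling back to MAB: (max-reauth-req + 1) * tx-period
 ! = 3 * 5 = 15 seconds.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 ! Re-authenticate when the Session-Timeout (attribute 27) returned by the
 ! RADIUS server expires, instead of on a locally configured interval.
 authentication periodic
 authentication timer reauthenticate server
 ! Guest VLAN used when no EAPOL is seen and MAB authorization also fails.
 authentication event no-response action authorize vlan 50
```

On the server side, the MAC address must be stored in the same form the switch places in the User-Name attribute; by default the switch sends it as twelve lowercase hexadecimal digits without separators, and the mab request format attribute 1 global command changes that format if the server's database uses another one. Pairing Session-Timeout with a Termination-Action of RADIUS-Request (rather than DEFAULT) keeps the MAB session up across re-authentication, which avoids the connectivity loss the last paragraph describes for devices such as printers.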