Cisco WS-C2960-24TC-L Software Guide - Page 504
802.1x Parameters Configurable on the Switch, 802.1x VLAN Assignment Using a RADIUS Server
UPC - 882658035005
Page 504 highlights
Understanding How 802.1x Authentication Works
Chapter 31 Configuring 802.1x Authentication

802.1x Parameters Configurable on the Switch

With 802.1x, you can do the following:
• Specify force-authorized port control, force-unauthorized port control, or automatic 802.1x port control
• Enable or disable multiple hosts on a specific port
• Enable or disable system authentication control
• Specify the quiet time interval
• Specify the authenticator to host retransmission time interval
• Specify the back-end authenticator to host retransmission time interval
• Specify the back-end authenticator to authentication server retransmission time interval
• Specify the number of frames that are retransmitted from the back-end authenticator to host
• Specify the automatic host reauthentication time interval
• Specify the port shutdown timeout period after a security violation
• Enable or disable automatic host reauthentication

802.1x VLAN Assignment Using a RADIUS Server

In software release 6.3 or earlier releases, once the 802.1x host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(1) and later releases, after authentication, an 802.1x host can receive its VLAN assignment from the RADIUS server.

The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put guest users in a VLAN with limited access to the network.

802.1x authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. The VLAN assignment feature works with the RADIUS server, which has a database of username-to-VLAN mappings. After a successful 802.1x authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access.

802.1x port behavior with the VLAN assignment feature is summarized as follows:
• At linkup, the server places an 802.1x port in its original NVRAM-configured VLAN.
• After linkup, the server can put the port in the RADIUS-supplied VLAN if the RADIUS-supplied VLAN is valid and active in the management domain.
• If the port is currently in a different VLAN, the port is moved to the RADIUS-supplied VLAN.
• If the RADIUS-supplied VLAN is not active in the management domain, the server puts the port in an inactive state.
• If the RADIUS-supplied VLAN is invalid or there is a problem with the port hardware, the server moves the port to the 802.1x unauthorized state.
• If you enabled the multiple hosts option on an 802.1x port, the server places all hosts in the same RADIUS-supplied VLAN received by the first authenticated user.
• When an 802.1x-configured module goes down, the server clears all Enhanced Address Recognition Logic (EARL) entries for 802.1x ports.

31-6 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01
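
The port-behavior rules listed above can be used to audit a RADIUS username-to-VLAN mapping before rollout. The following is an added example, not code from the Cisco guide: it assumes that a "valid" VLAN is an 802.1Q ID from 1 to 4094 and models the VLANs active in the management domain as a set; the function names and sample data are hypothetical.

```python
"""Audit a username-to-VLAN map against the 802.1x VLAN-assignment rules."""

VALID_VLAN_IDS = range(1, 4095)  # assumption: "valid" means 802.1Q ID 1-4094

# Constructed sample data (not from the guide).
ACTIVE_VLANS = {1, 10, 20}
USER_VLANS = {"alice": 10, "guest": 20, "bob": 30, "carol": 5000}


def port_outcome(radius_vlan, active_vlans, hardware_ok=True):
    """Predict the port result after a successful 802.1x authentication."""
    if not hardware_ok:
        return "unauthorized"      # problem with the port hardware
    if type(radius_vlan) is not int or radius_vlan not in VALID_VLAN_IDS:
        return "unauthorized"      # RADIUS-supplied VLAN is invalid
    if radius_vlan not in active_vlans:
        return "inactive"          # VLAN not active in the management domain
    return f"vlan {radius_vlan}"   # port is placed in (or moved to) this VLAN


def audit_mappings(user_vlans, active_vlans):
    """Return {username: outcome} for mappings that would not yield a VLAN."""
    findings = {}
    for user, vlan in user_vlans.items():
        outcome = port_outcome(vlan, active_vlans)
        if not outcome.startswith("vlan "):
            findings[user] = outcome
    return findings


def multiple_hosts_vlan(auth_order, user_vlans, active_vlans):
    """Multiple hosts enabled: all hosts share the first user's VLAN.

    Returns (port outcome, later users whose own mapping differs from it).
    """
    first = auth_order[0]
    outcome = port_outcome(user_vlans[first], active_vlans)
    overridden = [u for u in auth_order[1:]
                  if user_vlans[u] != user_vlans[first]]
    return outcome, overridden


if __name__ == "__main__":
    print(audit_mappings(USER_VLANS, ACTIVE_VLANS))
    print(multiple_hosts_vlan(["alice", "guest"], USER_VLANS, ACTIVE_VLANS))
```

In the constructed data, the second call shows that on a multiple-hosts port the guest user lands in the first user's VLAN rather than the VLAN mapped to the guest account.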