11-26
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass
session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled
and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to
initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X
Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
MAC authentication bypass interacts with the features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port
is authenticated with MAC authentication bypass.
• Port security—See the “IEEE 802.1x Authentication with Port Security” section on page 11-24.
• Voice VLAN—See the “IEEE 802.1x Authentication with Voice VLAN Ports” section on
page 11-23.
• VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
li
st.
For more configuration information, see the “
Authentication Manager” section on page 11-8.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
• View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.
