Deployment Example - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 44
Configuring 802.1X Port-Based Authentication

Deployment Example

In a large campus LAN design, you might want to design the VLAN infrastructure without a large Layer 2 domain. For the same employee VLAN, customers might have different VLANs at different campus access switches. When you deploy 802.1X with VLAN assignment, it does not assign one employee VLAN to all employees. You have to know the real VLANs configured on the switch. User distribution allows you to send a list of VLAN or VLAN group name(s) to the switch. Your switch can then do a local mapping to the corresponding VLAN (Figure 44-7).

Figure 44-7 802.1X with VLAN User Distribution

For details on how to configure VLAN User Distribution, see the "Configuring 802.1X with VLAN User Distribution" section on page 44-66.

Using 802.1X with Authentication Failed VLAN Assignment

You can use authentication-failed VLAN assignment on a per-port basis to provide access for authentication-failed users. Authentication-failed users are end hosts that are 802.1X-capable but do not have valid credentials in an authentication server, or end hosts that do not give any username and password combination in the authentication pop-up window on the user side.

If a user fails the authentication process, that port is placed in the authentication-failed VLAN. The port remains in the authentication-failed VLAN until the reauthentication timer expires. When the reauthentication timer expires, the switch starts sending the port reauthentication requests. If the port fails reauthentication, it remains in the authentication-failed VLAN. If the port is successfully reauthenticated, the port is moved either to the VLAN sent by the RADIUS server or to the newly authenticated port's configured VLAN; the location depends on whether RADIUS is configured to send VLAN information.

Note
When enabling periodic reauthentication (see the "Enabling Periodic Reauthentication" section on page 44-78), only local reauthentication timer values are allowed. You cannot use a RADIUS server to assign the reauthentication timer value.

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
About 802.1X Port-Based Authentication
44-17
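The two decisions described in this section, local mapping of RADIUS-supplied VLAN or VLAN group names (user distribution) and placement of a port in the authentication-failed VLAN until a later reauthentication succeeds, modelled as an added Python example; this is not Cisco code and not from the guide. The switch names, VLAN numbers, the use of a group's first member, and the handling of a name list that matches nothing locally are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    configured_vlan: int                 # VLAN configured on the port itself
    auth_fail_vlan: int                  # per-port authentication-failed VLAN
    current_vlan: Optional[int] = None   # None until the port is authorized

class AccessSwitch:
    """Local VLAN knowledge of one campus access switch (constructed data)."""
    def __init__(self, vlans, vlan_groups):
        self.vlans = dict(vlans)              # VLAN name -> VLAN ID on this switch
        self.vlan_groups = dict(vlan_groups)  # group name -> VLAN IDs on this switch

    def map_distribution(self, names):
        """User distribution: RADIUS returns VLAN or VLAN-group names; the switch
        maps the first name it knows locally to one of its own VLAN IDs.
        Assumption (not stated in the guide): for a group, its first member is used."""
        for name in names:
            if name in self.vlans:
                return self.vlans[name]
            if self.vlan_groups.get(name):
                return self.vlan_groups[name][0]
        return None  # nothing in the list exists on this switch

    def authorize(self, port, success, radius_names=()):
        """Apply one authentication or reauthentication result to a port.
        Failure: the port goes to (or stays in) the authentication-failed VLAN.
        Success: RADIUS-derived VLAN if RADIUS sent VLAN information, else the port VLAN."""
        if not success:
            port.current_vlan = port.auth_fail_vlan
            return port.current_vlan
        if radius_names:
            vlan = self.map_distribution(radius_names)
            if vlan is None:
                # Assumption: an unmappable list is an error, not a silent fallback.
                raise ValueError(f"no local VLAN for {list(radius_names)}")
            port.current_vlan = vlan
        else:
            port.current_vlan = port.configured_vlan
        return port.current_vlan

if __name__ == "__main__":
    # Same employee population, different VLAN numbers on two access switches.
    bldg_a = AccessSwitch({"employee": 110}, {"employees": [110, 111]})
    bldg_b = AccessSwitch({"employee": 210}, {"employees": [210]})
    port = Port(configured_vlan=999, auth_fail_vlan=666)
    print(bldg_a.authorize(port, False))                # 666: auth-fail VLAN
    print(bldg_a.authorize(port, True, ["employees"]))  # 110 once reauthentication succeeds
    print(bldg_b.authorize(port, True, ["employees"]))  # 210 on the other switch
```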
