How 802.1X Fails On A Port - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 44
Configuring 802.1X Port-Based Authentication

About 802.1X Port-Based Authentication

• Host Authorization—Ensures that only traffic from authorized hosts (connecting to the switch with a supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP) to send the MAC addresses connecting the supplicant switch to the authenticator switch.
• Auto enablement—Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs arising from supplicant switches. At the ACS, you must configure the Cisco AV pair as device-traffic-class=switch. For details on how to do this, see the "Configuring an Authenticator and a Supplicant Switch with NEAT" section on page 44-85.

How 802.1X Fails on a Port

802.1X may fail on a port in three ways: timeout, explicit failure, and protocol timeout.

• Timeout—A switch attempts 802.1X at link up but the attached endpoint is not 802.1X-capable. After the configured number of retries and timeouts, the switch attempts the next authentication method if one is configured (such as MAB). If MAB fails, the switch deploys the Guest VLAN (also called the no-response VLAN), if configured. The Guest VLAN is configured with the authentication event no-response interface command.
• Explicit Failure—A switch and the endpoint perform the entire 802.1X authentication sequence and the result is an explicit failure (usually indicated by an Access-Reject from the RADIUS server to the switch and an EAP-Failure sent from the switch to the endpoint). In this case, the switch attempts MAB (if authentication event fail action next-method is configured) or deploys the AuthFail VLAN (if authentication event fail action authorize vlan is configured).
• Protocol Timeout—A switch and the endpoint start the 802.1X authentication process but do not complete it. For example, the endpoint may send an 802.1X EAPoL-Start message and then stop responding to the switch (perhaps because the endpoint lacks a credential, or because it is waiting for the end user to enter some information). In this case, the switch knows that the connected device is EAPoL-capable, so it does not deploy the Guest VLAN after timing out. Instead, it restarts authentication after a timeout. The switch continues to label the port as EAPoL-capable until a physical link-down event is detected. To force the switch to deploy the Guest VLAN in the case of a protocol timeout, configure dot1x guest-vlan supplicant globally. If the port is configured for multi-domain authentication host mode, the switch behaves as if dot1x guest-vlan supplicant is configured.

Supported Topologies

The 802.1X port-based authentication supports two topologies:
• Point-to-point
• Wireless LAN

In a point-to-point configuration (see Figure 44-1 on page 44-3), only one client can be connected to the 802.1X-enabled switch port when the multiple-host mode is not enabled (the default). The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

For 802.1X port-based authentication in a wireless LAN (Figure 44-9), you must configure the 802.1X port as a multiple-host port that is authorized as a wireless access point once the client is authenticated. (See the "Resetting the 802.1X Configuration to the Default Values" section on page 44-92.) When the port is authorized, all other hosts that are indirectly attached to the port are granted access to the network. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
44-25
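The three failure paths described under "How 802.1X Fails on a Port" above, and the multiple-host port required by the wireless LAN topology under "Supported Topologies", each map onto specific IOS commands. The configuration below is an added example written for this page, not a configuration taken from the guide. The VLAN numbers (10 for the access VLAN, 90 for the Guest VLAN, 91 for the AuthFail VLAN), the interfaces GigabitEthernet1/1 and 1/2, the RADIUS server 10.0.0.5 and its key are all assumptions chosen for illustration.

```ios
! Added example, not from the Catalyst 4500 guide.
! Assumptions: VLAN 90 = Guest (no-response) VLAN, VLAN 91 = AuthFail VLAN,
! RADIUS server at 10.0.0.5 with key r4d1us-k3y, wired endpoints on Gi1/1,
! a wireless access point on Gi1/2.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key r4d1us-k3y
dot1x system-auth-control
!
! Protocol timeout: an endpoint that sent EAPoL-Start and then went quiet is
! labelled EAPoL-capable until link down, so by default it loops through
! restarts and never reaches the Guest VLAN. This global command makes such
! a port fall through to the Guest VLAN after the timeout instead.
dot1x guest-vlan supplicant
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! 802.1X first, MAB as the "next method".
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Timeout: an endpoint that never answers EAP-Request/Identity gets
 ! max-reauth-req retries spaced tx-period seconds apart, then MAB is tried;
 ! if MAB also fails, the no-response action places it in VLAN 90.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 authentication event no-response action authorize vlan 90
 ! Explicit failure (RADIUS Access-Reject, EAP-Failure to the endpoint):
 ! pick ONE of the two actions. next-method retries with MAB; authorize vlan
 ! parks the endpoint in the AuthFail VLAN.
 authentication event fail action next-method
 ! authentication event fail action authorize vlan 91
 mab
 dot1x pae authenticator
!
! Wireless LAN topology: the access point is the only supplicant. Once it
! authenticates, hosts behind it are admitted through this port, so the port
! must be a multiple-host port rather than the single-host default.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
!
end
```

To see which path a port actually took, use show authentication sessions interface GigabitEthernet1/1 (the Method and Status columns show whether dot1x or mab authorized the session and whether a no-response or fail action was applied) and show dot1x interface GigabitEthernet1/1 details. Two points worth keeping in mind when choosing these knobs: an endpoint that simply never speaks EAPoL lands in the Guest VLAN, and one that fails authentication lands in the AuthFail VLAN when that action is selected, so both VLANs admit exactly the devices that could not prove an identity and should be filtered as untrusted networks; and on a port configured for multi-domain host mode the guest-vlan supplicant behaviour applies whether or not the global command is present, which changes what a stalled supplicant ends up with.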