Cisco 350 Series Administration Manual page 532

Security: 802.1X Authentication
Overview
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4

Full multi-sessions:

| Traffic | VLAN option | Untagged | Tagged |
|---|---|---|---|
| Unauthenticated Traffic | With Guest VLAN | Frames are re-mapped to the guest VLAN | Frames are re-mapped to the guest VLAN unless they belong to the unauthenticated VLANs |
| Unauthenticated Traffic | Without Guest VLAN | Frames are dropped | Frames are dropped unless they belong to the unauthenticated VLANs |
| Authenticated Traffic | With RADIUS VLAN | Frames are re-mapped to the RADIUS assigned VLAN | Frames are re-mapped to the RADIUS VLAN unless they belong to the unauthenticated VLANs |
| Authenticated Traffic | Without RADIUS VLAN | Frames are bridged based on the static VLAN configuration | Frames are bridged based on the static VLAN configuration |

Switch as 802.1x Supplicant
In addition to its capacity as an 802.1x authenticator, the switch itself can be configured as an 802.1x supplicant seeking port access permission from a neighbor. The supplicant supports the EAP MD5-Challenge method specified by RFC 3748. The method authenticates a client by its name and password.
When the supplicant is enabled on an interface, the interface becomes unauthorized. When the 802.1X authentication process succeeds, the interface state is changed to authorized.
The following events start the 802.1X supplicant authentication on a port:
- Supplicant is enabled on a port in the Up status.
- The status of the port is changed to Up and supplicant is enabled on the port.
- An EAP Identifier Request message is received on the port and the supplicant is enabled on the port.
802.1x authenticator and supplicant cannot be configured at the same time on a single interface.
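
The EAP MD5-Challenge exchange that the supplicant section above relies on, as an added example that is not taken from the Cisco manual or the switch firmware: it encodes the RFC 3748 MD5-Challenge packet and computes the response as MD5(Identifier || password || challenge), for both the supplicant and the authenticator side. The function names and the `lookup_password` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2  # EAP Code values (RFC 3748 section 4)
EAP_TYPE_MD5 = 4                  # MD5-Challenge (RFC 3748 section 5.4)


def build_md5_packet(code, identifier, value, name=b""):
    """Encode Code | Identifier | Length | Type | Value-Size | Value | Name."""
    type_data = bytes([len(value)]) + value + name
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), EAP_TYPE_MD5) + type_data


def parse_md5_packet(packet):
    """Decode an MD5-Challenge packet, rejecting inconsistent length fields."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if eap_type != EAP_TYPE_MD5 or length < 6 or length > len(packet):
        raise ValueError("not a well-formed MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]


def supplicant_respond(request, name, password):
    """Supplicant side: answer with MD5(Identifier || password || challenge)."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    return build_md5_packet(EAP_RESPONSE, identifier, digest, name)


def authenticator_verify(request, response, lookup_password):
    """Authenticator side: recompute the digest and compare in constant time."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, digest, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    password = lookup_password(name)  # hypothetical credential store lookup
    if password is None:
        return False
    expected = hashlib.md5(bytes([req_id]) + password + challenge).digest()
    return hmac.compare_digest(expected, digest)
```

The challenge and the digest both cross the link in the clear, and RFC 3748 section 5.4 lists no mutual authentication, key derivation or dictionary-attack protection for this method, so the supplicant password should be long, random and unique to that uplink.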
