User Guide

25-5
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 25 Configuring IEEE 802.1X Port-Based Authentication
Default 802.1X Port-Based Authentication Configuration
In a point-to-point configuration (see Figure 25-1 on page 25-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

Figure 25-3 shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured as a multiple-host port that becomes authorized as soon as one client is authenticated. When the port is authorized, all other hosts indirectly attached to the port are granted access to the network. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the switch denies access to the network to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and the wireless access point acts as a client to the switch.
Figure 25-3 Wireless LAN Example
[Figure 25-3: wireless clients connect to an access point; the access point connects to a Catalyst switch or Cisco router, which communicates with the authentication server (RADIUS).]

Default 802.1X Port-Based Authentication Configuration
Table 25-1 shows the default 802.1X configuration.
Table 25-1 Default 802.1X Configuration

Feature | Default Setting
Authentication, authorization, and accounting (AAA) | Disabled
RADIUS server IP address | None specified
RADIUS server UDP authentication port | 1812
RADIUS server key | None specified
Per-interface 802.1X protocol enable state | Disabled (force-authorized). Note: The port transmits and receives normal traffic without 802.1X-based authentication of the client.
Periodic reauthentication | Disabled
Number of seconds between reauthentication attempts | 3600 seconds
Quiet period | 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client)
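The defaults in Table 25-1 matter operationally because a port left at its default force-authorized state passes traffic with no client authentication at all, and a multiple-host port (as in the Figure 25-3 wireless example) opens the port to every attached host once a single client authenticates. The following audit script is an added example, not code from the Cisco guide: it parses a constructed Catalyst IOS running-config, fills in the Table 25-1 defaults for anything not explicitly configured, and reports the settings a reviewer would want to see. The command syntax it recognises (aaa new-model, radius-server host, dot1x port-control, dot1x reauthentication, dot1x timeout, dot1x multiple-hosts) is assumed from typical Catalyst IOS 12.1E usage and is not quoted from this page; the interface names and RADIUS values are constructed.

```python
# Added example (not from the Cisco guide): audit a Catalyst IOS running-config
# against the 802.1X defaults in Table 25-1 and flag ports that still have the
# default force-authorized state (no client authentication) or that are in
# multiple-host mode. The config text is constructed; the dot1x/aaa/radius
# command syntax is assumed from typical Catalyst IOS 12.1E, not quoted here.
import re

# Defaults taken from Table 25-1 of the guide.
DEFAULTS = {
    "aaa": False,                        # AAA disabled
    "radius_host": None,                 # no RADIUS server IP specified
    "radius_auth_port": 1812,            # UDP authentication port
    "radius_key": None,                  # no RADIUS key specified
    "port_control": "force-authorized",  # per-interface 802.1X disabled
    "reauthentication": False,           # periodic reauthentication disabled
    "reauth_period": 3600,               # seconds between reauthentication attempts
    "quiet_period": 60,                  # seconds in quiet state after a failure
}

# Constructed sample running-config (interface names, addresses and the shared
# secret are placeholders).
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
interface FastEthernet3/1
 switchport
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 7200
!
interface FastEthernet3/2
 switchport
 dot1x port-control auto
 dot1x multiple-hosts
!
interface FastEthernet3/3
 switchport
!
interface GigabitEthernet1/1
 description uplink to core
 switchport trunk encapsulation dot1q
!
"""


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # "!" ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def global_settings(global_lines):
    """Overlay explicitly configured global AAA/RADIUS settings on the defaults."""
    s = {k: DEFAULTS[k] for k in ("aaa", "radius_host", "radius_auth_port", "radius_key")}
    for line in global_lines:
        if line == "aaa new-model":
            s["aaa"] = True
        m = re.match(r"radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port \d+)?(?: key (\S+))?", line)
        if m:
            s["radius_host"] = m.group(1)
            if m.group(2):
                s["radius_auth_port"] = int(m.group(2))
            if m.group(3):
                s["radius_key"] = m.group(3)
    return s


def port_settings(lines):
    """Overlay an interface's explicit dot1x commands on the per-port defaults."""
    s = {k: DEFAULTS[k] for k in ("port_control", "reauthentication", "reauth_period", "quiet_period")}
    s["multiple_hosts"] = False  # single-host (point-to-point) unless configured otherwise
    for line in lines:
        m = re.match(r"dot1x port-control (\S+)", line)
        if m:
            s["port_control"] = m.group(1)
            continue
        if line == "dot1x reauthentication":
            s["reauthentication"] = True
        elif line == "dot1x multiple-hosts":
            s["multiple_hosts"] = True
        else:
            m = re.match(r"dot1x timeout (reauth-period|quiet-period) (\d+)", line)
            if m:
                s[m.group(1).replace("-", "_")] = int(m.group(2))
    return s


def audit(text):
    """Return (global settings, per-port settings, list of human-readable findings)."""
    global_lines, interfaces = parse_config(text)
    g = global_settings(global_lines)
    findings = []
    if not g["aaa"]:
        findings.append("global: AAA disabled (default); 802.1X cannot authenticate clients")
    if g["radius_host"] is None or g["radius_key"] is None:
        findings.append("global: RADIUS server address or key not specified (default)")
    ports = {}
    for name, lines in interfaces.items():
        p = port_settings(lines)
        ports[name] = p
        if p["port_control"] == "force-authorized":
            findings.append(f"{name}: force-authorized (default); traffic passes without client authentication")
        if p["port_control"] == "auto" and not p["reauthentication"]:
            findings.append(f"{name}: periodic reauthentication disabled (default)")
        if p["multiple_hosts"]:
            findings.append(f"{name}: multiple-host port; all attached hosts gain access once one client authenticates")
    return g, ports, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[2]:
        print(finding)
```

On the constructed config the script reports FastEthernet3/2 twice (reauthentication left at its default and multiple-host mode), and both FastEthernet3/3 and the GigabitEthernet1/1 uplink as force-authorized. Trunk or uplink ports are normally excluded from 802.1X by design, so in practice the force-authorized check would be filtered to access ports; the point of the example is that every unconfigured port inherits the Table 25-1 defaults, not that every such port is a problem.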