Configuration manual
10-35
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-13270-03
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
the IEEE 802.1x authentication process (authentication timer inactivity or dot1x timeout
quiet-period and authentication timer reauthentication or dot1x timeout tx-period). The amount
to decrease the settings depends on the connected IEEE 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
– The feature is supported on IEEE 802.1x ports in single-host mode and multihost mode.
– If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
– If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
– You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN
and all the RADIUS servers are unavailable, the switch changes the port state to the critical
authentication state and the port remains in the restricted VLAN.
• You can configure the inaccessible bypass feature and port security on the same switch port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports)
or trunk ports; it is supported only on access ports.
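The restricted-VLAN guideline above can be checked mechanically against a saved running configuration. The following is an added example, not code from the Cisco guide: it flags ports whose restricted VLAN is an RSPAN VLAN or the port's voice VLAN, and restricted VLANs set on trunk or routed ports. It assumes the usual IOS layout (unindented `vlan`/`interface` lines, indented sub-commands) and uses standard IOS command spellings that this page does not show; the sample configuration is constructed.

```python
import re

# Constructed running-config excerpt (illustrative names and VLAN IDs).
SAMPLE_CONFIG = """\
vlan 50
 remote-span
interface Gi1/0/1
 switchport voice vlan 110
 dot1x auth-fail vlan 40
interface Gi1/0/2
 switchport voice vlan 110
 dot1x auth-fail vlan 110
interface Gi1/0/3
 authentication event fail action authorize vlan 50
interface Gi1/0/4
 switchport mode trunk
 dot1x auth-fail vlan 40
"""

RESTRICTED = re.compile(  # both command forms that set a restricted VLAN
    r"(?:dot1x auth-fail vlan|authentication event fail action authorize vlan) (\d+)$")

def parse_blocks(config):
    """Group indented sub-commands under their top-level line."""
    blocks, current = {}, []
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":
            current = blocks.setdefault(line.strip(), [])
        else:
            current.append(line.strip())
    return blocks

def audit_restricted_vlan(config):
    """Return {interface: [violated guidelines]} for restricted-VLAN ports."""
    blocks, findings = parse_blocks(config), {}
    rspan = {h.split()[1] for h, b in blocks.items()
             if h.startswith("vlan ") and "remote-span" in b}
    for header, body in blocks.items():
        vlans = [m.group(1) for c in body if (m := RESTRICTED.match(c))]
        if not header.startswith("interface ") or not vlans:
            continue
        checks = {
            "restricted VLAN is an RSPAN VLAN": vlans[-1] in rspan,
            "restricted VLAN is the voice VLAN": f"switchport voice vlan {vlans[-1]}" in body,
            "trunk port": "switchport mode trunk" in body,
            "routed port": "no switchport" in body,
        }
        findings[header.split(maxsplit=1)[1]] = [k for k, hit in checks.items() if hit]
    return {port: hits for port, hits in findings.items() if hits}
```

Calling `audit_restricted_vlan(SAMPLE_CONFIG)` reports Gi1/0/2, Gi1/0/3 and Gi1/0/4 and leaves the compliant Gi1/0/1 out of the result.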
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x
authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on
page 10-33.
• If you disable MAC authentication bypass from a port after the port has been authorized with its
MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not in the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added to
the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Maximum Number of Allowed Devices Per Port
This is the maximum number of devices allowed on an IEEE 802.1x-enabled port:
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with
a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice
VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one
IP phone is allowed for the voice VLAN.
• In multihost mode, only one IEEE 802.1x supplicant is allowed on the port, but an unlimited number
of non-IEEE 802.1x hosts are allowed on the access VLAN. An unlimited number of devices are
allowed on the voice VLAN.