Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
6-6
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
The specific exchange of EAP frames depends on the authentication method being used. Figure 6-3
shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP)
authentication method with a RADIUS server.
Figure 6-3 Message Exchange
If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC
authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet
packet from the client. The switch uses the MAC address of the client as its identity and includes this
information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server
sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes
authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest
VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops
the MAC authentication bypass process and stops IEEE 802.1x authentication.
Figure 6-4 shows the message exchange during MAC authentication bypass.
119943
Client
Port Authorized
Port Unauthorized
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/OTP
EAP-Response/OTP
EAP-Success
RADIUS Access-Request
RADIUS Access-Challenge
RADIUS Access-Request
RADIUS Access-Accept
EAPOL-Logoff
Authentication
server
(RADIUS)
Blade Switch