Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
6-22
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and
inaccessible authentication bypass:
• When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is
equal to a voice VLAN.
• The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports,
dynamic ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
• After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected,
you might need to get a host IP address from a DHCP server. You can change the settings for
restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the
client times out and tries to get a host IP address from the DHCP server. Decrease the settings for
the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period
interface configuration commands). The amount to decrease the settings depends on the connected
IEEE 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
–
The feature is supported on IEEE 802.1x port in single-host mode and multihosts mode.
–
If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
–
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
–
You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN
and all the RADIUS servers are unavailable, the switch changes the port state to the critical
authentication state and remains in the restricted VLAN.
–
You can configure the inaccessible bypass feature and port security on the same switch port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only
on access ports.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x
authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on
page 6-21.
• If you disable MAC authentication bypass from a port after the port has been authorized with its
MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added
to the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.