z
The switch sends authentication triggering request (EAP-Request/Identity) packets to all the
802.1x-enabled ports.
z
After the maximum number retries have been made and there are still ports that have not sent any
response back, the switch will then add these ports to the guest VLAN.
z
Users belonging to the guest VLAN can access the resources of the guest VLAN without being
authenticated. But they need to be authenticated when accessing external resources.
Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function.
Refer to
AAA Operation
for detailed information about the dynamic VLAN delivery function.
Enabling 802.1x re-authentication
802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have
passed authentication. With 802.1x re-authentication enabled, the switch can monitor the connection
status of users periodically. If the switch receives no re-authentication response from a user in a period
of time, it tears down the connection to the user. To connect to the switch again, the user needs to
initiate 802.1x authentication with the client software again.
z
When re-authenticating a user, a switch goes through the complete authentication process. It
transmits the username and password of the user to the server. The server may authenticate the
username and password, or, however, use re-authentication for only accounting and user
connection status checking and therefore does not authenticate the username and password any
more.
z
An authentication server running CAMS authenticates the username and password during
re-authentication of a user in the EAP authentication mode but does not in PAP or CHAP
authentication mode.
Figure 28-10
802.1x re-authentication
PC
Internet
PC
PC
RADIUS
Server
Switch
802.1x re-authentication can be enabled in one of the following two ways:
28-11