9-16
Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide
OL-12247-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Inaccessible authentication bypass interacts with these features:
•
Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest
VLAN is enabled on IEEE 8021.x port, the features interact as follows:
–
If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when
the switch does not receive a response to its EAP request/identity frame or when EAPOL
packets are not sent by the client.
–
If all the RADIUS servers are not available and the client is connected to a critical port, the
switch authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.
–
If all the RADIUS servers are not available and the client is not connected to a critical port, the
switch might not assign clients to the guest VLAN if one is configured.
–
If all the RADIUS servers are not available and if a client is connected to a critical port and was
previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
•
Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers
are unavailable, the switch puts the critical port in the critical-authentication state in the restricted
VLAN.
•
IEEE 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
•
Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
The access VLAN must be a secondary private VLAN.
•
Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
•
Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive
packets. When the status of a RADIUS server changes, the stack master sends the information to the
stack members. The stack members can then check the status of RADIUS servers when re-authenticating
critical ports.
If the new stack master is elected, the link between the switch stack and RADIUS server might change,
and the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If
the server status changes from dead to alive, the switch re-authenticates all switch ports in the
critical-authentication state.
When a member is added to the stack, the stack master sends the member the server status.
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
•
VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
•
PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of IEEE 802.1x authentication.