Dell POWEREDGE M1000E User Manual

10-4

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

•

If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass
is enabled, the switch grants the client access to the network by putting the port in the
critical-authentication state in the RADIUS-configured or the user-specified access VLAN.

Note

Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail
policy.

Figure 10-2

shows the authentication process.

If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions
that are applicable to voice authorization. For more information on MDA, see the

“Using Multidomain

Authentication” section on page 10-26

.

Figure 10-2

Authentication Flowchart

141679

Yes

No

Client
identity is
invalid

All authentication
servers are down.

All authentication
servers are down.

Client
identity is
valid

The switch gets an

EAPOL message,

and the EAPOL

message

exchange begins.

Yes

No

1

1

1

1 = This occurs if the switch does not detect EAPOL packets from the client.

Client MAC
address
identity
is invalid.

Client MAC
address
identity
is valid.

Is the client IEEE

802.1x capable?

Start IEEE 802.1x port-based

authentication.

Use inaccessible

authentication bypass

(critical authentication)

to assign the critical

port to a VLAN.

IEEE 802.1x authentication

process times out.

Is MAC authentication

bypass enabled?

Use MAC authentication

bypass.

Assign the port to

a guest VLAN.

Start

Done

Assign the port to

a VLAN.

Done

Done

Assign the port to

a VLAN.

Done

Assign the port to

a restricted VLAN.

Done