IEEE 802.1X Auth Fail VLAN
IEEE 802.1X Auth Fail VLAN
Last Updated: July 17, 2012
You can configure an authentication failed (auth fail) VLAN for each 802.1X port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1X-compliant and cannot access another VLAN because they fail the authentication process. An auth fail VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the auth fail VLAN.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for IEEE 802.1X Auth Fail VLAN
Before you configure auth fail VLAN, the switch need to be in single-host mode (see the see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1X Port-Based Authentication" chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(58)SE.
IEEE 802.1X Port-Based Network Access Control
You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the Configuring IEEE 802.1X Port-Based Authentication module.
The switch must be connected to a Cisco secure Access Control System (ACS) and RADIUS authentication, authorization, and accounting (AAA) must be configured for Web authentication. If appropriate, you must enable ACL download.
If the authentication order includes the 802.1X port authentication method, you must enable IEEE 802.1X authentication on the switch.
If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.
You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.
The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the Configuration Guide for CISCO Secure ACS.
Restrictions for IEEE 802.1X Auth Fail VLAN
Information About IEEE 802.1X Auth Fail VLAN
802.1X Authentication with Auth Fail VLAN
You can configure an auth fail VLAN for each 802.1X port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1X-compliant and cannot access another VLAN because they fail the authentication process. An auth fail VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the auth fail VLAN.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the auth fail VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured maximum number of authentication attempts, the port moves to the auth fail VLAN. The failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the auth fail VLAN, the failed attempt counter resets.
Users who fail authentication remain in the auth fail VLAN until the next reauthentication attempt. A port in the auth fail VLAN tries to reauthenticate at configured intervals (the default is 60 seconds). If reauthentication fails, the port remains in the auth fail VLAN. If reauthentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable reauthentication. If you do this, the only way to restart the authentication process is for the port to receive a link down or EAP logoff event. It is recommended that you keep reauthentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.
After a port moves to the auth fail VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1X auth fail VLAN. The auth fail VLAN feature is not supported on trunk ports; it is supported only on access ports.
Other security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on an auth fail VLAN.
How to Configure IEEE 802.1X Auth Fail VLAN
Configuring an IEEE 802.1X Auth Fail VLAN
To disable and remove the auth fail VLAN, use the no authentication event fail interface configuration command. The port returns to the default state.
Configuring the Number of Authentication Retries
You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.
Perform this optional task to configure the maximum number of allowed authentication attempts.
Configuration Examples for IEEE 802.1X Auth Fail VLAN
Example: Configuring IEEE 802.1X Auth Fail VLAN
Example: Configuring the Number of Authentication Retries
The following example specifies that after three failed authentication attempts the port is assigned to an auth fail VLAN:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitethernet0/3 Switch(config-if)# authentication event fail retry 3 action authorize vlan 40 Switch(config-if)# end
Feature Information for IEEE 802.1X Auth Fail VLAN
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.