
802.1X authentication

roy-sam
Level 1

I understand that dot1x can use either radius-eap or none as the authentication method. However, I cannot get it working with the following (no authentication):

> aaa authentication dot1x default none

However, my 802.1x works fine when I specify

> aaa authentication dot1x default group radius

So, why does the Cisco 3550 still prompt me for EAP authentication even though the authentication method is none?


jafrazie
Cisco Employee

dot1x cannot use "none" as an authentication method. This is a legacy leftover from existing aaa configs, and does not work with EAP. Currently, if EAP breaks for any reason, authentication cannot complete.

Hope this helps.

Hi

In that case, how do we back up the RADIUS server? Assuming we only have one RADIUS server.

thanks

Well, assuming you only had one, and didn't build any redundancy, 802.1x would not work for any subsequent auth sessions.

What would you need it to do?

Automatically unconfigure 802.1x when RADIUS dies?

Automatically unconfigure 802.1x when RADIUS dies and place into some other VLAN, so as not to "disturb" any other auth'd clients?

Fail closed?

We are not doing dynamic vlan assignment.

When RADIUS dies, the switch should by default authorize all the users.

If the customer is using dynamic VLAN assignment, I will vote for the second option:

Automatically unconfigure 802.1x when RADIUS dies and place into some other VLAN, so as not to "disturb" any other auth'd clients?

Maybe use the guest VLAN method.