802.1x Port-Based Authentication on a Catalyst 3560 switch

Unanswered Question
Apr 25th, 2007


When configuring the Catalyst 3560 to prevent unauthorized access to an enterprise LAN using 802.1x Port-Based Authentication, is there any way to allow a thin client to PXE boot off the network to obtain its OS image (e.g. WinXP SP2) and still maintain secure LAN access?

When it comes to Spanning Tree, PortFast can be enabled so that packets sent to the switch are forwarded by the switch first and then Spanning Tree is run to converge the network. This allows thin clients to PXE boot successfully because the initial packets are forwarded to the LAN.

Is there any option similar to PortFast that would allow thin clients or PXE boot clients to boot successfully before 802.1x EAP authentication actually takes place? If so, would someone please describe how this would be accomplished on a Catalyst 3560.



sachinraja Thu, 04/26/2007 - 05:06

Hello support,

How exactly does the thin client work? For any 802.1x implementation, you will need a dot1x supplicant like CSSC, Odyssey, etc., where you enter the dot1x credentials. Only if this software is installed does the switchport see the EAPOL frames and forward them to the RADIUS server. So, is this installed on your thin client? If not, you can configure the "guest-vlan" feature of dot1x on the port, and make sure this client goes, at least, to a guest VLAN, which will have limited access. You can refer to CCO about guest VLANs.

Hope this helps. All the best. Rate replies if found useful.


ArdenceSupport Fri, 04/27/2007 - 11:35

Thanks. Yes, I understand about using the 802.1x clients, however, in this case, the thin client requires PXE to boot off its network adapter to download its bootstrap file and proceed to boot off a server containing the client's image.

The issue is that if the client is connected to an 802.1x-enabled switch port, the PXE boot packets will not be forwarded by the switch until the client is authenticated and the client cannot get authenticated until it uses the 802.1x client on its OS image to send EAPOL frames.

Currently, the client will fail authentication during PXE boot and the client's port will get placed into the Guest VLAN as you indicated, but once the client boots and attempts to re-authenticate using the 802.1x client, the switch appears to stop forwarding any packets received from the client other than EAPOL frames during the re-authentication phase, which results in the thin client losing its connection to the server hosting the client's image.

If you have any other suggestions, they would be greatly appreciated.



