Cisco Catalyst 4500 Series Software Configuration Manual page 1285

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 49
Configuring 802.1X Port-Based Authentication
If a non-802.1X capable client is connected to an unauthorized 802.1X port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network. If a guest VLAN is configured on a port that connects to a client that does not support 802.1X, the port is placed in the configured guest VLAN and in the authorized state. For more information, see the "Using 802.1X for Guest VLANs" section on page 49-10.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the
authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request a fixed
number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.
You can control the port authorization state by using the authentication port-control interface configuration command (dot1x port-control auto command in Cisco IOS Release 12.2(46)SG and earlier releases) and these keywords:
- force-authorized: Disables 802.1X authentication and causes the port to transition to the authorized state without requiring an authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This setting is the default.
- force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client using the interface.
- auto: Allows 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received using the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch can uniquely identify each client attempting to access the network by the client's MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to
authorized, and all frames from the authenticated client are allowed using the port. If authentication fails, the port remains in
the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can
retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails
and network access is not granted.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received by the port, the port returns to
the unauthorized state.
If Multidomain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the "Using Multiple Domain Authentication and Multiple Authentication" section on page 49-22.
Figure 49-3 shows the authentication process.
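The following configuration is an added example, not taken from this guide, showing the three port-control keywords in context on an authenticator switch: the default force-authorized port for contrast, an auto port whose identity-request retry count and guest VLAN match the flow described above, and an MDA port for a phone with a PC behind it. The RADIUS server address, shared secret, VLAN numbers and interface names are placeholders.

```cisco
! Added example, not the guide's own configuration. Placeholder values:
! RADIUS server 192.0.2.10 (documentation address), the shared secret,
! VLANs 10/20/30 and interfaces Gi1/1-Gi1/3.

! --- Global: enable AAA and point 802.1X at the RADIUS server ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control

! --- Gi1/1: the default, shown for contrast ---
! force-authorized is the default: the port forwards traffic with no
! authentication exchange, so a port left at the default is an open port.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication port-control force-authorized

! --- Gi1/2: user port in auto mode ---
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
 ! EAP-Request/Identity is resent every 10 s, at most 2 retries; a client
 ! that never answers (non-802.1X capable) is then placed in guest VLAN 20
 ! rather than left in the unauthorized state.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 authentication event no-response action authorize vlan 20

! --- Gi1/3: IP phone with a PC behind it, multidomain authentication ---
interface GigabitEthernet1/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 dot1x pae authenticator
 authentication host-mode multi-domain
 authentication port-control auto

! --- Verify the authorized/unauthorized transitions described above ---
! show authentication sessions interface GigabitEthernet1/2
! show dot1x interface GigabitEthernet1/2 details
```

Audit the running configuration for access ports that still carry force-authorized (or no port-control line at all), since each of them bypasses 802.1X entirely.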
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About 802.1X Port-Based Authentication
49-5