Ieee 802.1X Authentication With Port Security - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
IEEE 802.1x Authentication with Port Security
In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x
enforces a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port
security is redundant and in some cases may interfere with expected IEEE 802.1x operations.
IEEE 802.1x Authentication with Wake-on-LAN
The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when
the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in
environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x
port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block
ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other
devices in the network.
If PortFast is not enabled on the port, the port is forced to the bidirectional state.
Note
When you configure a port as unidirectional by using the authentication control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to
the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive packets
from or send packets to the host.
IEEE 802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address by using the MAC
authentication bypass feature. For example, you can enable this feature on IEEE 802.1x ports connected to
devices such as printers.
If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch
tries to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC
address as the client identity. The authentication server has a database of client MAC addresses that are allowed
network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from
the client. The switch sends the authentication server a RADIUS-access/request frame with a username and
password based on the MAC address. If authorization succeeds, the switch grants the client access to the
network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. This process
works for most client devices; however, it does not work for clients that use an alternate MAC address format.
You can configure how MAB authentication is performed for clients with MAC addresses that deviate from
the standard format or where the RADIUS configuration requires the user name and password to differ.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About 802.1x Port-Based Authentication
1345
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
