802.1X Authentication With Wake-On-Lan; 802.1X Authentication With Mac Authentication Bypass - Cisco Catalyst 2975 Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
•
•
•
•
For more information about enabling port security on your switch, see the
section on page

802.1x Authentication with Wake-on-LAN

The 802.1x authentication with the wake-on-LAN (WoL) feature allows dormant PCs to be powered
when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature
in environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the 802.1x port
becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to
unauthorized 802.1x ports, including magic packets. While the port is unauthorized, the switch
continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot
send packets to other devices in the network.
If PortFast is not enabled on the port, the port is forced to the bidirectional state.
Note
When you configure a port as unidirectional by using the authentication control-direction in or dot1x
control-direction in interface configuration command, the port changes to the spanning-tree forwarding
state. The port can send packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both or dot1x
control-direction both interface configuration command, the port is access-controlled in both
directions. The port does not receive packets from or send packets to the host.

802.1x Authentication with MAC Authentication Bypass

You can configure the switch to authorize clients based on the client MAC address (see
page
on 802.1x ports connected to devices such as printers.
If 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries
to authorize the client by using MAC authentication bypass.
Catalyst 2975 Switch Software Configuration Guide
10-26
When an 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries
in the secure host table are cleared, including the entry for the client. Normal authentication then
takes place.
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
Port security and a voice VLAN can be configured simultaneously on an 802.1x port that is in either
single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID)
and the port VLAN identifier (PVID).
You can configure the authentication violation or dot1x violation-mode interface configuration
command so that a port shuts down, generates a syslog error, or discards packets from a new device
when it connects to an 802.1x-enabled port or when the maximum number of allowed devices have
been authenticated. For more information see the
section on page 10-37 and the command reference for this release.
23-9.
10-4) by using the MAC authentication bypass feature. For example, you can enable this feature
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
"Maximum Number of Allowed Devices Per Port"
"Configuring Port Security"
Figure 10-2 on
OL-19720-02