Using 802.1X With Port Security - Cisco 2950 - Catalyst Switch Configuration Manual

Software configuration guide
Understanding 802.1x Port-Based Authentication
Figure 10-3 Wireless LAN Example (figure not reproduced; labels: wireless clients, access point, authentication server (RADIUS))
Using 802.1x with Port Security

For switches running the enhanced software image (EI), you can enable an 802.1x port for port security
in either single-host or multiple-hosts mode. (You must also configure port security on the port by using
the switchport port-security interface configuration command.) When you enable port security and
802.1x on a port, 802.1x authenticates the port, and port security manages network access for all MAC
addresses, including that of the client. You can then limit the number or group of clients that can access
the network through an 802.1x port.
For more information about enabling port security on your switch, see the "Configuring Port Security" section on page 22-7.
These are some examples of the interaction between 802.1x and port security on the switch:
• When a client is authenticated, and the port security table is not full, the client's MAC address is
added to the port security list of secure hosts. The port then proceeds to come up normally.
• When a client is authenticated and manually configured for port security, it is guaranteed an entry
in the secure host table (unless port security static aging has been enabled).
• A security violation occurs if the client is authenticated, but the port security table is full. This can
happen if the maximum number of secure hosts has been statically configured, or if the client ages
out of the secure host table. If the client's address is aged out, its place in the secure host table can
be taken by another host.
The port security violation modes determine the action for security violations. For more
information, see the "Security Violations" section on page 22-8.
• When an 802.1x client logs off, the port transitions back to an unauthenticated state, and all dynamic
entries in the secure host table are cleared, including the entry for the client. Normal authentication
then takes place.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
• Port security and a voice VLAN can be configured simultaneously on an 802.1x port that is in either
single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID)
and the port VLAN identifier (PVID).
• When an 802.1x client address is manually removed from the port security table, we recommend
that you re-authenticate the client by entering the dot1x re-authenticate privileged EXEC
command.
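The combination described above, as an added configuration example that is not from the manual: it enables 802.1x in multiple-hosts mode together with port security on one Catalyst 2950 EI access port, sizes the secure host table so a second host does not immediately cause a violation, and selects the restrict violation mode so a violation is counted and logged rather than err-disabling the port. The interface name, VLAN, RADIUS server address and key are placeholders, and the exact dot1x keywords vary by software release (older releases use dot1x multiple-hosts, newer ones dot1x host-mode multi-host).

```cisco
! Added example (not from the manual). Placeholders: interface, VLAN, RADIUS address/key.
! --- global: AAA and a RADIUS server must exist before dot1x can authenticate anyone
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 key RADIUS-KEY-PLACEHOLDER
!
! --- access port: one supplicant authenticates the port (multiple-hosts mode),
!     port security then bounds how many MAC addresses may use it
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x multiple-hosts
 switchport port-security
 ! "maximum 1" would leave no secure-table slot for a second host behind a hub,
 ! so its first frame would be a violation; size the table deliberately instead
 switchport port-security maximum 3
 ! restrict: drop offending frames and count/log the violation; the default
 ! (shutdown) err-disables the whole port, taking the authenticated client down too
 switchport port-security violation restrict
 ! dynamic entries age out after 10 minutes of inactivity, freeing slots; an
 ! aged-out client can lose its slot to another host, as the manual notes
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! After manually removing an authenticated client's secure address, force the
! supplicant to re-authenticate (privileged EXEC; syntax assumed for this release):
! clear port-security dynamic interface FastEthernet0/1
! dot1x re-authenticate interface FastEthernet0/1
! Verification:
! show port-security interface FastEthernet0/1
! show dot1x interface FastEthernet0/1
```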
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-10, Chapter 10 Configuring 802.1x Port-Based Authentication, page 10-6