Cisco 300 Series Cli Manual page 56

Stackable managed switches

802.1X Commands
OL-32830-01 Command Line Interface Reference Guide
is the RADIUS assigned VLAN or the unauthenticated VLANs. See the
dot1x radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Sessions Mode
Unlike the single-host and multi-host modes (port-based modes), the
multi-sessions mode manages the authentication status for each host connected
to the port (session-based mode). If the multi-sessions mode is configured on a
port, the port does not have any authentication status. Any number of hosts can be
authorized on the port. The dot1x max-hosts command can limit the maximum
number of authorized hosts allowed on the port.
See "Dependencies Between Multi-Session Mode and System Mode" for more
information about the multi-sessions mode.
In Sx300 in switch mode each authorized client requires a TCAM rule. If there is no
available space in the TCAM, the authentication is rejected.
When using the dot1x host-mode command to change the port mode to
single-host or multi-host when authentication is enabled, the port state is set to
unauthorized.
If the dot1x host-mode command changes the port mode to multi-session when
authentication is enabled, the state of all attached hosts is set to unauthorized.
To change the port mode to single-host or multi-host, set the port (dot1x
port-control) to force-unauthorized, change the port mode to single-host or
multi-host, and set the port to authorization auto.
In Sx300 multi-sessions mode cannot be configured on the same interface
together with Policy Based VLANs configured by the following commands:
Tagged traffic belonging to the unauthenticated VLANs is always bridged,
regardless of whether a host is authorized or not.
When the guest VLAN is enabled, untagged and tagged traffic from unauthorized
hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.
Traffic from an authorized host is bridged in accordance with the port static
configuration. A user can specify that untagged and tagged traffic from the
authorized host not belonging to the unauthenticated VLANs will be remapped to
a VLAN that is assigned by a RADIUS server during the authentication process.
See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch does not remove from FDB the host MAC address learned on the port
when its authentication status is changed from authorized to unauthorized. The
MAC address will be removed after the aging timeout expires.
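The bridging rules described above for multi-sessions mode can be modelled as a small decision function, which makes it easy to audit which VLANs a host can reach without authenticating. This is an added example, not code from the Cisco guide; the names PortPolicy, bridge_decision and unauthenticated_reach are hypothetical, and the drop result for an unauthorized host with no guest VLAN is an assumption, since the page does not state that case.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class PortPolicy:
    unauth_vlans: frozenset       # VLANs exempt from 802.1X on this port
    guest_vlan: Optional[int]     # None means the guest VLAN is disabled
    radius_vlan_assignment: bool  # dot1x radius-attributes vlan enabled

def bridge_decision(policy: PortPolicy, authorized: bool, tag: Optional[int],
                    radius_vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, vlan) for one frame; tag=None means untagged."""
    # Tagged traffic in an unauthenticated VLAN is always bridged.
    if tag is not None and tag in policy.unauth_vlans:
        return ("bridge", tag)
    if not authorized:
        # Everything else from an unauthorized host goes to the guest VLAN.
        if policy.guest_vlan is not None:
            return ("bridge", policy.guest_vlan)
        return ("drop", None)  # assumption: case not stated on the page
    # Authorized host: remap to the RADIUS-assigned VLAN when enabled.
    if policy.radius_vlan_assignment and radius_vlan is not None:
        return ("bridge", radius_vlan)
    # Otherwise the port's static configuration decides.
    return ("static-config", tag)

def unauthenticated_reach(policy: PortPolicy) -> set:
    """VLANs an unauthorized host can send traffic into on this port."""
    reach = set()
    for tag in [None, *range(1, 4095)]:
        action, vlan = bridge_decision(policy, False, tag)
        if action == "bridge":
            reach.add(vlan)
    return reach

if __name__ == "__main__":
    # Constructed sample policy: VLAN 100 unauthenticated, guest VLAN 20.
    policy = PortPolicy(frozenset({100}), guest_vlan=20,
                        radius_vlan_assignment=True)
    frames = [(False, 100, None), (False, None, None), (False, 30, None),
              (True, None, 40), (True, 100, 40)]
    for authorized, tag, rvlan in frames:
        print(authorized, tag, bridge_decision(policy, authorized, tag, rvlan))
    print("reachable without authentication:",
          sorted(unauthenticated_reach(policy)))
```

The reach set is the part worth reviewing: every unauthenticated VLAN and the guest VLAN accept traffic from hosts that never authenticated.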