Using 802.1X With Port Security - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 44
Configuring 802.1X Port-Based Authentication

• Internal VLANs that are used for Layer 3 ports cannot be configured as authentication-failed VLANs.
• The authentication-failed VLAN is supported only in single-host mode (the default port mode). When a port is placed in an authentication-failed VLAN, the user's MAC address is added to the mac-address-table. If a new MAC address appears on the port, it is treated as a security violation.
• When an authentication-failed port is moved to an authentication-failed VLAN, the Catalyst 4500 series switch does not transmit a RADIUS Accounting Start message as it does for standard 802.1X authentication.

Using 802.1X with Port Security

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security by using the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. You can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

For information on selecting multiple host mode, see the "Resetting the 802.1X Configuration to the Default Values" section on page 44-92.

These examples describe the interaction between 802.1X and port security on a switch:
• When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.
• When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging was enabled).
• A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
  – If 802.1X detects the violation, the action is to error-disable the port.
  – If port security detects the violation, the action is to shut down or restrict the port (the action is configurable).
• The following describes when port security and 802.1X security violations occur:
  – In single-host mode, after the port is authorized, any MAC address received other than the client's causes an 802.1X security violation.
  – In single-host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to configured secure MAC addresses), a port security violation is triggered.
  – In multiple-host mode, once the port is authorized, any additional MAC address that cannot be installed because port security has reached its limit triggers a port security violation.
• When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.
• If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
• Only 802.1X can remove the client's MAC address from the port security table. Note that in multiple-host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.
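The interaction rules listed above can be checked against a small executable model. The Python code below is an added example, not Cisco's code and not part of the configuration guide; it models a port's host mode, its secure host table (static versus dynamic entries) and the two violation detectors exactly as the bullets describe, so that for each scenario you can see which feature fires and what action it takes. The MAC addresses are constructed sample values, and the `max_secure` and `ps_action` attributes are stand-ins for the port-security address limit and violation action that are set through `switchport port-security` options on the switch (the exact keywords are not on this page). Port security static aging and pre-authentication traffic are not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class HostMode(Enum):
    SINGLE = "single-host"   # default port mode
    MULTI = "multi-host"


class Detector(Enum):
    DOT1X = "802.1X"                  # an 802.1X violation error-disables the port
    PORT_SECURITY = "port-security"   # the port-security action is configurable


@dataclass
class Violation:
    detected_by: Detector
    action: str
    mac: str


@dataclass
class Port:
    host_mode: HostMode = HostMode.SINGLE
    max_secure: int = 1                 # assumed stand-in for the port-security address limit
    ps_action: str = "shutdown"         # assumed stand-in for the violation action: shutdown|restrict
    authorized: bool = False
    client_mac: Optional[str] = None    # the 802.1X-authenticated client
    secure_hosts: Dict[str, str] = field(default_factory=dict)   # mac -> "static" | "dynamic"
    err_disabled: bool = False
    violations: List[Violation] = field(default_factory=list)

    def add_static_secure_mac(self, mac: str) -> None:
        """A manually configured secure MAC is guaranteed an entry in the secure host table."""
        self.secure_hosts[mac] = "static"

    def _ps_violation(self, mac: str) -> Violation:
        v = Violation(Detector.PORT_SECURITY, self.ps_action, mac)
        self.violations.append(v)
        return v

    def _dot1x_violation(self, mac: str) -> Violation:
        v = Violation(Detector.DOT1X, "err-disable", mac)
        self.violations.append(v)
        self.err_disabled = True
        return v

    def authenticate(self, mac: str) -> Optional[Violation]:
        """The client passes 802.1X; its MAC must be installed in the secure host table."""
        if mac not in self.secure_hosts:
            if len(self.secure_hosts) >= self.max_secure:
                # Installation fails because port security is already at its limit
                # (for example, configured secure MACs): a port security violation.
                return self._ps_violation(mac)
            self.secure_hosts[mac] = "dynamic"
        self.authorized = True
        self.client_mac = mac
        return None

    def learn(self, mac: str) -> Optional[Violation]:
        """A frame from `mac` arrives on the port after it has been authorized."""
        if not self.authorized or self.err_disabled or mac == self.client_mac:
            return None
        if self.host_mode is HostMode.SINGLE:
            # Single-host mode: any MAC other than the client's is an 802.1X violation.
            return self._dot1x_violation(mac)
        if mac in self.secure_hosts:
            return None
        if len(self.secure_hosts) >= self.max_secure:
            # Multi-host mode: the extra MAC cannot be installed, so port security fires.
            return self._ps_violation(mac)
        self.secure_hosts[mac] = "dynamic"
        return None

    def logoff(self) -> None:
        """802.1X logoff or administrative shutdown: unauthenticated, dynamic entries cleared."""
        self.authorized = False
        self.client_mac = None
        self.secure_hosts = {m: k for m, k in self.secure_hosts.items() if k == "static"}

    def clear_secure_mac(self, mac: str) -> bool:
        """Port security CLI can delete learned MACs, but never the 802.1X client's entry."""
        if mac == self.client_mac or self.secure_hosts.get(mac) != "dynamic":
            return False
        del self.secure_hosts[mac]
        return True


if __name__ == "__main__":
    # Constructed walk-through: single-host port, then a multi-host port with limit 2.
    single = Port()
    single.authenticate("0000.0000.0001")
    print(single.learn("0000.0000.0002"))          # 802.1X violation, port err-disabled
    multi = Port(host_mode=HostMode.MULTI, max_secure=2, ps_action="restrict")
    multi.authenticate("0000.0000.0001")
    multi.learn("0000.0000.0002")
    print(multi.learn("0000.0000.0003"))           # port security violation, action restrict
```

Running the module prints the two violations the bullets predict: in single-host mode the second MAC is caught by 802.1X and the port is error-disabled, while in multi-host mode the third MAC exceeds the port-security limit and port security applies its configured action. `logoff()` keeps only static entries, and `clear_secure_mac()` refuses to remove the client's own address, matching the last two bullets.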
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01
About 802.1X Port-Based Authentication
44-19
