Cisco Catalyst 4500 series Administration Manual page 1144


About 802.1X Port-Based Authentication
auto—Allows 802.1X authentication and causes the port to begin in the unauthorized state, allowing
only EAPOL frames to be sent and received using the port. The authentication process begins when
the link state of the port transitions from down to up or when an EAPOL-start frame is received. The
switch requests the identity of the client and begins relaying authentication messages between the
client and the authentication server. The switch can uniquely identify each client attempting to
access the network by the client's MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed using the port.
If authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the
authentication server cannot be reached, the switch can retransmit the request. If no response is received
from the server after the specified number of attempts, authentication fails and network access is not
granted.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received by the
port, the port returns to the unauthorized state.
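The port behavior described above can be modeled as a small state machine. This is an added example, not Cisco code: the event names, the `AutoPort` class, the default attempt limit, and the rule that an authorized port passes only frames from the authenticated client's MAC are assumptions made for illustration.

```python
from enum import Enum

EAPOL_ETHERTYPE = 0x888E  # EtherType assigned to IEEE 802.1X EAPOL frames


class State(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


class AutoPort:
    """Simplified model of a port in auto mode (hypothetical, single client)."""

    def __init__(self, max_server_attempts=3):  # attempt limit is an assumed value
        self.max_server_attempts = max_server_attempts
        self._reset()

    def _reset(self):
        self.state, self.authenticating = State.UNAUTHORIZED, False
        self.client_mac, self.attempts = None, 0

    def event(self, name, mac=None):
        if name in ("link_down", "eapol_logoff"):
            self._reset()                       # port returns to unauthorized
        elif name in ("link_up", "eapol_start"):
            if self.state is State.UNAUTHORIZED:
                self.authenticating, self.attempts = True, 0
                self.client_mac = mac or self.client_mac
        elif not self.authenticating:
            pass                                # no exchange in progress: ignore
        elif name == "server_accept":
            self.state, self.authenticating = State.AUTHORIZED, False
        elif name == "server_reject":
            self.authenticating = False         # stays unauthorized, retry allowed
        elif name == "server_timeout":
            self.attempts += 1                  # switch retransmits the request
            if self.attempts >= self.max_server_attempts:
                self.authenticating = False     # authentication fails
        return self.state

    def permits(self, src_mac, ethertype):
        """Return True if the port would pass this frame."""
        if ethertype == EAPOL_ETHERTYPE:
            return True                         # EAPOL passes in either state
        return self.state is State.AUTHORIZED and src_mac == self.client_mac
```
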
If Multidomain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions
that are applicable to voice authorization. For more information on MDA, see the
"Using Multiple Domain Authentication and Multiple Authentication" section on page 46-24.
Figure 46-3 shows the authentication process.

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E, Chapter 46: Configuring 802.1X Port-Based Authentication, page 46-6, OL_28731-01
