Using 802.1X With Unidirectional Controlled Port - Cisco Catalyst 4500 series Administration Manual

About 802.1X Port-Based Authentication
Note
Inaccessible Authentication Bypass allows a voice client to access the configured voice VLAN when
RADIUS becomes unavailable. For the voice device to operate properly, it must learn the voice VLAN
ID through other protocols such as CDP, LLDP, or DHCP, wherever appropriate. When a RADIUS server
is unavailable, it may not be possible for a switch to recognize a MAC address as that of a voice device.
Therefore, when Inaccessible Authentication Bypass is configured for voice devices, it should also be
configured for data. Voice devices may be authorized on both critical data and voice VLANs. If port
security is enabled, this may affect the maximum port security entries enforced on the port.
By default, data clients that were already authorized when RADIUS becomes unavailable are unaffected
by Inaccessible Authentication Bypass. To reauthenticate all authorized data clients on the port when
RADIUS becomes unavailable, use the authentication server dead action reinitialize vlan interface
configuration command. This command is intended for multiauthentication mode and is mutually
exclusive with the authentication server dead action authorize vlan command.
Note
In multiauthentication mode, you cannot use the authentication server dead action authorize vlan
command to enable Inaccessible Authentication Bypass for data clients; it has no effect. Instead, use the
authentication server dead action reinitialize vlan vlan-id command.
When RADIUS becomes available, critically authorized ports can be configured to automatically
reauthenticate themselves.
Note
To properly detect RADIUS server availability, the test username name option should be enabled in the
radius-server host command. For details on how to configure RADIUS server, see the
"Configuring Switch-to-RADIUS-Server Communication" section on page 46-35.
Inaccessible Authentication Bypass cannot activate after a port falls back to Web-based authentication.
For details on how to configure Web-based authentication, see Chapter 48, "Configuring Web-Based
Authentication."
For details on how to configure Inaccessible Authentication Bypass, see Chapter 48, "Configuring
Web-Based Authentication".

Using 802.1X with Unidirectional Controlled Port

Unidirectional Controlled Port is a combined hardware and software feature that allows dormant PCs to
be powered on based on the receipt of a specific Ethernet frame, known as the magic packet. Generally,
Unidirectional Controlled Port is used in environments where administrators plan to manage remote
systems during off-hours, when the systems usually have been powered down.
Use of Unidirectional Controlled Port with hosts attached through 802.1X ports presents a unique
problem: when the host powers down, an 802.1X port becomes unauthorized. In this state, the port allows
the receipt and transmission of EAPoL packets only. The Unidirectional Controlled Port magic packet
cannot reach the host; without powering up, the PC cannot authenticate and open the port.
Unidirectional Controlled Port solves this problem by allowing packets to be transmitted on
unauthorized 802.1X ports.
Note
Unidirectional Controlled Port only works when Spanning Tree PortFast is enabled on the port.
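The notes in this section and the preceding one each describe a configuration condition that is easy to get wrong and silently leaves the feature inoperative: a radius-server host without the test username option (server death is never detected, so Inaccessible Authentication Bypass never triggers), a multiauthentication port using dead action authorize vlan instead of reinitialize vlan (no effect on data clients), and a Unidirectional Controlled Port without Spanning Tree PortFast. The following Python audit is an added example, not code from the Cisco guide; it parses an IOS-style running-config and reports those three conditions. The sample configuration, interface names, addresses, VLAN IDs and shared secret are constructed placeholders. It assumes the full IOS command forms `dot1x control-direction in` (the command that enables Unidirectional Controlled Port) and `authentication event server dead action ...` (the form the guide abbreviates as "authentication server dead action"); neither form appears on this page.

```python
"""Audit an IOS-style running-config for the 802.1X caveats noted above.

Added example, not from the Cisco guide. Rules:
  1. every 'radius-server host' entry carries 'test username' (needed to detect
     a dead server, so Inaccessible Authentication Bypass can activate);
  2. multi-auth ports use 'dead action reinitialize vlan', because
     'dead action authorize vlan' has no effect on data clients there;
  3. ports with 'dot1x control-direction in' (Unidirectional Controlled Port)
     also have 'spanning-tree portfast', without which the feature does not work.
Command forms are assumed from general IOS syntax; not taken from this page.
"""
from dataclasses import dataclass

# Constructed sample running-config: interface names, addresses, VLAN IDs and
# the shared secret are placeholders, not a real device.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key PLACEHOLDER-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server deadtime 10
!
interface GigabitEthernet1/1
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 spanning-tree portfast
!
interface GigabitEthernet1/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication event server dead action reinitialize vlan 10
 authentication event server alive action reinitialize
 dot1x control-direction in
 spanning-tree portfast
!
interface GigabitEthernet1/3
 switchport mode access
 authentication port-control auto
 dot1x control-direction in
!
"""


@dataclass(frozen=True)
class Finding:
    check: str   # identifier of the rule that fired
    where: str   # interface name or RADIUS host address it applies to
    fix: str     # the change the guide's text implies


def parse_config(text):
    """Split IOS config text into global commands and per-interface sub-command lists.

    An interface block starts at a line beginning with 'interface ' and runs
    through the indented lines that follow it; a bare '!' ends the block.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return the list of Findings for a running-config, in config order."""
    global_lines, interfaces = parse_config(text)
    findings = []
    # Rule 1: dead-server detection needs a test user on every RADIUS host.
    for line in global_lines:
        if line.startswith("radius-server host ") and "test username" not in line:
            findings.append(Finding("radius-no-test-user", line.split()[2],
                                    "add 'test username <name>' so a dead server is detected"))
    for name, lines in interfaces.items():
        multi_auth = "authentication host-mode multi-auth" in lines
        authorize_vlan = any(
            l.startswith("authentication event server dead action authorize vlan") for l in lines)
        unidirectional = "dot1x control-direction in" in lines
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        # Rule 2: 'authorize vlan' does nothing for data clients in multi-auth mode.
        if multi_auth and authorize_vlan:
            findings.append(Finding("multiauth-authorize-vlan", name,
                                    "use 'dead action reinitialize vlan <id>' instead"))
        # Rule 3: Unidirectional Controlled Port requires PortFast on the port.
        if unidirectional and not portfast:
            findings.append(Finding("unidirectional-no-portfast", name,
                                    "add 'spanning-tree portfast'"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.check:28} {f.where:20} {f.fix}")
```

Run against the sample, the audit reports the second RADIUS host (no test username), GigabitEthernet1/1 (multi-auth with authorize vlan) and GigabitEthernet1/3 (control-direction in without PortFast); GigabitEthernet1/2 carries the settings the notes call for and produces nothing. Feed it the output of show running-config instead of SAMPLE_CONFIG to use it on a real device.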
Chapter 46, Configuring 802.1X Port-Based Authentication
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E, OL_28731-01, page 46-16
