802.1X Authentication With Port Security; 802.1X Authentication With Wake-On-Lan; 802.1X Authentication With Mac Authentication Bypass - Cisco Catalyst 2960 Software Configuration Manual

Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the switch
grants the phones network access without authenticating them. We recommend that you use multidomain
authentication (MDA) on the port to authenticate both a data device and a voice device, such as an IP
phone.
Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which
a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter 15, "Configuring Voice VLAN."

802.1x Authentication with Port Security

In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE
802.1x enforces a single MAC address per port (or per VLAN when MDA is configured for IP
telephony), port security is redundant and in some cases may interfere with expected IEEE 802.1x
operations.

802.1x Authentication with Wake-on-LAN

The 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered on
when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature
in environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the 802.1x port
becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to
unauthorized 802.1x ports, including magic packets. While the port is unauthorized, the switch
continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot
send packets to other devices in the network.
Note: If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the authentication control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both
interface configuration command, the port is access-controlled in both directions. The port does not
receive packets from or send packets to the host.
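
The two control-direction settings described above, side by side, as an added configuration example that is not taken from the Cisco guide. The interface numbers, VLAN 10 and the description text are assumptions, and a RADIUS server definition is assumed to exist already.

```cisco
! Added example: interface numbers, VLAN 10 and descriptions are assumptions.
! Global prerequisites (RADIUS server definition assumed to be configured).
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! WoL-capable PC port. Access control applies to ingress only, so the switch
! can still send magic packets to the host while the port is unauthorized.
! PortFast is enabled because without it the port is forced to bidirectional.
interface GigabitEthernet0/1
 description WoL desktop (constructed example)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication control-direction in
 dot1x pae authenticator
 spanning-tree portfast
!
! Port with no WoL requirement. Access-controlled in both directions, so an
! unauthorized host neither sends nor receives anything except EAPOL.
interface GigabitEthernet0/2
 description Standard desktop (constructed example)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication control-direction both
 dot1x pae authenticator
 spanning-tree portfast
```

With `authentication control-direction in`, an unauthorized host still receives traffic the switch forwards to that port, so limit the setting to ports that actually need WoL. `show authentication sessions interface gigabitethernet0/1` displays the session state for the port.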

802.1x Authentication with MAC Authentication Bypass

You can configure the switch to authorize clients based on the client MAC address (see Figure 10-2 on
page 10-4) by using the MAC authentication bypass feature. For example, you can enable this feature
on 802.1x ports connected to devices such as printers.

Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE, OL-26520-01, page 10-29
