Using 802.1X With Unidirectional Controlled Port - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 49
Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication

Using 802.1X with Unidirectional Controlled Port

Unidirectional Controlled Port is a combined hardware and software feature that allows dormant PCs to be powered on based
on the receipt of a specific Ethernet frame, known as the magic packet. Generally, Unidirectional Controlled Port is used in
environments where administrators plan to manage remote systems during off-hours, when the systems usually have been
powered down.
Use of Unidirectional Controlled Port with hosts attached through 802.1X ports presents a unique problem: when the host
powers down, an 802.1X port becomes unauthorized. In this state, the port allows the receipt and transmission of EAPoL packets
only. The Unidirectional Controlled Port magic packet cannot reach the host; without powering up, the PC cannot authenticate
and open the port.
Unidirectional Controlled Port solves this problem by allowing packets to be transmitted on unauthorized 802.1X ports.
Unidirectional Controlled Port only works when Spanning Tree PortFast is enabled on the port.
Note: For details on how to configure 802.1X with Unidirectional Controlled Port, see the "Configuring 802.1X with Unidirectional Controlled Port" section on page 49-66.
Unidirectional State
A unidirectional controlled port is typically configured when a connected host might enter a sleeping mode or power-down
state. When either occurs, the host does not exchange traffic with other devices in the network. A host connected to the
unidirectional port cannot send traffic to the network; it can only receive traffic from other devices in the network.
When you configure a port as unidirectional (with the authentication control-direction in interface configuration command),
the port will receive traffic in VLANs on that port, but it is not put into a spanning-tree forwarding state. If a VLAN contains
only unauthenticated ports, any SVI on that VLAN will be in a down state, during which packets will not be routed into the
VLAN. For the SVI to be up, and so enable packets to be routed into the VLAN, at least one port in the VLAN must either be
authenticated or in the spanning-tree forwarding state.
Bidirectional State
When you configure a port as bidirectional by using the authentication control-direction both interface configuration
command (or the dot1x control-direction both interface configuration command for Cisco IOS Release 12.2(46) or earlier),
the port is access-controlled in both directions. In this state, except for EAPOL packets, a switch port does not receive or send
packets.
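The unidirectional and bidirectional states above, shown side by side as an added IOS CLI example (this is not configuration from the Cisco guide). Interface names and the VLAN number are assumptions, and global AAA/RADIUS and dot1x system-auth-control are assumed to be configured already. The first port is the reduced-control case: egress traffic such as the magic packet reaches the dormant host while the port is still unauthorized, so it belongs only on ports where Wake-on-LAN is actually needed; the second port keeps the default bidirectional control.

```cisco
! Added example, not from the Cisco guide. Interface and VLAN numbers are
! assumptions; global AAA, RADIUS and dot1x system-auth-control are assumed
! to be in place already.
configure terminal
 !
 ! Unidirectional controlled port: while unauthorized, the port still sends
 ! traffic (e.g. the Wake-on-LAN magic packet) toward the host, but accepts
 ! nothing but EAPOL from the host. PortFast is required for this to work.
 interface GigabitEthernet1/1
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
  dot1x pae authenticator
  authentication port-control auto
  authentication control-direction in
 exit
 !
 ! Bidirectional controlled port (the default): while unauthorized, nothing
 ! but EAPOL is sent or received. Use this on ports that never need WoL.
 interface GigabitEthernet1/2
  switchport mode access
  switchport access vlan 10
  spanning-tree portfast
  dot1x pae authenticator
  authentication port-control auto
  authentication control-direction both
 exit
end
!
! Check which direction is controlled and the current authorization state
show dot1x interface GigabitEthernet1/1 details
show authentication sessions interface GigabitEthernet1/1
```

Because a VLAN made up only of unauthenticated unidirectional ports leaves its SVI down, the show commands are also the quickest way to confirm that at least one port in VLAN 10 is authenticated or forwarding before expecting routed traffic to reach the sleeping host.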
Using 802.1X with VLAN User Distribution
An alternative to dynamically assigning a VLAN ID or a VLAN name is to assign a VLAN group name. The 802.1X VLAN
User Distribution feature allows you to distribute users belonging to the same group (and characterized by a common VLAN
group name) across multiple VLANs. You usually do this to avoid creating an overly large broadcast domain.
For example, with this feature, you can download a common VLAN group name (similar to ENG-Group, for all the users
belonging to the engineering organization) from the authentication server to all the access-layer switches. The VLAN group
name is then individually mapped to a different VLAN on each access-layer switch. The same VLAN number need not be
spanned across separate switches. Similarly, the VLANs do not need to be renamed at the edge devices.
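The VLAN group mapping described above, as an added example that is not part of the Cisco guide. ENG-Group is the group name used in the text; the switch names, VLAN numbers and the RADIUS attribute values are assumptions, with the server side using the standard RFC 3580 tunnel attributes. The same group name comes back from the authentication server to every access switch, and each switch resolves it to its own local VLAN list.

```cisco
! Added example, not from the Cisco guide. Switch names and VLAN numbers are
! assumptions; ENG-Group is the group name from the text.
!
! RADIUS side (standard RFC 3580 attributes in the Access-Accept for an
! engineering user; the same reply is sent to every access switch):
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = ENG-Group
!
! Switch A: ENG-Group maps to two local VLANs, so engineering users on this
! switch are spread across VLAN 10 and VLAN 20 instead of one large domain.
configure terminal
 vlan 10,20
 exit
 vlan group ENG-Group vlan-list 10,20
end
!
! Switch B: same group name, different local VLANs. The VLAN numbers are not
! spanned between switches and no VLAN has to be renamed at the edge.
configure terminal
 vlan 110,120
 exit
 vlan group ENG-Group vlan-list 110,120
end
!
! Confirm the group-to-VLAN mapping on each switch
show vlan group
```

A user whose Access-Accept names a group that is not defined on the receiving switch has no VLAN to land in, so keeping the group name identical on the server and on every access switch is the check to make before rolling the attribute out.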
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
49-15