Using 802.1X With Port Security - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)EX
About 802.1X Port-Based Authentication
If you reconfigure the maximum number of authentication failures allowed by the VLAN, the change takes effect after the reauthentication timer expires.
Internal VLANs that are used for Layer 3 ports cannot be configured as authentication-failed VLANs.
The authentication-failed VLAN is supported only in single-host mode (the default port mode).
When a port is placed in an authentication-failed VLAN, the user's MAC address is added to the MAC address table. If a new MAC address appears on the port, it is treated as a security violation.
When an authentication-failed port is moved to an authentication-failed VLAN, the Catalyst 4500 series switch does not transmit a RADIUS Accounting-Start message as it does for standard 802.1X authentication.

Using 802.1X with Port Security

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port
security by using the switchport port-security interface configuration command.) When you enable port security and 802.1X
on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port,
including that of the client. You can use an 802.1X port with port security enabled to limit the number or group of clients that
can access the network.
For information on selecting multiple host mode, see the "Resetting the 802.1X Configuration to the Default Values" section on page 49-95.
These examples describe the interaction between 802.1X and port security on a switch:
When a client is authenticated and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.
When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging was enabled).
A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
If 802.1X detects the violation, the action is to error-disable the port.
If port security detects the violation, the action is to shut down or restrict the port (the action is configurable).
The following describes when port security and 802.1X security violations occur:
In single-host mode, after the port is authorized, any MAC address received other than the client's causes an 802.1X security violation.
In single-host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to configured secure MAC addresses), a port security violation is triggered.
In multiple-host mode, once the port is authorized, any additional MAC address that cannot be installed because port security has reached its limit triggers a port security violation.
When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.
If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
Only 802.1X can remove the client's MAC address from the port security table. Note that in multiple-host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.
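The combination described above (802.1X plus port security on a single-host and a multi-host port), as an added example that is not from the Cisco guide; the interface names, VLAN number, RADIUS server address and key are assumed placeholders.

```cisco
! Added example, not from the Cisco guide. Interface names, VLAN number and the
! RADIUS server address/key are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Single-host port: 802.1X authorizes the port, port security allows exactly one MAC.
! After authorization, any MAC other than the client's is an 802.1X violation
! (err-disable). Do not add a static "switchport port-security mac-address" here:
! with maximum 1 it leaves no room for the client's MAC, so installing it fails
! and port security, not 802.1X, raises the violation.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
!
! Multi-host port (several devices behind an unmanaged switch): the first client
! authenticates the port; port security caps the learned MACs at 3 and applies
! the configured action (restrict, here) to any further MAC.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-host
!
! Let err-disabled ports recover automatically instead of staying down until
! an administrator intervenes (802.1X and port-security causes are separate).
errdisable recovery cause security-violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify the result with show authentication sessions interface GigabitEthernet1/1 and show port-security interface GigabitEthernet1/2; the second command shows the configured maximum, the current secure-host count and the violation action.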
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex, Chapter 49, Configuring 802.1X Port-Based Authentication, page 49-18