Ports In Authorized And Unauthorized States - Cisco Catalyst 2960 series Configuration Manual

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)

Information About 802.1x Port-Based Authentication
| The authentication manager commands in Cisco IOS Release 12.2(50)SE or later | The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier | Description |
| --- | --- | --- |
| authentication fallback fallback-profile | dot1x fallback fallback-profile | Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication. |
| authentication host-mode [multi-auth \| multi-domain \| multi-host \| single-host] | dot1x host-mode {single-host \| multi-host \| multi-domain} | Allow a single host (client) or multiple hosts on an 802.1x-authorized port. |
| authentication order | mab | Provides the flexibility to define the order of authentication methods to be used. |
| authentication periodic | dot1x reauthentication | Enable periodic re-authentication of the client. |
| authentication port-control {auto \| force-authorized \| force-unauthorized} | dot1x port-control {auto \| force-authorized \| force-unauthorized} | Enable manual control of the authorization state of the port. |
| authentication timer | dot1x timeout | Set the 802.1x timers. |
| authentication violation {protect \| restrict \| shutdown} | dot1x violation-mode {shutdown \| restrict \| protect} | Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |

Ports in Authorized and Unauthorized States

During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets. When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and 802.1x protocol packets before the client is successfully authenticated.

Note: CDP bypass is not supported and may cause a port to go into err-disabled state.

If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

In contrast, when an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the
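
Added example (not part of the Cisco guide): a Python sketch that reads an IOS configuration and classifies each access port by its port-control setting, accepting both the `authentication port-control` form and the legacy `dot1x port-control` form from the command table. The sample configuration, interface names and labels are constructed for illustration, and only ports with an explicit `switchport mode access` line are audited.

```python
import re

# Constructed sample configuration; interface names are illustrative assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

# Both spellings from the command table: current syntax and the legacy dot1x one.
PORT_CONTROL = re.compile(
    r"^(authentication|dot1x) port-control (auto|force-authorized|force-unauthorized)$")
# An interface stanza is the "interface" line plus the indented lines that follow it.
STANZA = re.compile(r"^interface (.+)\n((?: .*\n?)*)", re.M)
# Labels are this example's own. "unset" is reported separately because a port
# with no port-control line falls back to the default, force-authorized.
LABEL = {"auto": "enforced", "force-authorized": "open",
         "force-unauthorized": "blocked", None: "unset"}

def audit_port_control(config_text):
    """Map each access port to (label, keyword used); other ports are skipped."""
    report = {}
    for name, block in STANZA.findall(config_text):
        body = [" ".join(line.split()) for line in block.splitlines()]
        if "switchport mode access" not in body:
            continue
        hits = [m for m in map(PORT_CONTROL.match, body) if m]
        mode = hits[-1].group(2) if hits else None      # last line wins
        keyword = hits[-1].group(1) if hits else None   # "dot1x" means legacy syntax
        report[name.strip()] = (LABEL[mode], keyword)
    return report

def ports_without_authentication(config_text):
    """Access ports where a client reaches the network without 802.1x."""
    report = audit_port_control(config_text)
    return sorted(n for n, (label, _) in report.items() if label in ("open", "unset"))
```

Ports reported with the `dot1x` keyword are also candidates for migration to the authentication manager syntax listed in the table.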
