X Authentication With Wake-On-Lan - Cisco 3032 Software Configuration Manual

Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
•
•
•
•
You can configure the authentication violation or dot1x violation-mode interface configuration com-
mand so that a port shuts down, generates a syslog error, or discards packets from a new device when it
connects to an IEEE 802.1x-enabled port or when the maximum number of allowed devices have been
authenticated. For more information see the
on page 9-36
For more information about enabling port security on your switch, see the
section on page

802.1x Authentication with Wake-on-LAN

The 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when
the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in
environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the IEEE 802.1x
port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to
block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to
other devices in the network.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the dot1x control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the dot1x control-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive
packets from or send packets to the host.
OL-12247-04
The port security violation modes determine the action for security violations. For more
information, see the "Security Violations" section on page
When you manually remove an 802.1x client address from the port security table by using the no
switchport port-security mac-address mac-address interface configuration command, you should
re-authenticate the 802.1x client by using the dot1x re-authenticate interface interface-id
privileged EXEC command.
When an 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries
in the secure host table are cleared, including the entry for the client. Normal authentication then
takes place.
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
Port security and a voice VLAN can be configured simultaneously on an 802.1x port that is in either
single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID)
and the port VLAN identifier (PVID).
and the command reference for this release.
26-8.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Understanding IEEE 802.1x Port-Based Authentication
26-10.
"Maximum Number of Allowed Devices Per Port" section
"Configuring Port Security"
9-25