Configuring Port-Based and Client-Based Access Control (802.1X)
Note:
■ The first client to authenticate on a port configured to support multiple clients will determine the port's VLAN membership for any subsequent clients that authenticate while an active session is already in effect.

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices

If 802.1X authentication is disabled on a port or set to authorized (Force Authorize), the port can allow access to a non-authenticated client. Port-Security operates with 802.1X authentication only if the selected ports are configured as 802.1X with the control mode in the port-access authenticator command set to auto (the default setting). For example, if port A10 was at a non-default 802.1X setting and you wanted to configure it to support the port-security option, you would use the following aaa port-access command:

Figure 9-6. Port-Access Support for Port-Security Operation
[Figure not reproduced in this extraction; callout: "Control mode required for Port-Security Support"]

Port-Security

If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access.

In addition to the above, to use port-security on an authenticator port (chapter 10), use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn. (Using client-limit sets 802.1X to client-based operation on the specified ports.) When this limit is reached, no further devices can be authenticated until a currently authenticated device disconnects and the current delay period or logoff period has expired.
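The following CLI sequence is an added example (not the guide's Figure 9-6, and not the switch vendor's own text) showing the weak control-mode setting beside the combination this section requires; it assumes port A10, a client limit of 2, and that the aaa port-access authenticator, port-security learn-mode and client-limit command syntax matches this switch family.

```text
# Annotation lines (starting with '#') are added commentary, not switch input.
# Assumed port: A10. Assumed client limit: 2 authenticated MAC addresses.

# Weak combination: control "authorized" (Force Authorize) opens A10 to any
# client without authentication, so port-security gains nothing from 802.1X.
ProCurve(config)# aaa port-access authenticator A10 control authorized
ProCurve(config)# port-security A10 learn-mode port-access

# Required combination: control mode "auto" (the default) is what lets
# port-security operate with 802.1X on this port.
ProCurve(config)# aaa port-access authenticator A10 control auto

# learn-mode must be continuous (default) or port-access; port-access means
# only MAC addresses of 802.1X-authenticated devices are learned on A10.
ProCurve(config)# port-security A10 learn-mode port-access

# client-limit switches A10 to client-based 802.1X and caps authenticated
# devices at 2; a third client is refused until an existing client disconnects
# and the delay or logoff period has expired.
ProCurve(config)# aaa port-access authenticator A10 client-limit 2

# The authenticator must be active for the per-port settings to take effect.
ProCurve(config)# aaa port-access authenticator active

# Verify control mode, client limit and learn mode on A10.
ProCurve(config)# show port-access authenticator A10
ProCurve(config)# show port-security A10
```

Check the show output after applying the commands: if the control mode still reads "authorized", port-security is not restricting A10 to authenticated devices.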