Ports In Authorized And Unauthorized States - Cisco WS-C2948G-GE-TX Configuration Manual

Understanding How 802.1x Authentication Works

Ports in Authorized and Unauthorized States

The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1x protocol packets. When a host is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the host to flow normally.

If a host that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the host's identity. If the host does not respond to the request, the port remains in the unauthorized state, and the host is not granted access to the network.

When an 802.1x-enabled host connects to a port that is not running the 802.1x protocol, the host initiates the authentication process by sending the EAPOL-start frame. When no response is received, the host sends the request a fixed number of times. If no response is received, the host begins sending frames as if the port is in the authorized state.

You control the port authorization state by using the set port dot1x mod/port port-control command and these keywords:

force-authorized—Disables 802.1x authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the host. This is the default setting.

force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the host to authenticate. The switch cannot provide authentication services to the host through the interface.

auto—Enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the host and begins relaying authentication messages between the host and the authentication server. Each host attempting to access the network is uniquely identified by the switch by using the host's MAC address.

If the host is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated host are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.

If the switch cannot reach the authentication server, it can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

When a host logs off, the server sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.

Table 31-1 defines the terms that are used in 802.1x.

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX
Chapter 31 Configuring 802.1x Authentication
78-15908-01
31-4
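The three port-control keywords and the state transitions described in this section, as an added example that is not part of the Cisco guide: a small Python model of one switch port's authorization state. The event names (link-up, eapol-start, server-accept, server-reject, server-timeout, link-down, eapol-logoff), the max_server_attempts parameter, the run_scenario helper and the sample MAC address are constructed for this illustration; they are not CatOS syntax or values taken from the guide.

```python
from enum import Enum


class PortControl(Enum):
    """Keywords of 'set port dot1x mod/port port-control' as described in the guide."""
    FORCE_AUTHORIZED = "force-authorized"      # default: no 802.1x exchange, port always authorized
    FORCE_UNAUTHORIZED = "force-unauthorized"  # never authorized, host attempts to authenticate ignored
    AUTO = "auto"                              # real 802.1x: starts unauthorized, passes only EAPOL


class Dot1xPort:
    """Model of one port's authorization state.

    The event names and the max_server_attempts parameter are constructed for this
    illustration (not CatOS syntax); they stand for the link, EAPOL and server events
    the guide describes.
    """

    def __init__(self, port_control=PortControl.FORCE_AUTHORIZED, max_server_attempts=3):
        self.port_control = port_control
        self.max_server_attempts = max_server_attempts
        self.server_attempts = 0
        # force-authorized ports come up authorized; the other two modes start unauthorized
        self.authorized = port_control is PortControl.FORCE_AUTHORIZED
        self.authenticated_hosts = set()  # the switch identifies hosts by MAC address

    def state(self):
        return "authorized" if self.authorized else "unauthorized"

    def forwards(self, frame_type):
        """An unauthorized port passes only EAPOL; an authorized port passes all traffic."""
        return self.authorized or frame_type == "eapol"

    def handle(self, event, mac=None):
        """Apply one event to the port and return a short outcome label."""
        if self.port_control is PortControl.FORCE_AUTHORIZED:
            return "ignored"  # 802.1x is disabled on this port; it stays authorized
        if self.port_control is PortControl.FORCE_UNAUTHORIZED:
            return "ignored"  # all attempts by the host to authenticate are ignored

        # auto mode
        if event in ("link-up", "eapol-start"):
            # the switch requests the host's identity and relays messages to the server
            self.server_attempts = 0
            return "request-identity"
        if event == "server-accept":
            self.authorized = True
            self.server_attempts = 0
            if mac is not None:
                self.authenticated_hosts.add(mac)
            return "authenticated"
        if event == "server-reject":
            self.authorized = False  # remains unauthorized; authentication can be retried
            self.server_attempts = 0
            return "rejected"
        if event == "server-timeout":
            # the switch retransmits until the configured number of attempts is exhausted
            self.server_attempts += 1
            if self.server_attempts < self.max_server_attempts:
                return "retransmit"
            self.server_attempts = 0
            return "failed"  # no server response: authentication fails, no access granted
        if event in ("link-down", "eapol-logoff"):
            self.authorized = False
            self.authenticated_hosts.clear()
            self.server_attempts = 0
            return "unauthorized"
        raise ValueError(f"unknown event {event!r}")


def run_scenario(port_control, events):
    """Drive a fresh port through (event, mac) tuples; return (event, outcome, state) per step."""
    port = Dot1xPort(port_control)
    trace = []
    for event, mac in events:
        outcome = port.handle(event, mac)
        trace.append((event, outcome, port.state()))
    return trace


if __name__ == "__main__":
    # Constructed walk-through: server unreachable, then a successful retry, then logoff.
    sample = [
        ("link-up", None), ("server-timeout", None), ("server-timeout", None),
        ("server-timeout", None), ("eapol-start", None),
        ("server-accept", "00:00:5e:00:53:01"),  # constructed MAC address
        ("eapol-logoff", None),
    ]
    for step in run_scenario(PortControl.AUTO, sample):
        print("%-14s -> %-16s port is %s" % step)
```

The model makes two points of the section concrete: a port left at the default force-authorized never performs an 802.1x exchange, so the keyword must be changed to auto before the port enforces anything, and in auto mode an unauthorized port forwards only EAPOL until the authentication server returns an Accept.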
