Understanding How 802.1X Authentication With Port Security Works - Cisco WS-C6506 Software Manual
Understanding How 802.1X Authentication Works

Note: The guest VLANs are limited to the local switch and are not propagated through VTP.

• If a host does not respond to the username and password authentication requests from the Authenticator PAE, it is placed in a guest VLAN.

• Hosts that respond with an incorrect login/password fail authentication and are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer starts and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer expires, the host is presented with the login/password window. If the host fails authentication for the second time, the quiet-period timer starts again and no activity occurs for the duration of the quiet-period timer. The host is presented with the login/password window a third time. If the host fails the third time, the port is put in the connecting and unauthorized states. The workaround to this problem is to have the user unplug and then reconnect the network interface cable.

Understanding How 802.1X Authentication with Port Security Works

802.1X authentication is compatible with the port security feature (for more information, see Chapter 38, "Configuring Port Security"). If you enable port security for only one MAC address on a specific port, only that MAC address authenticates through a RADIUS server. The users that are connected through all other MAC addresses are denied access. If you enable port security for multiple MAC addresses, each address needs to authenticate through the 802.1X RADIUS server.

Note: When 802.1X authentication and port security are enabled on any 802.1X port, the 802.1X authentication takes precedence over the port security on the port. The host is authenticated first and is then secured by port security.

You can enable port security for any 802.1X mode (single-authentication mode, multiple-host mode, or multiple-authentication mode). Only one mode can be enabled on a port at a time. The default port mode is single-authentication mode.

You can disable port security for single-authentication mode and multiple-host mode. You cannot disable port security for multiple-authentication mode.

When 802.1X authentication is enabled on a port that is also enabled for MAC address-based port security, 802.1X authentication does not occur on the port unless the maximum allowable number of MAC addresses has been configured. If you configure fewer addresses than the maximum allowable number of MAC addresses on a port that is also configured for 802.1X single-authentication mode, the system generates a message asking if you want the configured MAC addresses to be removed. If you answer "yes" to this message, the MAC addresses that you configured for MAC address-based port security are removed and the port is authenticated using 802.1X authentication. If 802.1X authentication is enabled for any other mode, no message is created and the MAC addresses are retained.

In the multiple-authentication mode, all connected hosts are authenticated using 802.1X and secured using port security. 802.1X authenticates the MAC address and then gives the MAC address to port security to secure it. When a MAC address sends an EAPOL logoff packet, the MAC address is cleared from the port security tables.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, Chapter 40, "Configuring 802.1X Authentication," page 40-10 (OL-8978-04)
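The failure handling in the bulleted list (no response goes to the guest VLAN, a bad password starts the quiet period, a third failure leaves the port connecting/unauthorized until the cable is reseated) and the port-security interaction in the section above (802.1X first, then port security; per-MAC authentication up to the configured maximum; EAPOL-Logoff clears the MAC) are modelled together below. This is an added example, not code from the Cisco guide or from CatOS: the Dot1xPort class, its method names, the 60-second quiet period and the MAC addresses are constructed for illustration. The failure counter and quiet timer are kept per port, as the text describes them, and a link flap is assumed to end every session on the port.

```python
"""Model of one switch port under the 802.1X + port-security rules on this page.

Hypothetical illustration, not CatOS code: the class, method names, the
quiet-period value and the MAC addresses are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_AUTH_FAILURES = 3   # the third bad login leaves the port connecting/unauthorized


@dataclass
class Dot1xPort:
    max_secure: int = 1              # port security "maximum" MAC count
    quiet_period: int = 60           # seconds of no activity after a failed login (assumed value)
    guest_vlan: Optional[str] = "GUEST"
    secured: set = field(default_factory=set)   # MACs that 802.1X handed to port security
    failures: int = 0                # consecutive failed logins on this port
    quiet_until: int = 0             # time at which the current quiet period ends
    stuck: bool = False              # connecting/unauthorized after the third failure

    def login_attempt(self, mac: str, credentials_ok: bool, now: int) -> str:
        """Host answers the Authenticator PAE; RADIUS accepts or rejects the login."""
        if self.stuck:
            return "unauthorized"            # only a link flap recovers the port
        if now < self.quiet_until:
            return "quiet"                   # nothing happens until the timer expires
        if not credentials_ok:
            self.failures += 1               # a bad password never leads to the guest VLAN
            if self.failures >= MAX_AUTH_FAILURES:
                self.stuck = True
                return "unauthorized"
            self.quiet_until = now + self.quiet_period
            return "quiet"
        self.failures = 0
        return self._secure(mac)             # 802.1X first, then port security

    def _secure(self, mac: str) -> str:
        """Port security takes over the MAC that 802.1X just authenticated."""
        if mac in self.secured:
            return "authorized"
        if len(self.secured) >= self.max_secure:
            return "denied"                  # more hosts than port security allows
        self.secured.add(mac)
        return "authorized"

    def no_response(self, mac: str) -> str:
        """Host never answers the identity requests (no supplicant running)."""
        return f"vlan {self.guest_vlan}" if self.guest_vlan else "unauthorized"

    def eapol_logoff(self, mac: str) -> str:
        """EAPOL-Logoff clears the MAC from the port security table."""
        self.secured.discard(mac)
        return "cleared"

    def link_flap(self) -> None:
        """Unplug/replug: assumed to end all sessions on the port and reset the counters."""
        self.secured.clear()
        self.failures = 0
        self.quiet_until = 0
        self.stuck = False


def trace() -> list:
    """Walk both behaviours with constructed MACs; returns the observed outcomes."""
    out = []
    p = Dot1xPort(max_secure=2)
    out.append(p.login_attempt("00:11:22:33:44:01", True, now=0))    # authorized
    out.append(p.login_attempt("00:11:22:33:44:02", True, now=1))    # authorized
    out.append(p.login_attempt("00:11:22:33:44:03", True, now=2))    # denied (maximum is 2)
    out.append(p.eapol_logoff("00:11:22:33:44:02"))                  # cleared
    out.append(p.login_attempt("00:11:22:33:44:03", True, now=3))    # authorized (slot freed)
    q = Dot1xPort()
    out.append(q.no_response("00:11:22:33:44:10"))                   # vlan GUEST
    out.append(q.login_attempt("00:11:22:33:44:11", False, now=0))   # quiet (first failure)
    out.append(q.login_attempt("00:11:22:33:44:11", True, now=30))   # quiet (timer still running)
    out.append(q.login_attempt("00:11:22:33:44:11", False, now=60))  # quiet (second failure)
    out.append(q.login_attempt("00:11:22:33:44:11", False, now=120)) # unauthorized (third failure)
    out.append(q.login_attempt("00:11:22:33:44:11", True, now=999))  # unauthorized (stuck)
    q.link_flap()
    out.append(q.login_attempt("00:11:22:33:44:11", True, now=1000)) # authorized
    return out


if __name__ == "__main__":
    for step in trace():
        print(step)
```

The point worth checking against a real deployment is the order of the two checks in login_attempt: a RADIUS Access-Accept is not enough, the MAC must still fit under the port-security maximum, and a host that keeps guessing passwords ends up locked out of the port rather than in the guest VLAN.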