Understanding Mac Authentication Bypass Events; Mac Authentication Bypass Configuration Guidelines And Restrictions - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7

Understanding MAC Authentication Bypass Events

This section describes the following MAC authentication bypass events:

- AuthenticateMac—This event is posted by the redirected packet processing component when it sees a MAC address on the port. This event is posted to the MAC authentication bypass state machine when it is in the waiting state.
- Initialize—This event is triggered by the CLI and can be received in any state. Upon reception of this event, the port is moved to the waiting state and any required cleanup is performed (such as unauthorizing the port, cleaning up any static/trap CAM entries, and so on).
- Reauthenticate—This event is received either because a session timeout expired or because of a CLI trigger (executive command entered from the CLI). This event is accepted only when the port is in the authenticated state; otherwise, it is ignored. If this event is CLI driven, you are informed that the CLI command can be accepted only if the port is in the authenticated state.
- Authentication success—This event is posted when there is an authentication success from the RADIUS server. This event, which is accepted only when the port is in the authenticating state, transitions the port to the authenticated state.
- Authentication failure—This event is posted when there is an authentication failure received from the RADIUS server. This event, which is accepted only when the port is in the authenticating state, transitions the port to the AuthFail state.
- RADIUS timeout—This event is received when the RADIUS server is not responding. This event, which is accepted only when the port is in the authenticating state, transitions the port to the waiting state after the maximum number of retries expires and the RADIUS server does not respond.
- AuthFail timeout—This event is received when the port is in the AuthFail state because of a RADIUS server authentication failure and there are no other potential features configured to bring the port up. This event transitions the port to the waiting state, and the port starts the authentication process again.
- Security violation—This event can be received in any state other than the waiting state. This event is posted if a second MAC address is seen on a port. The action taken for a security violation depends on the global violation mode configured and can either restrict a MAC address or shut down the port.

MAC Authentication Bypass Configuration Guidelines and Restrictions

This section provides the guidelines and restrictions for configuring MAC authentication bypass:

- Security violations—With MAC authentication bypass, only one host is supported per port. If more than one host appears on a port, it is a security violation and the port shuts down. With auxiliary VLAN ports, the one host per-port restriction only applies to hosts on the data VLAN; there is no restriction on the number of hosts on the auxiliary (voice) VLAN.
- Policy enforcement—MAC authentication bypass supports all policy enforcement mechanisms that are supported with 802.1X.
- DHCP snooping—MAC authentication bypass is independent of DHCP snooping. Until a MAC address successfully authenticates, no traffic is allowed from the MAC address (because of the trap entry), and the traffic that triggers the MAC authentication could be any type of traffic, including DHCP.
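
The events listed under "Understanding MAC Authentication Bypass Events" and the security violation handling above form a small state machine. The Python model below is an added illustration, not Cisco code and not part of the original guide; it replays an event sequence and reports which events the port would ignore. The `shutdown` state name, the target states of AuthenticateMac and Reauthenticate, and the sample MAC addresses are assumptions.

```python
# Added model of the MAB port state machine described in the text; not Cisco code.
# SHUTDOWN is a hypothetical name for a port shut down by a security violation.
WAITING, AUTHENTICATING, AUTHENTICATED, AUTHFAIL, SHUTDOWN = (
    "waiting", "authenticating", "authenticated", "AuthFail", "shutdown")

# event -> {state in which the event is accepted: resulting state}
TRANSITIONS = {
    "AuthenticateMac": {WAITING: AUTHENTICATING},       # target state is an assumption
    "Reauthenticate": {AUTHENTICATED: AUTHENTICATING},  # target state is an assumption
    "Authentication success": {AUTHENTICATING: AUTHENTICATED},
    "Authentication failure": {AUTHENTICATING: AUTHFAIL},
    "RADIUS timeout": {AUTHENTICATING: WAITING},        # after retries are exhausted
    "AuthFail timeout": {AUTHFAIL: WAITING},
}

class MabPort:
    def __init__(self, violation_mode="shutdown"):
        self.state = WAITING
        self.violation_mode = violation_mode  # "restrict" or "shutdown"
        self.restricted = []                  # MACs restricted after a violation

    def post(self, event, mac=None):
        """Apply one event; return True if accepted, False if ignored."""
        if event == "Initialize":             # accepted in any state
            self.state = WAITING
            return True
        if event == "Security violation":     # accepted in any state except waiting
            if self.state == WAITING:
                return False
            if self.violation_mode == "shutdown":
                self.state = SHUTDOWN
            else:
                self.restricted.append(mac)
            return True
        next_state = TRANSITIONS.get(event, {}).get(self.state)
        if next_state is None:                # event not valid in the current state
            return False
        self.state = next_state
        return True

def replay(events, violation_mode="shutdown"):
    """Replay (event, mac) pairs; return (port, [(index, event), ...] ignored)."""
    port = MabPort(violation_mode)
    ignored = [(i, e) for i, (e, mac) in enumerate(events) if not port.post(e, mac)]
    return port, ignored

# Constructed sample sequence; the MAC addresses are made up.
SAMPLE = [("AuthenticateMac", "00-00-5e-00-53-01"), ("Reauthenticate", None),
          ("Authentication success", None), ("Security violation", "00-00-5e-00-53-02")]
```

Replaying `SAMPLE` in restrict mode leaves the port authenticated with the second MAC restricted, while shutdown mode ends in the `shutdown` state; in both cases the early Reauthenticate is reported as ignored.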
Chapter 41: Configuring MAC Authentication Bypass (OL-8978-04)


This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513
