Supported Standards, MIBs and RFCs - Nokia ESB26 User Manual

Gigabit ethernet switch
successfully authenticated, the port transitions to the authorized state, allowing all traffic for
the supplicant to flow normally.
If a supplicant that does not support 802.1X is connected to an unauthorized 802.1X port, the
switch requests the supplicant's identity. In this situation, the supplicant does not respond to
the request, the port remains in the unauthorized state, and the supplicant is not granted access
to the network.
In contrast, when an 802.1X-enabled supplicant connects to a port that is not running the
802.1X protocol, the supplicant initiates the authentication process by sending the
EAPOL-start frame. When no response is received, the supplicant resends the request a fixed
number of times. Because no response is received, the supplicant begins sending frames as if
the port is in the authorized state.
The port authorization state is controlled by specifying one of the following control types in
the dot1x port-control command:
force-authorized - disables 802.1X authentication and causes the port to transition to
the authorized state without requiring any authentication exchange. The port transmits
and receives normal traffic without 802.1X-based supplicant authentication. This is
the default setting.
force-unauthorized - causes the port to remain in the unauthorized state, ignoring all
attempts by the supplicant to authenticate. The switch cannot provide authentication
services to the supplicant through the interface.
auto - enables 802.1X authentication and causes the port to begin in the unauthorized
state, allowing only EAPOL frames to be sent and received through the port. The
authentication process begins when the link state of the port transitions from down to
up or when an EAPOL-start frame is received. The switch requests the identity of the
supplicant and begins relaying authentication messages between the supplicant and
the authentication server. The switch uniquely identifies each supplicant attempting to
access the network by the supplicant's MAC address.
If the supplicant is successfully authenticated (receives an Accept frame from the
authentication server), the port state changes to authorized, and all frames from the
authenticated supplicant are allowed through the port. If the authentication fails, the port
remains in the unauthorized state, but authentication can be retried. If the authentication
server cannot be reached, the switch can retransmit the request. If no response is received
from the server after the specified number of attempts, authentication fails, and network
access is not granted.
When a supplicant logs off, it sends an EAPOL-logoff message, causing the switch port to
transition to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is
received, the port returns to the unauthorized state.
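The port-control behaviour described above can be traced with a small state model. This is an added example, not code from the manual or from the switch; the event names, the class and function names, the retry limit of 2 and the sample MAC address are assumptions made for illustration.

```python
AUTHORIZED, UNAUTHORIZED = "authorized", "unauthorized"

class Dot1xPort:
    """Authorization state of one port, following the manual text above."""

    def __init__(self, control="force-authorized", max_server_attempts=2):
        # force-authorized is the manual's stated default; the attempt limit
        # of 2 is an assumed value, not taken from the manual.
        self.control = control
        self.max_server_attempts = max_server_attempts
        self.attempts = 0
        self.pending = False      # an authentication exchange is in progress
        self.supplicant = None    # MAC address identifying the supplicant
        self.state = AUTHORIZED if control == "force-authorized" else UNAUTHORIZED

    def handle(self, event, mac=None):
        """Apply one event and return the resulting port state."""
        if self.control != "auto":
            return self.state     # forced modes ignore authentication events
        if event == "link-up":
            self.state, self.pending, self.attempts = UNAUTHORIZED, True, 0
        elif event == "eapol-start":
            self.supplicant, self.pending, self.attempts = mac, True, 0
        elif event == "server-accept" and self.pending and self.supplicant:
            self.state, self.pending = AUTHORIZED, False
        elif event == "server-reject":
            self.state, self.pending = UNAUTHORIZED, False  # retry is allowed
        elif event == "server-timeout" and self.pending:
            self.attempts += 1    # the switch retransmits until the limit
            if self.attempts >= self.max_server_attempts:
                self.pending = False                        # authentication fails
        elif event in ("link-down", "eapol-logoff"):
            self.state, self.pending, self.supplicant = UNAUTHORIZED, False, None
        return self.state

    def forwards(self, is_eapol):
        """True if a frame would pass: all traffic once authorized, EAPOL only
        while an auto port is unauthorized (nothing on force-unauthorized, an
        assumption drawn from 'ignoring all attempts')."""
        return self.state == AUTHORIZED or (is_eapol and self.control == "auto")

def replay(control, events):
    """Run (event, mac) pairs through a fresh port; return the state after each."""
    port = Dot1xPort(control)
    return [port.handle(event, mac) for event, mac in events]

# Constructed event trace; the MAC address is a made-up sample value.
TRACE = [("link-up", None), ("eapol-start", "00:11:22:33:44:55"),
         ("server-accept", None), ("eapol-logoff", None)]

if __name__ == "__main__":
    for mode in ("force-authorized", "force-unauthorized", "auto"):
        print(mode, replay(mode, TRACE))
```

Replaying the same trace under each control type shows that only auto ties access to the authentication result, while a port left at the default stays authorized throughout.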

Supported Standards, MIBs and RFCs

Standards
IEEE 802.1X, Standard for Local and metropolitan area networks - Port-Based Network
Access Control
MN700004 Rev 01
802.1X Port-Based Authentication