12-8
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Per-User ACLs and Filter-Ids
In releases earlier than Cisco IOS Release 12.2(50)SE, an ACL configured on the switch is not
compatible with an ACL configured on another device running Cisco IOS software, such as a
Catalyst 6000 switch.
In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other
devices running Cisco IOS release.
You can only set
any
as the source in the ACL.
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods,
such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager
commands determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode,
violation mode, and the authentication timer. Generic authentication commands include the
authentication host-mode
,
authentication violation
, and
authentication timer
interface
configuration commands.
802.1x-specific commands begin with the
dot1x
keyword.
For example, the
authentication
port-control auto
interface configuration command enables authentication on an interface. However,
the
dot1x system-authentication control g
lobal configuration command only globally enables or
disables 802.1x authentication.
Note
If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port,
such as web authentication.
The
authentication manager
commands provide the same functionality as earlier 802.1x commands.
Table 12-2
Authentication Manager Commands and Earlier 802.1x Commands
The authentication manager
commands in Cisco IOS
Release 12.2(50)SE or later
The equivalent 802.1x commands in
Cisco IOS Release 12.2(46)SE and
earlier
Description
authentication control-direction
{both
|
in
}
dot1x control-direction
{
both
|
in
}
Enable 802.1x authentication with the
wake-on-LAN (WoL) feature, and configure the
port control as unidirectional or bidirectional.
authentication event
dot1x auth-fail vlan
dot1x critical (interface
configuration)
dot1x guest-vlan6
Enable the restricted VLAN on a port.
Enable the inaccessible-authentication-bypass
feature.
Specify an active VLAN as an 802.1x guest
VLAN.
authentication fallback
fallback-profile
dot1x fallback
fallback-profile
Configure a port to use web authentication as a
fallback method for clients that do not support
802.1x authentication.
authentication host-mode
[
multi-auth
|
multi-domain
|
multi-host
|
single-host
]
dot1x host-mode
{
single-host |
multi-host | multi-domain
}
Allow a single host (client) or multiple hosts on
an 802.1x-authorized port.