Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 40 Configuring 802.1X Authentication
Configuring 802.1X Authentication on the Switch
This example shows how to remove the port from the guest VLAN:
Console> (enable)
set port dot1x 3/1 guest-vlan none
Port 3/1 Guest Vlan is cleared
Console> (enable)
Configuring an 802.1X Unidirectional Controlled Port
802.1X allows you to use wake-on LAN technology (also referred to as remote wake-up) to perform unattended system backups or software upgrades on the hosts that are attached to the switch.
When you configure a unidirectional controlled port, the port allows outbound-only traffic prior to host
authentication. This behavior enables a management station to send the wake-on LAN frames to selected
hosts that trigger the host to power up and boot, authenticate, and then perform the unattended operation.
Note: The wake-on LAN technology requires specific hardware for the host that is outside the scope of this publication.
Prior to software release 8.3(1), the 802.1X bridge ports were configured by default to a bidirectional state where the control was exerted on protocol exchanges in both directions on the unauthorized ports. With the unidirectional controlled port feature, you can configure the 802.1X-capable ports to be in unidirectional (in keyword) or bidirectional (both keyword) states using the set port dot1x mod/port port-control-direction command.
Unidirectional State
When you configure a port as a unidirectional port (in keyword) and set the port to auto using the set port dot1x mod/port port-control auto command, the bridge port is moved into the spanning-tree forwarding state where all the traffic to the port is redirected to the supervisor engine for processing.
With the wake-on LAN functionality, when the connected host is in sleeping mode or a power-down state, the host does not exchange traffic with any other devices in the network. The hosts that are connected to the unidirectional port cannot send traffic out into the network; they can only receive traffic from the other devices in the network. If the unidirectional port sees any kind of incoming traffic, the port returns to the bidirectional (default) state and the spanning-tree state is moved to the blocking state, where both the incoming and outgoing traffic are dropped. The authenticator system on the port moves the port into the initialize state, and no traffic is allowed other than the EAPOL packet exchanges. When the port is returned to the bidirectional state, a 5-minute timer is started; if the port is not authenticated before the timer runs out, the port switches back to a unidirectional port.
Bidirectional State
When you configure a port as a bidirectional port (both keyword) and set the port to auto using the set port dot1x mod/port port-control auto command, the port is access controlled in both directions. This state disables the reception of any incoming packets and the transmission of outgoing packets on the port. When the port is configured as a bidirectional port, it behaves as it did in software releases prior to release 8.3(1); the port is in the spanning-tree blocking state and the normal authentication process is followed.
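The unidirectional and bidirectional port behaviour described in this section (outbound-only traffic toward a sleeping host, the return to the bidirectional state on any inbound frame, EAPOL-only processing while unauthorized, and the 5-minute timer) modelled as an added Python example. This is illustrative code written for this page, not CatOS code or Cisco's implementation. The in and both keywords, the port-control auto setting, the spanning-tree states and the 5-minute timer come from the guide; the Dot1xPort class, its method names, the frame-type labels and the small command parser are assumptions made for the model.

```python
import re
from dataclasses import dataclass

# Keywords from the guide's syntax: set port dot1x mod/port port-control-direction {in | both}.
UNIDIRECTIONAL = "in"          # outbound-only before authentication (wake-on LAN case)
BIDIRECTIONAL = "both"         # access control in both directions (pre-8.3(1) behaviour)
REVERT_TIMER_SECONDS = 5 * 60  # the 5-minute timer started when a port falls back to bidirectional
EAPOL = "eapol"                # frame label (assumption) for the exchanges the authenticator keeps running

# Constructed parser for the two command forms shown in the guide; not the switch's own parser.
_CMD = re.compile(
    r"^set port dot1x (?P<port>\d+/\d+) "
    r"(?P<key>port-control-direction|port-control) (?P<value>\S+)$"
)


@dataclass
class Dot1xPort:
    """Hypothetical model of one 802.1X-controlled port; field and method names are assumptions."""
    name: str
    configured_direction: str = BIDIRECTIONAL  # administrative setting
    port_control: str = ""                     # "auto" enables 802.1X control on the port
    direction: str = BIDIRECTIONAL             # current operating direction
    authorized: bool = False
    timer_remaining: float = 0.0               # seconds left on the revert timer; 0 = not running

    def configure(self, line: str) -> None:
        """Apply one CatOS-style 'set port dot1x' line to this port."""
        m = _CMD.match(line.strip())
        if m is None or m["port"] != self.name:
            raise ValueError(f"unsupported command or wrong port: {line!r}")
        if m["key"] == "port-control-direction":
            if m["value"] not in (UNIDIRECTIONAL, BIDIRECTIONAL):
                raise ValueError("port-control-direction takes 'in' or 'both'")
            self.configured_direction = self.direction = m["value"]
        else:
            self.port_control = m["value"]

    def _unidirectional_active(self) -> bool:
        return self.port_control == "auto" and self.direction == UNIDIRECTIONAL

    @property
    def stp_state(self) -> str:
        """Forwarding for an authorized port or an active unidirectional port; blocking otherwise."""
        if self.authorized or self._unidirectional_active():
            return "forwarding"
        return "blocking"

    def egress(self, frame_type: str) -> bool:
        """Switch -> host: a unidirectional port passes everything (wake-on LAN frames included);
        an unauthorized bidirectional port passes only EAPOL."""
        if self.authorized or frame_type == EAPOL:
            return True
        return self._unidirectional_active()

    def ingress(self, frame_type: str) -> bool:
        """Host -> switch: any inbound frame on an unauthorized unidirectional port returns the port
        to the bidirectional state (spanning-tree blocking) and starts the 5-minute timer; only EAPOL
        exchanges are processed until authentication succeeds."""
        if self.authorized:
            return True
        if self._unidirectional_active():
            self.direction = BIDIRECTIONAL
            self.timer_remaining = REVERT_TIMER_SECONDS
        return frame_type == EAPOL

    def authenticated(self) -> None:
        """Successful authentication authorizes the port and cancels the revert timer."""
        self.authorized = True
        self.timer_remaining = 0.0

    def tick(self, seconds: float) -> None:
        """Advance time; an expired timer on a still-unauthorized port restores the configured direction."""
        if self.timer_remaining <= 0.0:
            return
        self.timer_remaining = max(0.0, self.timer_remaining - seconds)
        if self.timer_remaining == 0.0 and not self.authorized:
            self.direction = self.configured_direction


def _wol_port() -> Dot1xPort:
    port = Dot1xPort("3/1")  # port 3/1 as in the guide's examples
    port.configure("set port dot1x 3/1 port-control-direction in")
    port.configure("set port dot1x 3/1 port-control auto")
    return port


def wake_on_lan_scenario() -> dict:
    """Sleeping host is reached, wakes, sends traffic, and never authenticates."""
    port = _wol_port()
    seen = {"initial_stp": port.stp_state, "wol_egress": port.egress("magic-packet")}
    seen["host_data_ingress"] = port.ingress("ipv4")        # first inbound frame flips the port
    seen["after_ingress"] = (port.direction, port.stp_state)
    seen["eapol_ingress"] = port.ingress(EAPOL)              # EAPOL is still processed
    port.tick(REVERT_TIMER_SECONDS)                          # timer expires without authentication
    seen["after_timeout"] = (port.direction, port.stp_state)
    return seen


def authenticated_scenario() -> dict:
    """Same start, but the host authenticates before the timer expires."""
    port = _wol_port()
    port.ingress("ipv4")
    port.tick(60)
    port.authenticated()
    return {"timer": port.timer_remaining, "stp": port.stp_state, "data_ingress": port.ingress("ipv4")}


if __name__ == "__main__":
    print(wake_on_lan_scenario())
    print(authenticated_scenario())
```

The model makes the exposure explicit for review purposes: before authentication, a unidirectional port only ever forwards frames toward the host, and the first frame the host originates closes the port to everything except EAPOL until the host authenticates or the timer returns the port to its unidirectional setting.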