12-21
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
A security violation occurs if the client is authenticated, but the port security table is full. This can
happen if the maximum number of secure hosts has been statically configured or if the client ages
out of the secure host table. If the client address is aged, its place in the secure host table can be
taken by another host.
If the security violation is caused by the first authenticated host, the port becomes error-disabled and
immediately shuts down.
The port security violation modes determine the action for security violations. For more
information, see the
“Security Violations” section on page 26-10
.
•
When you manually remove an 802.1x client address from the port security table by using the
no
switchport port-security mac-address
mac-address
interface configuration command, you should
re-authenticate the 802.1x client by using the
dot1x re-authenticate interface
interface-id
privileged EXEC command.
•
When an 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries
in the secure host table are cleared, including the entry for the client. Normal authentication then
takes place.
•
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
•
Port security and a voice VLAN can be configured simultaneously on an 802.1x port that is in either
single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID)
and the port VLAN identifier (PVID).
•
You can configure the
authentication violation
or
dot1x violation-mode
interface configuration
command so that a port shuts down, generates a syslog error, or discards packets from a new device
when it connects to an 802.1x-enabled port or when the maximum number of allowed devices have
been authenticated. For more information see the
“Maximum Number of Allowed Devices Per Port”
section on page 12-30
and the command reference for this release.
For more information about enabling port security on your switch, see the
“Configuring Port Security”
section on page 26-8
.
802.1x Authentication with Wake-on-LAN
The 802.1x authentication with the wake-on-LAN (WoL) feature allows dormant PCs to be powered
when the switch receives a specific Ethernet frame, known as the
magic packet
. You can use this feature
in environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the 802.1x port
becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to
unauthorized 802.1x ports, including magic packets. While the port is unauthorized, the switch
continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot
send packets to other devices in the network.
Note
If PortFast is not enabled on the port, the port is forced to the bidirectional state.
Содержание IE 3000
Страница 36: ...xxxiv Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Preface ...
Страница 784: ...39 20 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Chapter 39 Troubleshooting Troubleshooting Tables ...
Страница 874: ...Index IN 42 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 ...