9-18
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic
entries in the secure host table are cleared, including the entry for the clien t . Norm al authentication
then takes place.
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
Port security and a voice VLAN can be configured sim ult aneou sly on an I EEE 802.1 x po rt th at is in
either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier
(VVID) and the port VLAN identifier (PVID).
For more information about enabling port security on your switch, see the “Configuring Port Security”
section on page 25-7.
Using IEEE 802.1x Authentication with Wake-on-LAN
The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered
when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature
in environments where administrators need to connect to systems t hat have been p owered d own.
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the
IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL
magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch
port is not opened.
When the switch uses IEEE 802.1x authentication with WoL, th e switch fo rwards t raff i c to unautho rized
IEEE 802.1x ports, including magic packets. While the port is unauthorize d, t he sw itc h con tin ues to
block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to
other devices in the network.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the dot1x control-direction in interface
configuration command, the port changes to the spanning-tr ee for wardi ng st ate . T he po rt c an se nd
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the dot1x control-direction both interface
configuration command, the port is access-controlled in both dir ecti ons. T he po rt doe s n ot r ece ive
packets from or send packets to the host.
Using IEEE 802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2 on
page 9-4) by using the MAC authentication bypass feature. For example, you can en ab le this feature on
IEEE 802.1x ports connected to devices such as printers.
If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch
tries to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the
MAC address as the client identity. The authentication server has a database of client MAC addresses
that are allowed network access. After detecting a client on an IEEE 80 2.1x p ort, th e swit ch w aits fo r an
Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request