Cisco Systems 3560 802.1x Host Mode

10-10

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

• auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing

only EAPOL frames to be sent and received through the port. The authentication process begins

when the link state of the port changes from down to up or when an EAPOL-start frame is received.

The switch requests the identity of the client and begins relaying authentication messages between

the client and the authentication server. Each client attempting to access the network is uniquely

identified by the switch by using the client MAC address.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the

port state changes to authorized, and all frames from the authenticated client are allowed through the

port. If the authentication fails, the port remains in the unauthorized state, but authentication can be

retried. If the authentication server cannot be reached, the switch can resend the request. If no response

is received from the server after the specified number of attempts, authentication fails, and network

access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the

unauthorized state.

If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port

returns to the unauthorized state.

802.1x Host Mode

You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see

Figure 10-1 on page 10-2), only one client can be connected to the 802.1x-enabled switch port. The

switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If

a client leaves or is replaced with another client, the switch changes the port link state to down, and the

port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. Figure 10-5 on

page 10-10 shows 802.1x port-based authentication in a wireless LAN. In this mode, only one of the

attached clients must be authorized for all clients to be granted network access. If the port becomes

unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies

network access to all of the attached clients. In this topology, the wireless access point is responsible for

authenticating the clients attached to it, and it also acts as a client to the switch.

With the multiple-hosts mode enabled, you can use 802.1x authentication to authenticate the port and

port security to manage network access for all MAC addresses, including that of the client.

Figure 10-5 Multiple Host Mode Example

101227

Wireless clients

Access point

Authentication

server

(RADIUS)