Cisco Systems 3560 MAC Authentication Bypass, Maximum Number of Allowed Devices Per Port

10-33

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

–

If the client is running Windows XP and the port to which the client is connected is in the

critical-authentication state, Windows XP might report that the interface is not authenticated.

–

If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,

receiving an EAP-Success message on a critical port might not re-initiate the DHCP

configuration process.

–

You can configure the inaccessible authentication bypass feature and the restricted VLAN on

an 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all

the RADIUS servers are unavailable, switch changes the port state to the critical authentication

state and remains in the restricted VLAN.

–

You can configure the inaccessible bypass feature and port security on the same switch port.

• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted

VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk

ports; it is supported only on access ports.

MAC Authentication Bypass

These are the MAC authentication bypass configuration guidelines:

• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x

authentication guidelines. For more information, see the “802.1x Authentication” section on

page 10-31.

• If you disable MAC authentication bypass from a port after the port has been authorized with its

MAC address, the port state is not affected.

• If the port is in the unauthorized state and the client MAC address is not the authentication-server

database, the port remains in the unauthorized state. However, if the client MAC address is added to

the database, the switch can use MAC authentication bypass to re-authorize the port.

• If the port is in the authorized state, the port remains in this state until re-authorization occurs.

• You can configure a timeout period for hosts that are connected by MAC authentication bypass but

are inactive. The range is 1to 65535 seconds. You must enable port security before configuring a

time out value. For more information, see the “Configuring Port Security” section on page 24-8.

Maximum Number of Allowed Devices Per Port

This is the maximum number of devices allowed on an 802.1x-enabled port:

• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with

a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice

VLAN.

• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one

IP phone is allowed for the voice VLAN.

• In multiple-host mode, only one 802.1x supplicant is allowed on the port, but an unlimited number

of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed

on the voice VLAN.