Cisco Systems 3560-X, 3750-X IEEE 802.1x Authentication with Port Security, IEEE 802.1x Authentication with Wake-on-LAN

11-24

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

IEEE 802.1x Authentication with Port Security

You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.

(You also must configure port security on the port by using the switchport port-security interface

configuration command.) When you enable port security and IEEE 802.1x authentication on a port, IEEE

802.1x authentication authenticates the port, and port security manages network access for all MAC

addresses, including that of the client. You can then limit the number or group of clients that can access

the network through an IEEE 802.1x port.

These are some examples of the interaction between IEEE 802.1x authentication and port security on the

switch:

• When a client is authenticated, and the port security table is not full, the client MAC address is added

to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry

in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but the port security table is full. This can

happen if the maximum number of secure hosts has been statically configured or if the client ages

out of the secure host table. If the client address is aged, its place in the secure host table can be

taken by another host.

If the security violation is caused by the first authenticated host, the port becomes error-disabled and

immediately shuts down.

The port security violation modes determine the action for security violations. For more

information, see the “Security Violations” section on page 28-10.

• When you manually remove an IEEE 802.1x client address from the port security table by using the

no switchport port-security mac-address mac-address interface configuration command, you

should re-authenticate the IEEE 802.1x client by using the dot1x re-authenticate interface

interface-id privileged EXEC command.

• When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic

entries in the secure host table are cleared, including the entry for the client. Normal authentication

then takes place.

• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries

are removed from the secure host table.

• Port security and a voice VLAN can be configured simultaneously on an IEEE 802.1x port that is in

either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier

(VVID) and the port VLAN identifier (PVID).

You can configure the authentication violation or dot1x violation-mode interface configuration com-

mand so that a port shuts down, generates a syslog error, or discards packets from a new device when it

connects to an IEEE 802.1x-enabled port or when the maximum number of allowed devices have been

authenticated. For more information see the “Maximum Number of Allowed Devices Per Port” section

on page 11-38 and the command reference for this release.

For more information about enabling port security on your switch, see the “Configuring Port Security”

section on page 28-8.

IEEE 802.1x Authentication with Wake-on-LAN

The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered

when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature

in environments where administrators need to connect to systems that have been powered down.