40-9
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
In single-host mode, a security violation is triggered when more than one device is detected on the data
VLAN. In multidomain authentication mode, a security violation is triggered when more than one device
is detected on the data or voice VLAN.
A security violation cannot be triggered in multiple-host mode or multiauthentication mode.
When a security violation occurs, the port is protected according to the configured violation action:
Shutdown—Errdisables the port; this is the default behavior on a port.
Restrict—The port state is unaffected. However, the platform is notified to restrict the traffic from the
offending MAC address.
Replace—Replaces the existing host with the new host, instead of error-disabling or restricting the port.
For more information, see the “Configuring Violation Action” section on page 40-54.
Using MAC Move
Hosts should be able to move across ports within a switch on the same or different VLAN without
restriction, as if they had moved to a port on another switch.
Prior to Cisco IOS Release 12.2(54)SG, when a MAC address is authenticated on one switch port, that
address is not allowed on another 802.1X switch port. If the switch detects that same MAC address on
another 802.1X port, the address is not allowed.
Beginning with Cisco IOS Release 12.2(54)SG, you can move a MAC address to another port on the
same switch. This is not pertinent for directly connected hosts or for hosts behind Cisco phones, where a
port-down event or proxy EAPoL-Logoff/CDP TLV is received when the initial host disconnects. It is
pertinent for hosts that disconnect from behind a hub, third-party phone, or legacy Cisco phone, causing
the session to remain up. With MAC move you can disconnect the host from such a device and connect
it directly to another port on the same switch.
You can globally enable MAC move so that the device is reauthenticated on the new port. When a host
moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new
port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch,
for any host mode enabled on that port.)
For more information, see the “Configuring MAC Move” section on page 40-53.
Using MAC Replace
Beginning with Cisco IOS Release 12.2(54)SG, you can allow new hosts to connect to abandoned ports.
If the configured violation action is replace, the existing host is replaced by the new host, instead of
err-disabling or restricting the port (as happens for single-host and MDA modes).
This is not an issue for directly connected hosts or for hosts behind Cisco phones, where a port-down event
or proxy EAPoL-Logoff/CDP TLV is received when the initial host disconnects. It is an issue where a
host disconnects from behind a hub, third-party phone, or legacy Cisco phone, causing the session to
remain up. New hosts connecting to this port violate the host mode, triggering a violation. When the
violation action is replace, the NAD (switch) terminates the initial session and resets the authentication
sequence based on the new MAC. This applies to single-host and MDA host modes. In multiple-auth
mode, no attempt is made to remove an existing session on the same port.
For more information, see the “Configuring MAC Replace” section on page 40-53.
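The following Python model ties together the violation rules above, MAC move, and MAC replace so the interaction between host mode, violation action, and the global MAC move setting can be exercised on sample events. It is an added illustration, not Cisco code: the `Port` and `Switch` classes, the `violates()` check, and the simplified data/voice domain handling are assumptions that follow this section's text rather than the switch's implementation.

```python
from dataclasses import dataclass, field

DATA, VOICE = "data", "voice"

@dataclass
class Port:
    host_mode: str               # single-host | multi-domain | multi-host | multi-auth
    violation: str = "shutdown"  # shutdown (default) | restrict | replace
    sessions: dict = field(default_factory=dict)  # authenticated mac -> domain
    errdisabled: bool = False

def violates(port, domain):
    """Single-host: a second device on the data VLAN; MDA: a second device in the
    data or voice domain; multi-host and multi-auth: never (hypothetical model)."""
    if port.host_mode == "single-host":
        return domain == DATA and DATA in port.sessions.values()
    if port.host_mode == "multi-domain":
        return domain in port.sessions.values()
    return False

class Switch:
    def __init__(self, ports, mac_move=False):
        self.ports = ports        # port name -> Port
        self.mac_move = mac_move  # global MAC move enable (12.2(54)SG and later)

    def locate(self, mac):
        return next((n for n, p in self.ports.items() if mac in p.sessions), None)

    def host_appears(self, port_name, mac, domain=DATA):
        port = self.ports[port_name]
        if port.errdisabled:
            return "dropped"
        old = self.locate(mac)
        if old is not None and old != port_name:   # same MAC on another 802.1X port
            if not self.mac_move:
                return "not-allowed"                 # MAC move disabled: address rejected
            del self.ports[old].sessions[mac]        # MAC move: first port's session deleted
        if mac in port.sessions:
            return "already-authenticated"
        if violates(port, domain):
            if port.violation == "shutdown":
                port.errdisabled, port.sessions = True, {}
                return "errdisabled"
            if port.violation == "restrict":
                return "restricted"                  # port stays up; offending MAC restricted
            for m, d in list(port.sessions.items()):  # replace: end the existing session
                if d == domain:
                    del port.sessions[m]
        port.sessions[mac] = domain                  # (re)authenticated on this port
        return "authenticated"
```

Feeding it a host that is replaced on one port and then reappears on a second port shows the first port's session being removed, while the same host on a switch with MAC move disabled is simply not allowed.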