User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
802.1x on Cisco IOS Routers
Force authorized—Disables 802.1x authentication, which causes the interface to move to the authorized state without authenticating the client.
After a client is successfully authenticated, the interface state changes to authorized, which enables all
frames from the client to enter the network. If authentication fails, the interface remains in the
unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the
router can retransmit the request. If the authentication server does not respond after the defined number
of attempts, authentication fails and network access is denied to the client.
When a client logs off, it sends an EAPOL-Logoff message, which causes the interface to return to the
unauthorized state.
Related Topics
Understanding 802.1x Device Roles, page 61-2
Topologies Supported by 802.1x, page 61-3
Defining 802.1x Policies, page 61-4
802.1x on Cisco IOS Routers, page 61-1
Topologies Supported by 802.1x
802.1x port-based authentication supports two topologies:
Point-to-point
Wireless LAN
In a point-to-point configuration, only one client can be connected to the 802.1x-enabled interface. The
router detects the client when the interface state changes from down to up. If a client leaves the network
or is replaced by another client, the interface state changes from up to down, which returns the interface
to the unauthorized state.
Figure 61-1 802.1x Topology
In a wireless LAN configuration, the 802.1x interface is configured in multihost mode, which is
authorized as soon as one client is authenticated. After the interface is authorized, all other clients
indirectly attached to the interface are granted access to the network. If the port becomes unauthorized
(either because reauthentication fails or an EAPOL-Logoff message is received), the router denies access
to the network to all attached clients. In this topology, the wireless access point is a client to the router
and is responsible for authenticating the clients attached to it.
[Figure 61-1 shows the components of both topologies: Workstations (clients), Router, Authentication server (RADIUS)]
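The port-control modes and the two topologies described above, written out as an added Cisco IOS configuration example; it is not taken from this guide and is not configuration generated by Security Manager. Interface names and the RADIUS server address and key are constructed placeholders, and the exact 802.1x keywords (in particular the multihost command) are assumed to match the IOS release in use.

```ios
! Global 802.1x prerequisites. The RADIUS address and key are constructed
! placeholders, not values from the guide.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
!
! Weak setting: force-authorized disables 802.1x on this port. The interface
! moves to the authorized state and forwards every frame without the client
! ever being authenticated. Use only on ports where that is the intent.
interface FastEthernet0/0
 dot1x port-control force-authorized
!
! Point-to-point topology: one client per port. auto mode keeps the port
! unauthorized until the RADIUS server accepts the client; max-req bounds the
! retransmissions to the server before authentication is declared failed,
! and reauthentication periodically re-checks an authorized client.
interface FastEthernet0/1
 dot1x port-control auto
 dot1x max-req 2
 dot1x reauthentication
!
! Wireless LAN topology: the access point is the single 802.1x client of the
! router, and multihost mode (keyword assumed for this IOS release) opens the
! port for the workstations behind it once the access point is authenticated.
! A failed reauthentication or an EAPOL-Logoff closes it for all of them.
interface FastEthernet1/0
 dot1x port-control auto
 dot1x multiple-hosts
```

Verify the resulting state per port with `show dot1x interface <name>`; an interface that reports force-authorized is passing traffic without any client authentication.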