8-4
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 8 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication

Ports in Authorized and Unauthorized States

The switch port state determines whether or not the client is granted access to the network. The port
starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except
for 802.1X protocol packets. When a client is successfully authenticated, the port transitions to the
authorized state, allowing all traffic for the client to flow normally.
If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests
the client's identity. In this situation, the client does not respond to the request, the port remains in the
unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol,
the client initiates the authentication process by sending the EAPOL-start frame. When no response is
received, the client sends the request for a fixed number of times. Because no response is received, the
client begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the dot1x port-control interface configuration
command and these keywords:
• force-authorized: disables 802.1X authentication and causes the port to transition to the
authorized state without any authentication exchange required. The port sends and receives normal
traffic without 802.1X-based authentication of the client. This is the default setting.
• force-unauthorized: causes the port to remain in the unauthorized state, ignoring all attempts by
the client to authenticate. The switch cannot provide authentication services to the client through the
interface.
• auto: enables 802.1X authentication and causes the port to begin in the unauthorized state,
allowing only EAPOL frames to be sent and received through the port. The authentication process
begins when the link state of the port transitions from down to up or when an EAPOL-start frame is
received. The switch requests the identity of the client and begins relaying authentication messages
between the client and the authentication server. Each client attempting to access the network is
uniquely identified by the switch by using the client's MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated client are allowed through the
port. If the authentication fails, the port remains in the unauthorized state, but authentication can be
retried. If the authentication server cannot be reached, the switch can resend the request. If no response
is received from the server after the specified number of attempts, authentication fails, and network
access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the
unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
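The port states and transitions described above, written out as an added Python model for illustration (this is not Cisco code from the guide). The event names, the class name, and the retry limit of three server attempts are assumptions; the guide only says "the specified number of attempts".

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
MODES = ("force-authorized", "force-unauthorized", "auto")


@dataclass
class Dot1xPort:
    """One switch port under a given dot1x port-control setting (hypothetical model)."""
    port_control: str = "force-authorized"  # the default setting named in the guide
    max_server_attempts: int = 3  # assumed placeholder for "the specified number of attempts"
    state: str = field(init=False)
    server_attempts: int = field(init=False, default=0)
    auth_failed: bool = field(init=False, default=False)

    def __post_init__(self):
        if self.port_control not in MODES:
            raise ValueError(f"unknown port-control mode {self.port_control!r}")
        # force-authorized skips the exchange entirely; the other two modes start unauthorized
        self.state = AUTHORIZED if self.port_control == "force-authorized" else UNAUTHORIZED

    def forwards(self, frame: str) -> bool:
        """An unauthorized port passes only 802.1X (EAPOL) frames; an authorized one passes all."""
        return self.state == AUTHORIZED or frame == "eapol"

    def event(self, name: str) -> str:
        """Apply one link, client, or server event and return the resulting port state."""
        if self.port_control != "auto":
            return self.state  # both forced modes ignore client and server events
        if name in ("link-up", "eapol-start"):
            # a new identity request starts a fresh exchange
            self.server_attempts, self.auth_failed = 0, False
        elif name == "server-accept":
            self.state, self.auth_failed = AUTHORIZED, False
        elif name == "server-reject":
            self.state, self.auth_failed = UNAUTHORIZED, True  # can be retried with eapol-start
        elif name == "server-no-response":
            self.server_attempts += 1  # the switch resends the request
            if self.server_attempts >= self.max_server_attempts:
                self.auth_failed = True  # gave up: authentication fails, no access granted
        elif name in ("eapol-logoff", "link-down"):
            self.state = UNAUTHORIZED
        else:
            raise ValueError(f"unknown event {name!r}")
        return self.state
```

Note that with the default force-authorized setting the port is authorized from the start and no event can change that, which is why a port meant to authenticate clients must be set to auto explicitly.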