Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Note You can only set any as the source in the ACL.
Note For any ACL configured for multiple-host mode, the source portion of statement must be any. (For
example, permit icmp any host 10.10.1.1.)
You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and
authorization fails. Single host is the only exception to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied
for one host does not affect the traffic of another host.
If only one host is authenticated on a multihost port, and the other hosts gain network access without
authentication, the ACL policy for the first host can be applied to the other connected hosts by specifying
any in the source address.
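A pre-deployment check for the rule above, as an added example that is not part of the Cisco guide: it flags entries in a per-host ACL whose source is not any, which the text says prevents the ACL from being applied and makes authorization fail. The sample entries are constructed, and accepting a RADIUS-style `ip:inacl#N=` prefix or a leading sequence number is an assumption about how the ACL text is stored.

```python
import re

# Assumption: an entry may carry a RADIUS Cisco-AVPair prefix ("ip:inacl#10=")
# or a leading sequence number; both are stripped before parsing.
_PREFIX = re.compile(r"^(?:ip:inacl#\d+=|\d+\s+)", re.IGNORECASE)


def source_of(ace):
    """Return the source portion of one extended ACL entry as text."""
    tokens = _PREFIX.sub("", ace.strip()).split()
    if len(tokens) < 4 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {ace!r}")
    # tokens[1] is the protocol, so the source starts at tokens[2].
    if tokens[2].lower() == "any":
        return "any"
    # "host A.B.C.D" and "A.B.C.D wildcard" both take two tokens.
    return " ".join(tokens[2:4])


def lint_acl(lines):
    """Return (line_no, entry, source) for every entry whose source is not any."""
    findings = []
    for number, line in enumerate(lines, 1):
        text = line.strip()
        if not text or text.startswith(("!", "remark")):
            continue  # blank lines and comments carry no source field
        source = source_of(text)
        if source != "any":
            findings.append((number, text, source))
    return findings


# Constructed sample; only the first entry appears in the guide text.
SAMPLE_ACL = [
    "permit icmp any host 10.10.1.1",
    "ip:inacl#20=permit tcp any host 10.10.1.20 eq 443",
    "permit ip host 10.10.2.5 any",
    "30 deny udp 10.10.3.0 0.0.0.255 any eq 53",
    "! end of constructed sample",
]

if __name__ == "__main__":
    for number, entry, source in lint_acl(SAMPLE_ACL):
        print(f"line {number}: source is '{source}', must be any: {entry}")
```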
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods,
such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager
commands determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode,
violation mode, and the authentication timer. Generic authentication commands include the
authentication host-mode, authentication violation, and authentication timer interface
configuration commands.
802.1x-specific commands begin with the dot1x or authentication keyword. For example, the
authentication port-control auto interface configuration command enables authentication on an
interface. However, the dot1x system-authentication control global configuration command only
globally enables or disables 802.1x authentication.
Note If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port,
such as web authentication.
You can filter out verbose system messages generated by the authentication manager. The filtered
content typically relates to authentication success. You can also filter verbose messages for 802.1x
authentication and MAB authentication. There is a separate command for each authentication method:
The no authentication logging verbose global configuration command filters verbose messages
from the authentication manager.
The no dot1x logging verbose global configuration command filters 802.1x authentication verbose
messages.
The no mab logging verbose global configuration command filters MAC authentication bypass
(MAB) verbose messages.
For more information, see the command reference for this release.