13-24
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the sw itch recognizes only the one directly
connected to it. When 802.1x authentication is enabled on a voice VLAN port, the sw itch drops packets
from unrecognized IP phones more than one hop away.
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equa l to a
voice VLAN.
Note If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which
a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter 19, “Configuring Voice VLAN.
802.1x Authentication with Port Security
In general, Cisco does not recommend enabling port security w hen IEEE 802.1x is enabled. Since IEEE
802.1x enforces a single MAC address per port (or per VLAN when MDA is configure d for IP
telephony), port security is redundant and in some cases may interfere with expected IEEE 802.1x
operations.
802.1x Authentication with Wake-on-LAN
The 802.1x authentication with the wake-on-LAN (WoL) feature allows dormant PCs to be powered
when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature
in environments where administrators need to connect to systems t hat have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the 802.1x po rt
becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to
unauthorized 802.1x ports, including magic packets. While the port is unauthorized, the switch
continues to block ingress traffic other than EAPOL packets. The host can r eceive packets but cannot
send packets to other devices in the network.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the authenti cation control-direction in interface
configuration command, the port changes to the spanning-tr ee forwarding state. The port can send
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both
interface configuration command, the port is access-controlled in bot h directions. The port does not
receive packets from or send packets to the host.