8-7
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter8 Configuring IEEE 802 . 1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
Figure8-3 Multiple Host Mode Example
Using IEEE 802.1x with Port Security
You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.
(You also must configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x
authenticates the port, and port security manages network access for all MAC addresses, including that
of the client. You can then limit the number or group of clients that can access the network through an
IEEE 802.1x port.
These are some examples of the interaction between IEEE 802.1x and port security on the switch:
When a client is authenticated, and the port security table is not full, the client MAC address is added
to the port security list of secure hosts. The port then proceeds to come up normally.
When a client is authenticated and manually configured for port security, it is guaranteed an entry
in the secure host table (unless port security static aging has been enabled).
A security violation occurs if the client is authenticated, but the port security table is full. This can
happen if the maximum number of secure hosts has been statically configured or if the client ages
out of the secure host table. If the client address is aged, its place in the secure host table can be
taken by another host.
If the security violation is caused by the first authent icated host, the port be comes erro r-dis abled and
immediately shuts down.
The port security violation modes determine the action for secu rit y viola tion s. For mo re
information, see the “Security Violations” section on page 21 -9.
When you manually remove an IEEE 802.1x client address from the port securi ty table by using the
no switchport port-security mac-address mac-address interface configuration command, you
should re-authenticate the IEEE 802.1x client by using the dot1x re-authenticate interface
interface-id privileged EXEC command.
When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic
entries in the secure host table are cleared, including the entry for the clien t. No rm al a ut he nti cati on
then takes place.
If the port is administratively shut down, the port becomes unau then tic ate d, and all dynamic entries
are removed from the secure host table.
For more information about enabling port security on your switch, see the “Configuring Port Security”
section on page 21-8.
101227
Wireless clients
Access point
Authentication
server
(RADIUS)