8-8
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 8 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
When you manually remove an IEEE 802.1x client address from the port security table by using the no switchport port-security mac-address mac-address interface configuration command, you should re-authenticate the IEEE 802.1x client by using the dot1x re-authenticate interface interface-id privileged EXEC command.

When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place.

If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.

You can configure the dot1x violation-mode interface configuration command so that a port shuts down, generates a syslog error, or discards packets from a new device when it connects to an IEEE 802.1x-enabled port or when the maximum number of allowed devices has already been authenticated. For more information, see the “Maximum Number of Allowed Devices Per Port” section on page 8-11 and the command reference for this release.

For more information about enabling port security on your switch, see the “Configuring Port Security” section on page 22-9.
Using IEEE 802.1x with VLAN Assignment

The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.

When configured on the switch and the RADIUS server, IEEE 802.1x with VLAN assignment has these characteristics:

• If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authorization is disabled, the port is configured in its access VLAN after successful authentication.

• If IEEE 802.1x authorization is enabled but the VLAN information from the RADIUS server is not valid, the port returns to the unauthorized state and remains in the configured access VLAN. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.
  Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, or a nonexistent or internal (routed port) VLAN ID.

• If IEEE 802.1x authorization is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication.

• If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.

• If IEEE 802.1x and port security are enabled on a port, the port is placed in the RADIUS server-assigned VLAN.

• If IEEE 802.1x is disabled on the port, it is returned to the configured access VLAN.

• When the port is in the force authorized, the force unauthorized, the unauthorized, or the shutdown state, it is put into the configured access VLAN.

• If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect.

• The IEEE 802.1x with VLAN assignment feature is not supported on trunk ports or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
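The VLAN-assignment rules above, written out as a decision function so the outcome for a given RADIUS reply and port state can be checked before deploying a policy. This is an added example, not Cisco code; the RADIUS attribute names and values follow RFC 3580 (not named on this page), and the VLAN database, internal VLAN set and numeric-only VLAN ID check are assumptions.

```python
"""Decision model for the IEEE 802.1x VLAN-assignment rules on this page.
Added example, not Cisco code. Attribute names/values follow RFC 3580; the
switch's VLAN database and 'internal' VLAN set are constructed sample inputs."""
from dataclasses import dataclass, field

TUNNEL_TYPE_VLAN = 13      # RFC 3580 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580 Tunnel-Medium-Type value for IEEE 802

@dataclass
class Port:
    access_vlan: int                 # configured access VLAN of the port
    state: str = "auto"              # auto | force-authorized | force-unauthorized | shutdown
    authz_enabled: bool = True       # IEEE 802.1x authorization enabled on the switch
    trunk: bool = False

@dataclass
class Switch:
    vlans: set                       # VLAN IDs present in the VLAN database
    internal_vlans: set = field(default_factory=set)  # IDs reserved for routed ports

def radius_vlan(attrs: dict):
    """None if the server supplied no VLAN, 'invalid' if malformed, else the VLAN ID."""
    if "Tunnel-Private-Group-ID" not in attrs:
        return None
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return "invalid"
    group = str(attrs["Tunnel-Private-Group-ID"]).strip()
    # Assumption: numeric VLAN IDs only; 1-4094 is the IEEE 802.1Q range.
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return "invalid"
    return int(group)

def resolve_port_vlan(switch: Switch, port: Port, attrs: dict, auth_ok: bool = True):
    """Return (authorized, vlan) for a port after an IEEE 802.1x exchange."""
    if port.trunk:
        raise ValueError("VLAN assignment is not supported on trunk ports")
    # Force-authorized, force-unauthorized and shutdown ports stay in the access VLAN.
    if port.state != "auto":
        return port.state == "force-authorized", port.access_vlan
    if not auth_ok:                      # authentication failed: unauthorized, access VLAN
        return False, port.access_vlan
    vlan = radius_vlan(attrs)
    if vlan is None or not port.authz_enabled:
        return True, port.access_vlan    # authenticated into the configured access VLAN
    # Authorization on but VLAN info unusable: back to unauthorized, stay in access VLAN.
    if vlan == "invalid" or vlan not in switch.vlans or vlan in switch.internal_vlans:
        return False, port.access_vlan
    return True, vlan                    # valid: port moves to the RADIUS-assigned VLAN
```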