10-16
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves
to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch,
no matter which host mode is enabled on the that port.)
Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along
with port security.
When a MAC address moves from one port to another, the switch terminates the authenticated session
on the original port and initiates a new authentication sequence on the new port. Port security behavior
remains the same when you configure MAC move.
The MAC move feature applies to both voice and data hosts.
Note In open authentication mode, a MAC address is immediately moved from the original port to the new
port, with no requirement for authorization on the new port.
For more information see the “Enabling MAC Move” section on page 10-51.
MAC Replace
Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address
the violation that occurs when a host attempts to connect to a port where another host was previously
authenticated.
Note This feature does not apply to ports in multi-auth mode, because violations are not triggered in that
mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires
authentication.
If you configure the authentication violation interface configuration command with the replace
keyword, the authentication process on a port in multi-domain mode is:
A new MAC address is received on a port with an existing authenticated MAC address.
The authentication manager replaces the MAC address of the current data host on the port with the
new MAC address.
The authentication manager initiates the authentication process for the new MAC address.
If the authentication manager determines that the new host is a voice host, the original voice host is
removed.
If a port is in open authentication mode, any new MAC address is immediately added to the MAC address
table.
For more information see the “Enabling MAC Replace” section on page10-52.