10-28
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Note If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which
a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter15, “Configuring Voice VLAN.”
802.1x Authentication with Port Security
You can configure an 802.1x port with port security in either single-host or multiple-hosts mode. (You
also must configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and 802.1x authentication on a port,802.1x
authentication authenticates the port, and port security manages network access for all MAC addresses,
including that of the client. You can then limit the number or group of clients that can access the network
through an 802.1x port.
These are some examples of the interaction between 802.1x authentication and port security on the
switch:
When a client is authenticated, and the port security table is not full, the client MAC address is added
to the port security list of secure hosts. The port then proceeds to come up normally.
When a client is authenticated and manually configured for port security, it is guaranteed an entry
in the secure host table (unless port security static aging has been enabled).
A security violation occurs if the client is authenticated, but the port security table is full. This can
happen if the maximum number of secure hosts has been statically configured or if the client ages
out of the secure host table. If the client address is aged, its place in the secure host table can be
taken by another host.
If the security violation is caused by the first authenticated host, the port becomes error-disabled and
immediately shuts down.
The port security violation modes determine the action for security violations. For more
information, see the “Security Violations” section on page25-11.
When you manually remove an 802.1x client address from the port security table by using the no
switchport port-security mac-address mac-address interface configuration command, you should
re-authenticate the 802.1x client by using the dot1x re-authenticate interface interface-id
privileged EXEC command.
When an 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries
in the secure host table are cleared, including the entry for the client. Normal authentication then
takes place.
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
Port security and a voice VLAN can be configured simultaneously on an 802.1x port that is in either
single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID)
and the port VLAN identifier (PVID).
You can configure the authentication violation or dot1x violation-mode interface configuration
command so that a port shuts down, generates a syslog error, or discards packets from a new device
when it connects to an 802.1x-enabled port or when the maximum number of allowed devices have
been authenticated. For more information see the “Maximum Number of Allowed Devices Per Port”
section on page 10-40 and the command reference for this release.