29-9
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
These examples describe the interaction between 802.1X and port security on the switch:
• When a client is authenticated and the port security table is not full, the client's MAC address is
added to the port security list of secure hosts. The port then comes up normally.
• When a client is authenticated and its MAC address is manually configured as a secure address, it is
guaranteed an entry in the secure host table (unless port security static aging has been enabled).
• A security violation occurs if an additional host is learned on the port. The action taken depends on
which feature (802.1X or port security) detects the violation:
– If 802.1X detects the violation, the port is err-disabled.
– If port security detects the violation, the port is shut down or restricted (the action is
configurable).
The following describes when port security and 802.1X security violations occur:
• In single-host mode, after the port is authorized, any MAC address received other than the
client's causes an 802.1X security violation.
• In single-host mode, if the 802.1X client's MAC address cannot be installed because port
security has already reached its limit (because of configured secure MAC addresses), a port
security violation is triggered.
• In multi-host mode, once the port is authorized, any additional MAC address that cannot be
installed because port security has reached its limit triggers a port security violation.
• When an 802.1X client logs off, the port transitions back to the unauthenticated state, and all
dynamic entries in the secure host table are cleared, including the entry for the client. Normal
authentication then ensues.
• If you administratively shut down the port, the port becomes unauthenticated, and all dynamic
entries are removed from the secure host table.
• Only 802.1X can remove the client's MAC address from the port security table. Note that in
multi-host mode, all MAC addresses learned by port security, except the client's MAC address, can be
deleted using the port security CLI.
• Whenever port security ages out an 802.1X client's MAC address, 802.1X attempts to reauthenticate
the client. The client's MAC address is retained in the port security table only if the
reauthentication succeeds.
• All 802.1X client MAC addresses are tagged with (dot1x) when you display the port security
table using the CLI.
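The rules above answer one practical question: when a second host shows up on a port, which feature raises the violation and therefore which action (err-disable versus the configured port security action) you will see. The following model encodes those rules for a single port so the outcome can be traced for single-host and multi-host mode, a full secure-host table, logoff, CLI removal and aging. It is an added example, not switch code from the guide; the result strings, the event tuples, the `SecurePort` name and the treatment of traffic on an unauthorized port are this example's own assumptions.

```python
class SecurePort:
    """Model of one 802.1X port's secure-host table, implementing the violation
    and clean-up rules the guide states. Added example, not switch code: the
    result strings and event tuples are this example's own vocabulary."""

    def __init__(self, host_mode, max_secure, static_macs=(), violation_mode="restrict"):
        self.host_mode = host_mode            # "single" or "multi"
        self.max_secure = max_secure          # port security maximum
        self.violation_mode = violation_mode  # configured port security action
        self.table = {mac: "static" for mac in static_macs}  # mac -> "static" | "dot1x" | "dynamic"
        self.client = None                    # MAC of the authenticated 802.1X client
        self.authorized = False
        self.events = []                      # (detecting feature, action) per violation

    def _table_full(self):
        return len(self.table) >= self.max_secure

    def authenticate(self, mac):
        """802.1X client passes authentication. A statically secured MAC is
        guaranteed its entry (static aging is ignored in this model); otherwise
        the client needs a free slot, and a full table is a port security violation."""
        if mac not in self.table:
            if self._table_full():
                self.events.append(("port-security", self.violation_mode))
                return "port-security-violation"
            self.table[mac] = "dot1x"
        self.client, self.authorized = mac, True
        return "authorized"

    def learn(self, mac):
        """A frame with another source MAC is seen on the port. Single-host mode:
        802.1X raises the violation and err-disables the port. Multi-host mode:
        the MAC is secured if a slot is free, otherwise port security raises it."""
        if not self.authorized:
            # The guide covers only authorized ports; refusing here is an assumption.
            return "port-unauthorized"
        if mac in self.table:
            return "known"
        if self.host_mode == "single":
            self.events.append(("dot1x", "err-disable"))
            return "dot1x-violation"
        if self._table_full():
            self.events.append(("port-security", self.violation_mode))
            return "port-security-violation"
        self.table[mac] = "dynamic"
        return "secured"

    def logoff(self):
        """EAPOL-Logoff or administrative shutdown: the port returns to the
        unauthenticated state and every dynamic entry, the client's included, goes."""
        self.table = {m: k for m, k in self.table.items() if k == "static"}
        self.client, self.authorized = None, False

    def clear_secure_mac(self, mac):
        """Port security CLI removal: allowed for any address port security learned,
        never for the 802.1X client's own address."""
        if mac == self.client or mac not in self.table:
            return False
        del self.table[mac]
        return True

    def age_out_client(self, reauth_succeeds):
        """Port security ages the client's entry; 802.1X reauthenticates, and the
        entry survives only if that succeeds."""
        if self.client is None or self.table.get(self.client) != "dot1x":
            return "nothing-to-age"
        if reauth_succeeds:
            return "retained"
        del self.table[self.client]
        self.client, self.authorized = None, False
        return "removed"


if __name__ == "__main__":
    port = SecurePort("single", max_secure=2)
    port.authenticate("00:11:22:33:44:55")
    print(port.learn("00:11:22:33:44:66"), port.events)   # dot1x-violation [('dot1x', 'err-disable')]
```

The two failure paths worth noting from the model: in single-host mode the second MAC is always an 802.1X violation regardless of how much room port security has, while a full table at authentication time is always a port security violation, so the action you observe on the port depends on which rule fired, not on which feature you were thinking about.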
Using 802.1X with RADIUS-Provided Session Timeouts
802.1X enables the user to specify whether the switch uses a locally configured reauthentication timeout
or a RADIUS-provided reauthentication timeout. If the switch is configured to use the local
reauthentication timeout, it reauthenticates the host when the timer expires.
If the switch is configured to use the RADIUS-provided timeout, it looks in the RADIUS Access-Accept
message for the Session-Timeout and optional Termination-Action attributes. The value of the
Session-Timeout attribute is used to determine the duration of the session, and the value of the
Termination-Action attribute is used to determine the switch action when the session's timer expires.
If the Termination-Action attribute is present and its value is RADIUS-Request, the switch
reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the
switch terminates the session.