Configuring Port-Based and User-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.

Syntax: aaa port-access <port-list> controlled-directions <both | in>

both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.

in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.

Wake-on-LAN Traffic

The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

The aaa port-access controlled-directions in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlled-directions both setting prevents Wake-on-LAN traffic from being transmitted on an 802.1X-aware egress port until authentication occurs.

Note

Although the controlled-directions in setting allows Wake-on-LAN traffic to traverse the switch through unauthenticated 802.1X-aware egress ports, it does not guarantee that the Wake-on-LAN packets will arrive at their destination. For example, firewall rules on other network devices and VLAN rules may prevent these packets from traversing the network.


Operating Notes

Using the aaa port-access controlled-directions in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:

802.1X authentication

MAC authentication

Web authentication
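As an added example (not code from the guide or the switch vendor), the following Python audit script reads a running-config fragment and reports which 802.1X authenticator ports are set to controlled-directions in, i.e. ports that flood unknown-destination egress traffic before authentication, so an administrator can confirm the setting is limited to the ports that actually need Wake-on-LAN. The sample config is constructed, and the port-list syntax (comma-separated ranges such as A1-A4,A7) is an assumption.

```python
"""Audit which 802.1X authenticator ports allow pre-authentication
egress flooding (controlled-directions in) versus the default (both).
Example code added here; the config below is constructed."""
import re

# Constructed sample running-config fragment (not from a real switch).
SAMPLE_CONFIG = """\
aaa port-access authenticator A1-A8
aaa port-access authenticator A9
aaa port-access A1-A4,A7 controlled-directions in
aaa port-access A9 controlled-directions both
aaa port-access authenticator active
"""

# Assumed line formats for the two statements we care about.
AUTH_RE = re.compile(r"^aaa port-access authenticator (?P<ports>[A-Za-z]?\d[\w,-]*)\s*$")
CD_RE = re.compile(r"^aaa port-access (?P<ports>\S+) controlled-directions (?P<dir>both|in)\s*$")


def expand_ports(port_list: str) -> list[str]:
    """Expand an assumed port-list such as 'A1-A4,A7' into individual ports."""
    ports: list[str] = []
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)(?:-([A-Za-z]*)(\d+))?", item)
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        prefix, lo, _, hi = m.groups()
        for n in range(int(lo), int(hi or lo) + 1):
            ports.append(f"{prefix}{n}")
    return ports


def controlled_directions(config: str) -> dict[str, str]:
    """Map each 802.1X authenticator port to its effective setting.
    Ports with no explicit controlled-directions line keep the default 'both'."""
    result: dict[str, str] = {}
    lines = config.splitlines()
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            for p in expand_ports(m.group("ports")):
                result.setdefault(p, "both")  # default: block both directions
    for line in lines:
        m = CD_RE.match(line)
        if m:
            for p in expand_ports(m.group("ports")):
                result[p] = m.group("dir")
    return result


def preauth_egress_ports(config: str) -> list[str]:
    """Ports that flood unknown-destination egress traffic before authentication."""
    return sorted(p for p, d in controlled_directions(config).items() if d == "in")
```

Running preauth_egress_ports(SAMPLE_CONFIG) on the constructed config lists A1 through A4 and A7; every other authenticator port remains at the default both.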
