Security: 802.1X Authentication
Authenticator Overview
384 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
19
• force-unauthorized
Port authentication is disabled and the port transmits all traffic via the guest
VLAN and unauthenticated VLANs. For more information see Defining Host
and Session Authentication. The switch sends 802.1x EAP packets with
EAP failure messages inside when it receives 802.1x EAPOL-Start
messages.
• auto
Enables 802.1 x authentications in accordance with the configured port host
mode and authentication methods configured on the port.
Port Host Modes
Ports can be placed in the following port host modes (configured in the Security >
802.1X/MAC/Web Authentication > Host and Authentication page):
• Single-Host Mode
A port is authorized if there is an authorized client. Only one host can be
authorized on a port.
When a port is unauthorized and the guest VLAN is enabled, untagged
traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it
belongs to the guest VLAN or to an unauthenticated VLAN. If a guest VLAN
is not enabled on the port, only tagged traffic belonging to the
unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized
host is bridged based on the static VLAN membership port configuration.
Traffic from other hosts is dropped.
A user can specify that untagged traffic from the authorized host will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. Tagged traffic is dropped unless it belongs to the
RADIUS-assigned VLAN or the unauthenticated VLANs. Radius VLAN
assignment on a port is set in the Security > 802.1X/MAC/Web
Authentication > Port Authentication page.
• Multi-Host Mode
A port is authorized if there is if there is at least one authorized client.
To Next Page
Loading...
