DescriptionThe equivalent 802.1x
commands in Cisco IOS
Release 12.2(46)SE and earlier
The authentication manager
commands in Cisco IOS
Release 12.2(50)SE or later
Configure a port to use web authentication
as a fallback method for clients that do not
support 802.1x authentication.
dot1x fallback
fallback-profile
authentication fallback
fallback-profile
Allow a single host (client) or multiple hosts
on an 802.1x-authorized port.
dot1x host-mode {single-host
| multi-host | multi-domain}
authentication host-mode
[multi-auth | multi-domain |
multi-host | single-host]
Provides the flexibility to define the order
of authentication methods to be used.
mabauthentication order
Enable periodic re-authentication of the
client.
dot1x reauthenticationauthentication periodic
Enable manual control of the authorization
state of the port.
dot1x port-control {auto |
force-authorized |
force-unauthorized}
authentication port-control
{auto | force-authorized |
force-un authorized}
Set the 802.1x timers.dot1x timeoutauthentication timer
Configure the violation modes that occur
when a new device connects to a port or
when a new device connects to a port after
the maximum number of devices are
connected to that port.
dot1x violation-mode
{shutdown | restrict |
protect}
authentication violation
{protect | restrict | shutdown}
Ports in Authorized and Unauthorized States
During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the
network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice
VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets.
When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for
the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and
802.1x protocol packets before the client is successfully authenticated.
CDP bypass is not supported and may cause a port to go into err-disabled state.Note
If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch
requests the client’s identity. In this situation, the client does not respond to the request, the port remains in
the unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client
initiates the authentication process by sending the EAPOL-start frame. When no response is received, the
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1326
Information About 802.1x Port-Based Authentication
To Next Page
Loading...
Need help?
General
