49-9
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
A security violation cannot be triggered in multiple-host mode or multiauthentication mode.
When a security violation occurs, the port is protected according to the configured violation action:
Shutdown—Error-disables the port; this is the default behavior on a port.
Restrict—The port state is unaffected, but the platform is notified to restrict traffic from the offending MAC address.
Replace—Replaces the existing host with the new host, instead of error-disabling or restricting the port.
For more information see “Configuring Violation Action” section on page 49-56.
Using MAC Move
Hosts should be able to move across ports within a switch on the same or different VLAN without restriction, as if they had
moved to a port on another switch.
Prior to Cisco IOS Release 12.2(54)SG, when a MAC address is authenticated on one switch port, that address is not allowed
on another 802.1X switch port: if the switch detects the same MAC address on another 802.1X port, it rejects it.
Beginning with Cisco IOS Release 12.2(54)SG, you can move a MAC address to another port on the same switch. This is not
pertinent for directly connected hosts or for hosts behind Cisco phones, where a port-down event or a proxy EAPoL-Logoff/CDP
TLV is received when the initial host disconnects. It is pertinent for hosts that disconnect from behind a hub, a third-party phone,
or a legacy Cisco phone, because the session then remains up. With MAC move you can disconnect the host from such a device and
connect it directly to another port on the same switch.
You can globally enable MAC move so that the device is reauthenticated on the new port. When a host moves to a second port,
the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, for any host mode
enabled on that port.)
For more information see “Configuring MAC Move” section on page 49-55.
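The following configuration is an added example and is not taken from the Cisco guide. It enables MAC move globally and prepares two access ports: one with a hub behind it (multi-auth, so the stale session of an unplugged host can remain up) and one to which that host is later connected directly. Interface names, VLAN numbers and the RADIUS server group are assumptions.

```cisco
! Added example (not from the Cisco guide). Interface names and VLAN ids are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Global: permit an authenticated MAC address to show up on a different 802.1X
! port of this switch. The session on the old port is deleted and the host is
! reauthenticated on the new port. Without this line the new port rejects the MAC.
authentication mac-move permit
!
! Port with a hub behind it. In multi-auth mode no proxy EAPoL-Logoff arrives
! when a host unplugs from the hub, so its session stays up on this port.
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
! Port the host is moved to. MAC move applies regardless of this port's host
! mode, and the host may land in the same or a different VLAN.
interface GigabitEthernet2/2
 switchport mode access
 switchport access vlan 20
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
! Verification: after the move, the MAC should be listed on Gi2/2 only.
! show authentication sessions
! show authentication sessions interface GigabitEthernet2/2
```

Note the trade-off: `authentication mac-move permit` is global, so it relaxes the one-MAC-one-port rule for every 802.1X port on the switch, not only the hub-facing ones. If the stale session is the only concern, the replace violation action described in the next section limits the change to specific ports.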
Using MAC Replace
Beginning with Cisco IOS Release 12.2(54)SG, you can allow new hosts to connect to abandoned ports. If the configured
violation action is replace, the existing host is replaced by the new host, instead of the port being err-disabled or restricted (as
otherwise happens in single-host and MDA modes).
This is not an issue for directly connected hosts or for hosts behind Cisco phones, where a port-down event or a proxy
EAPoL-Logoff/CDP TLV is received when the initial host disconnects. It is an issue where a host disconnects from behind a
hub, a third-party phone, or a legacy Cisco phone, because the session then remains up. A new host connecting to this port violates the
host mode, triggering a violation. When the violation action is replace, the NAD (switch) terminates the initial session and
restarts the authentication sequence for the new MAC address. This applies to single-host and MDA host modes. In multi-auth
mode, no attempt is made to remove an existing session on the same port.
For more information see the “Configuring MAC Replace” section on page 49-56.
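The following configuration is an added example, not code from the Cisco guide. It covers both the violation actions described at the top of this page and the MAC replace case: one port per action, chosen according to what is attached behind the port. Interface and VLAN numbers are assumptions.

```cisco
! Added example (not from the Cisco guide). Interface names and VLAN ids are assumptions.
! A violation only exists in single-host and multi-domain (MDA) mode; in
! multi-host and multi-auth mode an additional MAC address is not a violation.
!
! Directly connected host: a second MAC address is unexpected, so err-disable
! the port. This is the default and is shown here only for clarity.
interface GigabitEthernet2/3
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication violation shutdown
 authentication port-control auto
 dot1x pae authenticator
!
! Cisco phone plus PC (MDA): keep the port and the phone up, drop only the
! traffic of the offending MAC address.
interface GigabitEthernet2/4
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication violation restrict
 authentication port-control auto
 dot1x pae authenticator
!
! Hub, third-party phone or legacy Cisco phone behind the port: the previous
! host's session may stay up after it unplugs, so let the new host replace it.
! The switch terminates the old session and authenticates the new MAC address.
interface GigabitEthernet2/5
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication violation replace
 authentication port-control auto
 dot1x pae authenticator
!
! Verification:
! show authentication sessions interface GigabitEthernet2/5
! show interfaces status err-disabled
```

The replace action should be reserved for ports where stale sessions are expected. On a directly connected port it lets anyone who unplugs the authenticated host and plugs in another device start a fresh authentication without the port being disabled or an operator being alerted, which is exactly the event the shutdown action is meant to surface.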
Using 802.1X with VLAN Assignment
You can use VLAN assignment to limit network access for certain users. With VLAN assignment, 802.1X-authenticated
ports are assigned to a VLAN based on the username of the client connected to that port. The RADIUS server database
maintains the username-to-VLAN mappings. After successful 802.1X authentication of the port, the RADIUS server sends the
VLAN assignment to the switch. The VLAN can be a standard VLAN or a PVLAN.
On platforms that support PVLANs, you can isolate hosts by assigning ports into PVLANs.
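The following configuration is an added example and is not taken from the Cisco guide. It shows the switch side of RADIUS-based VLAN assignment, including the authorization line the switch needs before it will honor VLAN attributes, and lists in comments the three standard RADIUS attributes (RFC 2868) the server must return. The server address, shared secret, VLAN names and interface are assumptions.

```cisco
! Added example (not from the Cisco guide). Server address, key, VLANs and
! interface are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! Without network authorization from RADIUS the switch ignores the VLAN
! attributes in the Access-Accept and leaves the port in its configured VLAN.
aaa authorization network default group radius
dot1x system-auth-control
!
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
! Every VLAN the server may assign must exist on the switch. The server can
! reference a VLAN by name or by number.
vlan 20
 name EMPLOYEES
vlan 30
 name CONTRACTORS
!
! A dead-end VLAN as the static fallback: if the server returns no VLAN, the
! host does not silently land in a production VLAN.
vlan 999
 name DEADEND
!
interface GigabitEthernet2/6
 switchport mode access
 switchport access vlan 999
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
! The RADIUS Access-Accept must carry all three attributes, e.g. for an employee:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = "EMPLOYEES"   (or the VLAN number, "20")
!
! Verification: the assigned VLAN appears in the session details.
! show authentication sessions interface GigabitEthernet2/6 details
```

Because the VLAN now comes from the RADIUS server, the integrity of that assignment depends on the server's policy and on the RADIUS shared secret: anyone who can spoof Access-Accept packets to the switch can place a port into any VLAN that exists on it. Keep the set of locally defined VLANs on access switches to those actually meant for assignment.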
