Cisco Catalyst 4500 Series Software Configuration Guide

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
This example shows how to configure the violation mode shutdown on a switch:
Switch# configure terminal
Switch(config)# authentication violation shutdown
A port is error-disabled when a security violation is triggered in shutdown mode. The following syslog messages are displayed:
%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface <interface name>, new MAC address <mac-address> is seen.
%PM-4-ERR_DISABLE: security-violation error detected on <interface name>, putting <interface name> in err-disable state
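A log-triage sketch for the two syslog messages above, added here as an example and not part of the Cisco guide: it pairs each AUTHMGR-5-SECURITY_VIOLATION message with a PM-4-ERR_DISABLE security-violation message for the same interface. The sample lines (timestamps, host name, interface names, MAC addresses) and the interface-name abbreviation table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines; host, interfaces and MAC addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/1, new MAC address 0000.5e00.5301 is seen.
Mar  3 10:15:01 sw1 %PM-4-ERR_DISABLE: security-violation error detected on Gi2/1, putting Gi2/1 in err-disable state
Mar  3 10:20:44 sw1 %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet2/7, new MAC address 0000.5e00.5302 is seen.
Mar  3 10:21:10 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet2/9, changed state to down
"""

VIOLATION = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface (\S+), "
    r"new MAC address\s+(\S+) is seen")
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: security-violation error detected on (\S+),")

# Assumption: some messages may carry abbreviated interface names.
SHORT = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet", "Fa": "FastEthernet"}

def normalize(ifname):
    """Expand an abbreviated interface name so both messages key the same port."""
    m = re.match(r"([A-Za-z]+)(\d.*)", ifname)
    if not m:
        return ifname
    return SHORT.get(m.group(1), m.group(1)) + m.group(2)

def summarize(log_text):
    """Return {interface: {"macs": [...], "err_disabled": bool}}."""
    ports = defaultdict(lambda: {"macs": [], "err_disabled": False})
    for line in log_text.splitlines():
        if (m := VIOLATION.search(line)):
            ports[normalize(m.group(1))]["macs"].append(m.group(2))
        elif (m := ERR_DISABLE.search(line)):
            ports[normalize(m.group(1))]["err_disabled"] = True
    return dict(ports)

def ports_needing_recovery(log_text):
    """Interfaces that logged a violation and were then error-disabled."""
    return sorted(p for p, s in summarize(log_text).items()
                  if s["macs"] and s["err_disabled"])

if __name__ == "__main__":
    for port, state in summarize(SAMPLE_LOG).items():
        print(port, state)
    print("err-disabled after violation:", ports_needing_recovery(SAMPLE_LOG))
```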
Configuring 802.1X with Guest VLANs
You can configure a guest VLAN for each 802.1X port on the Catalyst 4500 series switch to provide limited services to clients,
such as downloading the 802.1X client. These clients might be upgrading their system for 802.1X authentication, and some
hosts, such as Windows 98 systems, might not be 802.1X-capable.
When you enable a guest VLAN on an 802.1X port, the Catalyst 4500 series switch assigns clients to a guest VLAN, provided
one of the following applies:
• The authentication server does not receive a response to its EAPOL request or identity frame.
• The EAPOL packets are not sent by the client.
Beginning with Cisco IOS Release 12.2(25)EWA, the Catalyst 4500 series switch maintains the EAPOL packet history. If
another EAPOL packet is detected on the interface during the lifetime of the link, network access is denied. The EAPOL history
is reset upon loss of the link.
Any number of 802.1X-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an
802.1X-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state
in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.
Note: When a port is put into a guest VLAN, it is automatically placed into multihost mode, and an unlimited
number of hosts can connect using the port. Changing the multihost configuration does not affect a port
in a guest VLAN.
Step / Command / Purpose

Step 3
Command: Switch(config-if)# authentication violation [restrict | shutdown | replace]
Purpose: (Optional) Configures the disposition of the port if a security violation occurs.
The default action is to shut down the port. If the restrict keyword is configured, the port does not shut down.
When a new host is seen in single or multiple-domain modes, replace mode tears down the old session and authenticates the new host.

Step 4
Command: Switch(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command: Switch# show run
Purpose: Verifies your entries.

Step 6
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
