199
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to a second
port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which
host mode is enabled on the that port.)
When a MAC address moves from one port to another, the switch terminates the authenticated session on the original
port and initiates a new authentication sequence on the new port.
The MAC move feature applies to both voice and data hosts.
Note: In open authentication mode, a MAC address is immediately moved from the original port to the new port, with no
requirement for authorization on the new port.
For more information see Configuring Optional 802.1x Authentication Features, page 224.
MAC Replace
The MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a
port where another host was previously authenticated.
Note: This feature does not apply to ports in multiauth mode, because violations are not triggered in that mode. It does
not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.
If you configure the authentication violation interface configuration command with the replace keyword, the
authentication process on a port in multidomain mode is:
A new MAC address is received on a port with an existing authenticated MAC address.
The authentication manager replaces the MAC address of the current data host on the port with the new MAC
address.
The authentication manager initiates the authentication process for the new MAC address.
If the authentication manager determines that the new host is a voice host, the original voice host is removed.
If a port is in open authentication mode, any new MAC address is immediately added to the MAC address table.
For more information see Configuring Optional 802.1x Authentication Features, page 224.
802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of
network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on
802.1x-enabled ports:
User successfully authenticates.
User logs off.
Link-down occurs.
Reauthentication successfully occurs.
Reauthentication fails.
The switch does not log 802.1x accounting information. Instead, it sends this information to the RADIUS server, which
must be configured to log accounting messages.
To Next Page
Loading...
Need help?
General