40-5
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 40 Configuring 802.1X Authentication
Understanding How 802.1X Authentication Works
You control the port authorization state by using the set port dot1x mod/port port-control command
and these keywords:
• force-authorized—Disables 802.1X authentication and causes the port to transition to the
authorized state without any authentication exchange required. The port transmits and receives
normal traffic without 802.1X-based authentication of the host. This setting is the default.
• force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by
the host to authenticate. The switch cannot provide authentication services to the host through the
interface.
• auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state,
allowing only the EAPOL frames to be sent and received through the port. The authentication
process begins when the link state of the port transitions from down to up or when an EAPOL-start
frame is received. The switch requests the identity of the host and begins relaying the authentication
messages between the host and the authentication server. Each host attempting to access the network
is uniquely identified by the switch by using the host’s MAC address.
If the host is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated host are allowed through the port.
If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
If the switch cannot reach the authentication server, it can retransmit the request. If no response is
received from the server after the specified number of attempts, authentication fails, and network access
is not granted.
When a host logs off, the server sends an EAPOL-logoff message, causing the switch port to transition
to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port
returns to the unauthorized state.
Table 40-1 defines the 802.1X terms.
Table 40-1 802.1X Terminology
Term Definition
Authenticator PAE
1
(Referred to as the “authenticator”) entity at one end of a
point-to-point LAN segment that enforces host authentication. The
authenticator is independent of the actual authentication method and
functions only as a pass-through for the authentication exchange. It
communicates with the host, submits the information from the host to
the authentication server, and authorizes the host when instructed to
do so by the authentication server.
Authentication server Entity that provides the authentication service for the authenticator
PAE. It checks the credentials of the host PAE and then notifies its
client, the authenticator PAE, whether the host PAE is authorized to
access the LAN/switch services.
Authorized state Status of the port after the host PAE is authorized.
Both Bidirectional flow control, incoming and outgoing, at an
unauthorized switch port.
Controlled port Secured access point.
EAP Extensible Authentication Protocol.
EAPOL
2
Encapsulated EAP messages that can be handled directly by a LAN
MAC service.
To Next Page
Loading...
Need help?
General