CHAPTER 4 | Configuring the Switch
Configuring 802.1X Port Authentication
– 85 –
expires, the switch will consider the client alive and leave it
authenticated. Therefore, an age period of T requires the client to
send frames more often than every T/2 to stay authenticated.
◆ Hold Time - The time after an EAP Failure indication or RADIUS
timeout that a client is not allowed access. This setting applies to ports
running MAC-based authentication only. (Range: 10-1000000 seconds;
Default: 10 seconds)
If the RADIUS server denies a client access, or a RADIUS server
request times out (according to the timeout specified on the
Authentication menu, page 65), the client is put on hold in the
Unauthorized state. In this state, frames from the client will not cause
the switch to attempt to reauthenticate the client.
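
The hold behaviour described above, modelled as an added example (not code from the switch or its vendor): it counts how many RADIUS requests a repeatedly denied client can cause per hour for a given Hold Time. It assumes that the first frame seen after the hold period ends triggers a new authentication attempt; `MacClient`, `on_frame` and `requests_in_window` are hypothetical names.

```python
# Added model of the Hold Time behaviour on a MAC-based port (not switch firmware).
# Assumption: once the hold time has elapsed, the next frame from the client
# triggers a new RADIUS request.
from dataclasses import dataclass

HOLD_MIN, HOLD_MAX, HOLD_DEFAULT = 10, 1_000_000, 10  # seconds, range given on this page


@dataclass
class MacClient:
    hold_time: int = HOLD_DEFAULT
    state: str = "unknown"        # unknown | authorized | hold
    hold_until: float = 0.0
    radius_requests: int = 0

    def __post_init__(self):
        if not HOLD_MIN <= self.hold_time <= HOLD_MAX:
            raise ValueError("hold time out of range (10-1000000 seconds)")

    def on_frame(self, now, radius):
        """Handle a frame seen at time `now`; `radius(now)` is a hypothetical
        callback returning 'accept', 'reject' or 'timeout'."""
        if self.state == "authorized":
            return "forward"
        if self.state == "hold" and now < self.hold_until:
            return "drop"                      # on hold: no reauthentication
        self.radius_requests += 1
        if radius(now) == "accept":
            self.state = "authorized"
            return "forward"
        # Access denied or RADIUS timeout: start the hold period
        self.state, self.hold_until = "hold", now + self.hold_time
        return "drop"


def requests_in_window(hold_time, window=3600, frame_interval=1):
    """RADIUS requests caused by a client that is always denied and sends
    one frame every `frame_interval` seconds (constructed traffic)."""
    client = MacClient(hold_time=hold_time)
    for t in range(0, window, frame_interval):
        client.on_frame(t, lambda now: "reject")
    return client.radius_requests


if __name__ == "__main__":
    for hold in (10, 60, 300):
        print(f"hold={hold:>4}s -> {requests_in_window(hold)} RADIUS requests/hour")
```
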
Port Configuration
◆ Port – Port identifier. (Range: 1-28)
◆ Admin State - Sets the authentication mode to one of the following
options:
■ Authorized - Forces the port to grant access to all clients, either
dot1x-aware or otherwise. (This is the default setting.)
■ Unauthorized - Forces the port to deny access to all clients, either
dot1x-aware or otherwise.
■ 802.1X - Requires a dot1x-aware client to be authorized by the
authentication server. Clients that are not dot1x-aware will be
denied access.
■ MAC-Based - Enables MAC-based authentication on the port. The
switch does not transmit or accept EAPOL frames on the port.
Flooded frames and broadcast traffic will be transmitted on the port,
whether or not clients are authenticated on the port, whereas
unicast traffic from an unsuccessfully authenticated client will be
dropped. Clients that are not (or not yet) successfully authenticated
will not be allowed to transmit frames of any kind.
Port Admin state can only be set to Authorized for ports participating in
the Spanning Tree algorithm (see page 78).
When 802.1X authentication is enabled on a port, the MAC address
learning function for this interface is disabled, and the addresses
dynamically learned on this port are removed from the common
address table.
Authenticated MAC addresses are stored as dynamic entries in the
switch's secure MAC address table. Configured static MAC addresses
are added to the secure address table when seen on a switch port (see
page 99). Static addresses are treated as authenticated without
sending a request to a RADIUS server.
When port status changes to down, all MAC addresses are cleared from
the secure MAC address table. Static VLAN assignments are not
restored.