8-41
Configuring Port-Based and Client-Based Access Control (802.1X)
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices
Note on Blocking a Non-802.1X Device
If the port’s 802.1X authenticator control mode is configured to authorized (as
shown below, instead of auto), then the first source MAC address from any
device, whether 802.1X-aware or not, becomes the only authorized device on
the port.
aaa port-access authenticator < port-list > control authorized
With 802.1X authentication disabled on a port or set to authorized (Force
Authorize), the port may learn a MAC address that you don’t want authorized.
If this occurs, you can block access by the unauthorized, non-802.1X device
by using one of the following options:
■ If 802.1X authentication is disabled on the port, use these command syntaxes to enable it and allow only an 802.1X-aware device:
aaa port-access authenticator e < port-list >
Enables 802.1X authentication on the port.
aaa port-access authenticator e < port-list > control auto
Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
■ If 802.1X authentication is enabled on the port, but set to authorized (Force Authorized), use this command syntax to allow only an 802.1X-aware device:
aaa port-access authenticator e < port-list > control auto
Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
Note If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access.
In addition to the above, to use port-security on an authenticator port, use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn. (Using client-limit sets 802.1X to client-based operation on the specified ports.) When this limit is reached, no further devices can be authenticated until a currently authenticated device disconnects and the current delay period or logoff period has expired.
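The following is an added configuration example, not taken from the manual, that puts the weak Force Authorized setting beside the hardened form described above (control auto plus client-limit and a compatible port-security learn-mode). It assumes port 10, a client limit of 2, and that a RADIUS server and the port-access authentication method are already configured on the switch.

```text
; Added example (not from the manual). Assumed: port 10, client-limit 2,
; RADIUS server and "aaa authentication port-access" already configured.

; Weak: Force Authorized. No 802.1X exchange is required, so the first
; source MAC seen on the port, 802.1X-aware or not, becomes the only
; authorized device.
aaa port-access authenticator 10 control authorized

; Hardened: require an 802.1X exchange with valid credentials.
aaa port-access authenticator 10
aaa port-access authenticator 10 control auto
; Client-based operation: learn at most two authenticated MAC addresses.
; A third device cannot authenticate until one disconnects and the
; delay or logoff period expires.
aaa port-access authenticator 10 client-limit 2
; Port-security on an authenticator port must use learn-mode
; continuous (the default) or port-access.
port-security 10 learn-mode port-access
; Activate 802.1X on the configured authenticator ports.
aaa port-access authenticator active
```

After applying the hardened lines, verify with show port-access authenticator and show port-security that the port reports control mode auto and learn-mode port-access.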