Ports In Authorized And Unauthorized States - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 44
Configuring 802.1X Port-Based Authentication
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
44-5

About 802.1X Port-Based Authentication

Ports in Authorized and Unauthorized States

The switch port state determines whether the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally.

If a non-802.1X capable client is connected to an unauthorized 802.1X port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network. If a guest VLAN is configured on a port that connects to a client that does not support 802.1X, the port is placed in the configured guest VLAN and in the authorized state. For more information, see the "Using 802.1X for Guest VLANs" section on page 44-22.

In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

You can control the port authorization state by using the authentication port-control interface configuration command (dot1x port-control auto command in Cisco IOS Release 12.2(46)SG and earlier releases) and these keywords:

• force-authorized—Disables 802.1X authentication and causes the port to transition to the authorized state without requiring an authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This setting is the default.

• force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client using the interface.

• auto—Allows 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received using the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch can uniquely identify each client attempting to access the network by the client's MAC address.

Figure 44-3 shows the authentication process.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed using the port. If authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails and network access is not granted.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received by the port, the port returns to the unauthorized state.

If Multidomain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the "Using Multiple Domain Authentication and Multiple Authentication" section on page 44-11.
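As an added example that is not part of the Cisco guide, the following IOS configuration places one access port next to another so that the default force-authorized behaviour described above can be compared with the auto keyword; the interface names, VLAN IDs, RADIUS address and shared secret are assumptions.

```cisco
! Added example; interface, VLAN and RADIUS values are assumptions, not from the guide.
! Global: enable AAA and send 802.1X (dot1x) authentication to the RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
! Without this global command, per-port 802.1X settings have no effect.
dot1x system-auth-control
!
! Weak: no port-control command means the default, force-authorized.
! The port is authorized with no exchange and any connected host reaches VLAN 10.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
!
! Hardened: auto starts the port in the unauthorized state; only EAPOL frames
! pass until the RADIUS server returns an Accept for the client.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
 ! Clients that never answer the identity request are placed in guest VLAN 20
 ! (the guest VLAN case described in this section).
 authentication event no-response action authorize vlan 20
 ! MDA: one voice and one data domain on the port, each authenticated separately.
 authentication host-mode multi-domain
!
! Verify the per-port Authorized/Unauthorized state after a client connects:
! show authentication sessions interface GigabitEthernet1/2
```

A link-down event or an EAPOL-logoff frame returns GigabitEthernet1/2 to the unauthorized state, as the section describes, while GigabitEthernet1/1 never leaves the authorized state.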
