Using IEEE 802.1x with Port Security - Cisco Catalyst 2950 Software Configuration Manual

Chapter 9
Configuring IEEE 802.1x Port-Based Authentication
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies
network access to all of the attached clients. In this topology, the wireless access point is responsible for
authenticating the clients attached to it, and it also acts as a client to the switch.
With the multiple-hosts mode enabled, you can use IEEE 802.1x to authenticate the port and port
security to manage network access for all MAC addresses, including that of the client.
Figure 9-3 Multiple Host Mode Example (figure labels: wireless clients, access point, authentication server (RADIUS))

Using IEEE 802.1x with Port Security

You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.
(You must also configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x
authenticates the port, and port security manages network access for all MAC addresses, including that
of the client. You can then limit the number or group of clients that can access the network through an
IEEE 802.1x port.
These are some examples of the interaction between IEEE 802.1x and port security on the switch:
• When a client is authenticated, and the port security table is not full, the client's MAC address is
  added to the port security list of secure hosts. The port then proceeds to come up normally.
• When a client is authenticated and manually configured for port security, it is guaranteed an entry
  in the secure host table (unless port security static aging has been enabled).
• A security violation occurs if the client is authenticated, but the port security table is full. This can
  happen if the maximum number of secure hosts has been statically configured, or if the client ages
  out of the secure host table. If the client's address is aged out, its place in the secure host table can
  be taken by another host.
  The port security violation modes determine the action for security violations. For more
  information, see the "Security Violations" section on page 21-7.
• When an IEEE 802.1x client logs off, the port transitions back to an unauthenticated state, and all
  dynamic entries in the secure host table are cleared, including the entry for the client. Normal
  authentication then takes place.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
  are removed from the secure host table.
• Port security and a voice VLAN can be configured simultaneously on an IEEE 802.1x port that is
  in either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier
  (VVID) and the port VLAN identifier (PVID).
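A configuration sketch of the combination described above, added here as an example and not taken from the Cisco guide. The interface name, RADIUS server address and key, secure MAC address, and the maximum of 3 are constructed placeholders, and the `dot1x host-mode` syntax is assumed to be the one your software release accepts.

```cisco
! Added example, not from the Cisco guide. Interface, addresses, key and
! MAC address are constructed placeholders.
configure terminal
 ! AAA and RADIUS back end for IEEE 802.1x
 aaa new-model
 aaa authentication dot1x default group radius
 radius-server host 192.0.2.10 auth-port 1812 key EXAMPLE-SHARED-SECRET
 dot1x system-auth-control
 !
 interface FastEthernet0/1
  ! Port security requires a static access port
  switchport mode access
  ! IEEE 802.1x authenticates the port; multiple-hosts mode lets the
  ! other attached clients through once one client has authenticated
  dot1x port-control auto
  dot1x host-mode multi-host
  ! Port security then limits which and how many MAC addresses get access
  switchport port-security
  switchport port-security maximum 3
  ! Manually configured client: guaranteed an entry in the secure host table
  switchport port-security mac-address 0000.5e00.5301
  ! Action taken when an authenticated client finds the table full
  switchport port-security violation restrict
 end
!
! Verify the 802.1x port state and the secure host table
show dot1x interface fastethernet0/1
show port-security interface fastethernet0/1
show port-security address
```

After a client logs off or the port is shut down, `show port-security address` should list only the manually configured entry, since the dynamic entries are cleared.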
Understanding IEEE 802.1x Port-Based Authentication
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-12
