User Distribution; X Authentication With Wake-On-Lan; Authentication With Port Security - Cisco WS-CBS3032-DEL Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which
Note
a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see
802.1x Authentication with Port Security
In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE
802.1x enforces a single MAC address per port (or per VLAN when MDA is configured for IP
telephony), port security is redundant and in some cases may interfere with expected IEEE 802.1x
operations.

802.1x Authentication with Wake-on-LAN

The 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when
the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in
environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the IEEE 802.1x
port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to
block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to
other devices in the network.
If PortFast is not enabled on the port, the port is forced to the bidirectional state.
Note
When you configure a port as unidirectional by using the authentication control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both
interface configuration command, the port is access-controlled in both directions. The port does not
receive packets from or send packets to the host.
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across
multiple different VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a
VLAN group name.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
9-26
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Chapter 15, "Configuring Voice VLAN."
OL-13270-06