Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Per-User ACLs and Filter-Ids
ACLs configured on the switch are compatible with other devices running Cisco IOS releases.
You can only set any as the source in the ACL.
Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.)
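The source-must-be-any rule above can be checked before per-user ACL entries are deployed. The following is an added example, not code from the Cisco guide: the function names and sample ACEs are constructed, it handles only the basic `permit|deny <protocol> <source> ...` form, and it assumes entries may carry a Cisco AV-pair prefix of the form `ip:inacl#<n>=`.

```python
import re

# Constructed sample ACEs; only the first one is the guide's own example.
SAMPLE_ACES = [
    "permit icmp any host 10.10.1.1",
    "permit tcp any 10.20.0.0 0.0.255.255 eq 443",
    "permit ip host 10.10.5.7 any",              # source is a single host
    "deny udp 10.10.0.0 0.0.255.255 any eq 53",  # source is a subnet
    "ip:inacl#100=permit tcp any eq 22 any",     # AV-pair form (assumed input)
]

_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def source_spec(ace: str) -> str:
    """Return the source-address portion of an extended ACE.

    Recognized sources: any | host A.B.C.D | A.B.C.D wildcard
    """
    # Assumption: drop an AV-pair prefix such as "ip:inacl#100=" if present.
    tokens = ace.split("=", 1)[-1].split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {ace!r}")
    src = tokens[2:]  # everything after <action> <protocol>
    if src[0] == "any":
        return "any"
    if src[0] == "host" and _IPV4.fullmatch(src[1]):
        return f"host {src[1]}"
    if _IPV4.fullmatch(src[0]) and _IPV4.fullmatch(src[1]):
        return f"{src[0]} {src[1]}"
    raise ValueError(f"unrecognized source in ACE: {ace!r}")

def aces_violating_any_source(aces):
    """Return (ace, source) pairs whose source is not the keyword any."""
    bad = []
    for ace in aces:
        src = source_spec(ace)
        if src != "any":
            bad.append((ace, src))
    return bad

if __name__ == "__main__":
    for ace, src in aces_violating_any_source(SAMPLE_ACES):
        print(f"source must be 'any', found {src!r}: {ace}")
```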
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods, such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode, violation mode, and the authentication timer. Generic authentication commands include the authentication host-mode, authentication violation, and authentication timer interface configuration commands.
802.1x-specific commands begin with the dot1x keyword. For example, the authentication port-control auto interface configuration command enables authentication on an interface. However, the dot1x system-authentication control global configuration command only globally enables or disables 802.1x authentication.
Note: If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port, such as web authentication.
The authentication manager commands provide the same functionality as earlier 802.1x commands. 
Table 11-2 Authentication Manager Commands and Earlier 802.1x Commands

| The authentication manager commands in Cisco IOS Release 12.2(50)SE or later | The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier | Description |
| --- | --- | --- |
| authentication control-direction {both \| in} | dot1x control-direction {both \| in} | Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional. |
| authentication event | dot1x auth-fail vlan; dot1x critical (interface configuration); dot1x guest-vlan6 | Enable the restricted VLAN on a port. Enable the inaccessible-authentication-bypass feature. Specify an active VLAN as an 802.1x guest VLAN. |
| authentication fallback fallback-profile | dot1x fallback fallback-profile | Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication. |
| authentication host-mode [multi-auth \| multi-domain \| multi-host \| single-host] | dot1x host-mode {single-host \| multi-host \| multi-domain} | Allow a single host (client) or multiple hosts on an 802.1x-authorized port. |










