User's Manual
11-25
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the
IEEE 802.1x port becomes unauthorized. The port can only rece
ive and send EAPOL packets, and WoL
magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch
port is not opened.
When the switch uses IEEE 802.1x authentication with W
oL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the por
t is unauthorized, the switch continues to
block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to
other devices in the network.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as u
nidirectional by using the dot1x control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send
packets to the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the dot1x contr
ol-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive
packets from or send packets to the host.
IEEE 802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see Figure 11-2 on
page 11-5) by using the MAC authentica
tion bypass feature. For example, you can enable this feature on
IEEE 802.1x ports connected to devices such as printers.
If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch
t
ries to authorize the client by using MAC authentication bypass.
When the MAC authentication bypass feature is enabled
on an IEEE 802.1x port, the switch uses the
MAC address as the client identity. The authentication server has a database of client MAC addresses
that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an
Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request
frame with a username and password based on the MAC address. If authorization succeeds, the switch
grants the client access to the network. If authorization fails, the switch assigns the port to the guest
VLAN if one is configured.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines
that the de
vice connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x
authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if
the interface link status goes down.
If the switch already author
ized a port by using MAC authentication bypass and detects an IEEE 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authentication
occurs, the switch uses IEEE 802.1x authentication as the preferred re-authentication process if the
previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authen
tication bypass can be re-authenticated. The
re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x.
During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is
successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the
port to the guest VLAN, if one is configured.