Reference Guide
266 Network Security
•
Multiple Host
— Multiple hosts can be attached to a single
802.1x-enabled port. Only the first host must be authorized, and
then the port is wide-open for all who want to access the network.
If the host authentication fails, or an EAPOL-logoff message is
received, all attached clients are denied access to the network.
•
Multiple Session
— A number of specific authorized hosts may
access the port. Each host is treated as if it was the first and only
user and must be authenticated. Filtering is based on the source
MAC address.
–
Action on Single Host Violation
— Select the action to be applied to
packets arriving in Single Session/Single Host mode, from a host
whose MAC address is not the supplicant MAC address. The options
are:
•
Discard
— Discard the packets from any unlearned source.
•
Forward
— Forward the packets from an unknown source,
however, the MAC address is not learned.
•
Shutdown
— Discard the packet from any unlearned source and
shut down the port. Ports remain shutdown until they are
activated, or the switch is reset.
Configuring Host Authentication Using the CLI Commands:
The following table summarizes the CLI commands for configuring host
authentication:
Table 9-14. Host Authentication CLI Commands
CLI Command Description
dot1x host-mode {multi-host |
single-host | multi-sessions}
Allows a single host (client) or multiple
hosts on an IEEE 802.1x-authorized port.
dot1x traps mac-
authentication failure
no dot1x traps mac-
authentication failure
Enables sending traps when a MAC
address is successfully authenticated by
the 802.1X mac-authentication access
control.
Use the no form of this command to
disable the traps.