Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
Note: You can only set any as the source in the ACL.
Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.)
You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and
authorization fails. Single-host mode is the only exception, to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied
for one host does not affect the traffic of another host.
If only one host is authenticated on a multi-host port, and the other hosts gain network access without
authentication, the ACL policy for the first host can be applied to the other connected hosts by specifying
any in the source address.
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods,
such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager
commands determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode,
violation mode, and the authentication timer. Generic authentication commands include the
authentication host-mode, authentication violation, and authentication timer interface
configuration commands.
802.1x-specific commands begin with the dot1x or authentication keyword. For example, the
authentication port-control auto interface configuration command enables authentication on an
interface. However, the dot1x system-auth-control global configuration command only globally
enables or disables 802.1x authentication.
Note: If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port,
such as web authentication.
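The ACL rule and the authentication manager commands described above, combined in an added example configuration that is not taken from the guide. The interface name, VLAN, RADIUS server address, shared secret, ACL name and every host address other than 10.10.1.1 are assumed values.

```cisco
! Added example (not from the configuration guide): one Catalyst access port
! configured with the authentication manager commands, plus an ACL whose
! source is "any" so that it can be applied on a multi-auth port.
! RADIUS server, shared secret, VLAN and interface are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RADIUS-SECRET-PLACEHOLDER
!
! Globally enable 802.1x. If this is absent, 802.1x is off on every port,
! but the other authentication manager methods (MAB, web auth) still work.
dot1x system-auth-control
!
! ACL returned to authenticated hosts during authorization (assumed here to
! be referenced by name from the RADIUS server). Every source must be "any";
! the commented-out line would make the ACL unusable and fail authorization.
ip access-list extended AUTHZ-MULTIHOST
 permit icmp any host 10.10.1.1
 permit tcp any host 10.10.1.1 eq 443
 ! permit ip host 10.10.2.5 any   <- invalid on a multiple-host port
 deny ip any any
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 ! Generic authentication manager commands: host-mode, violation, timer
 authentication host-mode multi-auth
 authentication violation restrict
 authentication timer reauthenticate 3600
 ! Unidirectional control so wake-on-LAN frames can leave the port
 authentication control-direction in
 ! Try 802.1x first, then fall back to MAC authentication bypass
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Enable authentication on this interface (802.1x-specific keyword)
 authentication port-control auto
 dot1x pae authenticator
 mab
```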
The authentication manager commands provide the same functionality as earlier 802.1x commands.
Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands

Each entry gives the authentication manager command in Cisco IOS Release 12.2(50)SE or later, the equivalent 802.1x command in Cisco IOS Release 12.2(46)SE and earlier, and a description.

authentication control-direction {both | in}
    Equivalent 802.1x command: dot1x control-direction {both | in}
    Description: Enable authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.

authentication event
    Equivalent 802.1x command: dot1x auth-fail vlan
    Description: Enable the restricted VLAN on a port.
    Equivalent 802.1x command: dot1x critical (interface configuration)
    Description: Enable the inaccessible-authentication-bypass feature.
    Equivalent 802.1x command: dot1x guest-vlan
    Description: Specify an active VLAN as a guest VLAN.

Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Understanding IEEE 802.1x Port-Based Authentication
OL-26520-01
10-9