Ports In Authorized And Unauthorized States - Cisco Catalyst 2960 Software Configuration Manual


Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE (OL-26520-01), page 10-10
Chapter 10: Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands (continued)

Columns: the authentication manager commands in Cisco IOS Release 12.2(50)SE or later; the equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier; description.

Authentication manager command: authentication fallback fallback-profile
Earlier 802.1x command: dot1x fallback fallback-profile
Description: Configure a port to use web authentication as a fallback method for clients that do not support authentication.

Authentication manager command: authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
Earlier 802.1x command: dot1x host-mode {single-host | multi-host | multi-domain}
Description: Allow a single host (client) or multiple hosts on an authorized port.

Authentication manager command: authentication order
Earlier 802.1x command: dot1x mac-auth-bypass
Description: Provides the flexibility to define the order of authentication methods to be used.

Authentication manager command: authentication periodic
Earlier 802.1x command: dot1x reauthentication
Description: Enable periodic re-authentication of the client.

Authentication manager command: authentication port-control {auto | force-authorized | force-unauthorized}
Earlier 802.1x command: dot1x port-control {auto | force-authorized | force-unauthorized}
Description: Enable manual control of the authorization state of the port.

Authentication manager command: authentication timer
Earlier 802.1x command: dot1x timeout
Description: Set the timers.

Authentication manager command: authentication violation {protect | restrict | shutdown}
Earlier 802.1x command: dot1x violation-mode {shutdown | restrict | protect}
Description: Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate command for each authentication method:

- The no authentication logging verbose global configuration command filters verbose messages from the authentication manager.
- The no dot1x logging verbose global configuration command filters 802.1x authentication verbose messages.
- The no mab logging verbose global configuration command filters MAC authentication bypass (MAB) verbose messages.

For more information, see the command reference for this release.

Ports in Authorized and Unauthorized States

During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets. When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and 802.1x protocol packets before the client is successfully authenticated.

If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
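
The following added example (not code from the Cisco guide) applies the Table 10-2 mapping and the port-control keywords to a configuration audit: it reports interface lines that still use the earlier dot1x commands, names the authentication manager command the table lists for each, and lists ports manually forced to the authorized state. The function names and the sample configuration are constructed for illustration, and only the replacement command named in the table is reported, not its full argument syntax.

```python
import re

# Earlier 802.1x command -> authentication manager command, per Table 10-2.
LEGACY_TO_AUTH_MANAGER = {
    "dot1x fallback": "authentication fallback",
    "dot1x host-mode": "authentication host-mode",
    "dot1x mac-auth-bypass": "authentication order",
    "dot1x reauthentication": "authentication periodic",
    "dot1x port-control": "authentication port-control",
    "dot1x timeout": "authentication timer",
    "dot1x violation-mode": "authentication violation",
}
PORT_CONTROL = re.compile(r"^(?:dot1x|authentication) port-control (\S+)$")
# Constructed sample configuration (interface names and settings are illustrative).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
!
interface GigabitEthernet0/2
 authentication port-control force-authorized
!
interface GigabitEthernet0/3
 authentication port-control auto
"""

def audit_config(config_text):
    """Return (legacy, states): legacy command hits and per-interface port-control keyword."""
    legacy, states, interface = [], {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            interface = raw.split(None, 1)[1].strip()
            continue
        if interface is None or not raw.startswith(" "):
            interface = None  # "!" or any top-level line closes the interface block
            continue
        line = raw.strip()
        for prefix, replacement in LEGACY_TO_AUTH_MANAGER.items():
            if line == prefix or line.startswith(prefix + " "):
                legacy.append((interface, line, replacement))
        if match := PORT_CONTROL.match(line):
            states[interface] = match.group(1)
    return legacy, states

def manually_authorized_ports(states):
    """Interfaces whose authorization state is manually set to authorized."""
    return sorted(name for name, state in states.items() if state == "force-authorized")
```

Interfaces that have no port-control line do not appear in the returned states mapping, so a comparison against the full interface list is needed to find ports with no 802.1x control configured at all.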
