CANOGA PERKINS 9175 Configuration Guide User Manual


CanogaOS Configuration Guide

39-4

• force-authorized: disables IEEE 802.1x authentication and causes the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1x-based authentication of the client. This is the default setting.

• force-unauthorized: causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

• auto: enables IEEE 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server.

If the client is successfully authenticated (receives an Accept frame from the
authentication server), the port state changes to authorized, and all frames from the
authenticated client are allowed through the port. If the authentication fails, the port
remains in the unauthorized state, but authentication can be retried. If the authentication
server cannot be reached, the switch can resend the request. If no response is received
from the server after the specified number of attempts, authentication fails, and network
access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to
transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is
received, the port returns to the unauthorized state.
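The port-control modes and state transitions described above, as an added simulation that is not CanogaOS code: a hypothetical per-port authenticator model in which the event names and the retry limit (max_attempts) are assumptions, since the guide only says "the specified number of attempts".

```python
# Hypothetical model of the per-port IEEE 802.1x authenticator behaviour described
# above; not CanogaOS code. Event names and max_attempts are assumptions.
class Dot1xPort:
    def __init__(self, control="force-authorized", max_attempts=2):
        self.control = control            # force-authorized | force-unauthorized | auto
        self.max_attempts = max_attempts  # unanswered server requests before failure
        self.link_up = False
        self.pending = False              # exchange with the authentication server in progress
        self.attempts = 0
        self.state = "authorized" if control == "force-authorized" else "unauthorized"

    def forwards(self, frame):
        """Only EAPOL frames pass through an unauthorized port."""
        return self.state == "authorized" or frame == "EAPOL"

    def _start_auth(self):
        # Switch requests the client identity and relays it to the server.
        self.pending, self.attempts = True, 1

    def event(self, ev):
        """Apply one event and return the resulting port state."""
        if self.control == "force-authorized":       # no exchange required
            self.state = "authorized"
        elif self.control == "force-unauthorized":   # client attempts are ignored
            self.state = "unauthorized"
        elif ev == "link-up":                         # down -> up starts the exchange
            self.link_up = True
            self._start_auth()
        elif ev == "link-down":                       # up -> down: back to unauthorized
            self.link_up, self.pending, self.state = False, False, "unauthorized"
        elif ev == "EAPOL-logoff":                    # client logs off
            self.pending, self.state = False, "unauthorized"
        elif ev == "EAPOL-start" and self.link_up:    # client (re)tries authentication
            self._start_auth()
        elif ev == "server-accept" and self.pending:  # Accept from the server
            self.pending, self.state = False, "authorized"
        elif ev == "server-reject" and self.pending:  # failed; a retry is still possible
            self.pending, self.state = False, "unauthorized"
        elif ev == "server-timeout" and self.pending: # no reply from the server
            if self.attempts < self.max_attempts:
                self.attempts += 1                    # resend the request
            else:                                     # retries exhausted: access not granted
                self.pending, self.state = False, "unauthorized"
        return self.state

def run(control, events, max_attempts=2):
    """Replay a constructed event sequence and return the port state after each event."""
    port = Dot1xPort(control, max_attempts)
    return [port.event(e) for e in events]
```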

39.6 802.1x Configuration

These are the IEEE 802.1x authentication configuration guidelines:

• When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

• The IEEE 802.1x protocol is supported on Layer 2 access ports and Layer 3 routed ports, but it is not supported on these port types:

  o Trunk port: If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.

  o EtherChannel ports: Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.

• IEEE 802.1x features are cleared when the port status is changed from routed port to access port, or vice versa.

• When a port is in the unauthorized state and the control direction is both, all dynamic FDB entries learned on this port are cleared, and all static FDB entries configured on this port are cleared but are restored when the port transitions to
