CANOGA PERKINS CanogaOS Configuration Guide User Manual

CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 313 of 350

frame. When no response is received, the client sends the request for a fixed number of times.
Because no response is received, the client begins sending frames as if the port is in the
authorized state.

You control the port authorization state by using the dot1x port-control interface configuration
command and these keywords:
z

force-authorized—disables IEEE 802.1x authentication and causes the port to transition to

the authorized state without any authentication exchange required. The port sends and
receives normal traffic without IEEE 802.1x-based authentication of the client. This is the
default setting.

z

force-unauthorized—causes the port to remain in the unauthorized state, ignoring all

attempts by the client to authenticate. The switch cannot provide authentication services to
the client through the interface.

z

auto—enables IEEE 802.1x authentication and causes the port to begin in the unauthorized

state, allowing only EAPOL frames to be sent and received through the port. The
authentication process begins when the link state of the port transitions from down to up or
when an EAPOL-start frame is received. The switch requests the identity of the client and
begins relaying authentication messages between the client and the authentication server.

If the client is successfully authenticated (receives an Accept frame from the authentication
server), the port state changes to authorized, and all frames from the authenticated client are
allowed through the port. If the authentication fails, the port remains in the unauthorized state,
but authentication can be retried. If the authentication server cannot be reached, the switch can
resend the request. If no response is received from the server after the specified number of
attempts, authentication fails, and network access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition
to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received,
the port returns to the unauthorized state.

38.1.5 802.1x Configuration
These are the IEEE 802.1x authentication configuration guidelines:
z

When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3

features are enabled.

z

The IEEE 802.1x protocol is supported on Layer 2 access ports, and Layer 3 routed ports,

but it is not supported on these port types:

– Trunk port—If you try to enable IEEE 802.1x on a trunk port, an error message appears,

and

IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port
to trunk, the port mode is not changed.