3Com WX2200 3CRWX220095A Switch User Manual

This command configures port 7 as a wired authentication port
supporting one interface and one simultaneous user session.
For 802.1X clients, wired authentication works only if the clients are
directly attached to the wired authentication port, or are attached
through a hub that does not block forwarding of packets from the client
to the PAE group address (01:80:c2:00:00:03). Wired authentication
works in accordance with the 802.1X specification, which prohibits a
client from sending traffic directly to an authenticator’s MAC address
until the client is authenticated. Instead of sending traffic to the
authenticator’s MAC address, the client sends packets to the PAE group
address. The 802.1X specification prohibits networking devices from
forwarding PAE group address packets, because this would make it
possible for multiple authenticators to acquire the same client.
For non-802.1X clients, which use MAC authentication, WebAAA, or
last-resort authentication, wired authentication works whether the
clients are directly attached or indirectly attached.
If clients are connected to a wired authentication port through a
downstream third-party switch, the WX switch attempts to authenticate
based on any traffic coming from the downstream switch, such as Spanning
Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic
emissions such as STP BPDUs from downstream switches. If you want to
provide a management path to a downstream switch, use MAC authentication.
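
The following added example (not from the 3Com manual or MSS) classifies raw Ethernet frames seen on a wired authentication port, separating 802.1X EAPOL frames sent to the PAE group address from STP BPDUs emitted by a downstream switch, and lists the sources that generate traffic without ever acting as 802.1X clients. The sample frames, MAC addresses and function names are constructed for illustration; the EAPOL EtherType (0x888E), the bridge group address and the STP LLC header are standard IEEE values.

```python
import struct
from collections import Counter

PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address (from the manual)
STP_GROUP = bytes.fromhex("0180c2000000")   # IEEE bridge group address used by STP BPDUs
ETH_EAPOL, ETH_VLAN = 0x888E, 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame):
    """Return (source MAC, label) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if etype == ETH_VLAN:                       # skip one 802.1Q tag
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    if etype == ETH_EAPOL:                      # payload: version, type, length
        kind = EAPOL_TYPES.get(payload[1], "unknown") if len(payload) >= 2 else "truncated"
        where = "PAE group" if dst == PAE_GROUP else "unicast " + mac(dst)
        return mac(src), f"EAPOL/{kind} to {where}"
    # A length field (<= 1500) followed by LLC 42:42:03 marks an STP BPDU
    if etype <= 1500 and dst == STP_GROUP and payload[:3] == b"\x42\x42\x03":
        return mac(src), "STP BPDU"
    return mac(src), f"other (ethertype 0x{etype:04x})"

def non_supplicant_sources(frames):
    """Per-(source, label) frame counts for sources that never sent EAPOL."""
    seen, eapol = Counter(), set()
    for f in frames:
        src, label = classify(f)
        seen[(src, label)] += 1
        if label.startswith("EAPOL"):
            eapol.add(src)
    return {k: n for k, n in seen.items() if k[0] not in eapol}

# Constructed sample frames (not captured traffic)
CLIENT, SWITCH = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b02")
SAMPLE = [
    PAE_GROUP + CLIENT + b"\x88\x8e" + b"\x01\x01\x00\x00",            # EAPOL-Start
    STP_GROUP + SWITCH + b"\x00\x26" + b"\x42\x42\x03" + bytes(35),    # config BPDU
    STP_GROUP + SWITCH + b"\x00\x26" + b"\x42\x42\x03" + bytes(35),    # repeated BPDU
]
```

Sources returned by `non_supplicant_sources` are the ones to silence on the downstream switch or to cover with MAC authentication, as the paragraph above describes.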

Clearing a Port
To change a port’s type from MAP access port or wired authentication
port, you must first clear the port, then set the port type.
CAUTION: When you clear a port, MSS ends user sessions on the port.
Clearing a port removes all the port’s configuration settings and resets
the port as a network port.
If the port is a MAP access port, clearing the port disables PoE and
802.1X authentication.
If the port is a wired authentication port, clearing the port disables
802.1X authentication.
If the port is a network port, the port must first be removed from all
VLANs, which removes the port from all spanning trees, load-sharing
port groups, and so on.