Filter
Top Products
Chapter 60: 802.1x Port-based Network Access Control
868
Operational Settings for Authenticator Ports
An authenticator port can have one of three possible operational settings:
Auto - Activates port-based authentication. The port begins in the
unauthorized state, forwarding only EAPOL frames and discarding
all other traffic. The authentication process begins when the link
state of the port changes or the port receives an EAPOL-Start
packet from a supplicant. The switch requests the identity of the
client and begins relaying authentication messages between the
client and the RADIUS authentication server. After the supplicant
is validated by the RADIUS server, the port begins forwarding all
traffic to and from the supplicant. This is the default setting for an
authenticator port.
Force-authorized - Disables IEEE 802.1x port-based
authentication and automatically places the port in the authorized
state without any authentication exchange required. The port
transmits and receives normal traffic without authenticating the
client.
Note
A supplicant connected to an authenticator port set to force-
authorized must have 802.1x client software if the port’s
authenticator mode is 802.1x. Though the force-authorized setting
prevents an authentication exchange, the supplicant must still have
the client software to forward traffic through the port.
Force-unauthorized - Causes the port to remain in the
unauthorized state, ignoring all attempts by the supplicant to
authenticate. The port forwards EAPOL frames, but discards all
other traffic. This setting is analogous to disabling a port.
As mentioned earlier, the switch itself does not authenticate the user
names and passwords from the clients. That function is performed by the
authentication server and the RADIUS server software. The switch acts as
an intermediary for the authentication server by denying access to the
network by the client until the client has been validated by the
authentication server.