IBM 12.1(22)EA6 Switch User Manual


 
6-10
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Note If an EAPOL packet is detected on the wire after the interface has transitioned to the guest VLAN, the
interface reverts to an unauthorized state, and 802.1x authentication restarts.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access
ports.
For configuration steps, see the “Configuring a Guest VLAN” section on page 6-20.
Using IEEE 802.1x with Wake-on-LAN
The IEEE 802.1x wake-on-LAN (WoL) feature allows dormant PCs to be powered when the switch
receives a specific Ethernet frame, known as the magic packet. You can use this feature in environments
where administrators need to connect to systems that have been powered down.
When hosts that use WoL are attached through IEEE 802.1x ports and the host powers down, the IEEE
802.1x port becomes unauthorized. In this state, the port can only receive and send EAPOL packets, and
WoL magic packets cannot reach the host. When the PC is powered down, it is not authenticated, and
the switch port is not opened.
When the switch uses IEEE 802.1x with WoL, the switch sends packets to unauthorized IEEE 802.1x
ports. This feature is also known as the Unidirectional Controlled Port in the IEEE 802.1x specification.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
Unidirectional State
When you configure a port as unidirectional by using the dot1x control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state.
When WoL is enabled, the connected host is in the sleeping mode or power-down state. The host does
not exchange traffic with other devices in the network. If the host connected to the unidirectional port
that cannot send traffic to the network, the host can only receive traffic from other devices in the
network. If the unidirectional port receives incoming traffic, the port returns to the default bidirectional
state, and the port changes to the spanning-tree blocking state. When the port changes to the initialize
state, no traffic other than EAPOL packet is allowed. When the port returns to the bidirectional state, the
switch starts a 5-minute timer. If the port is not authenticated before the timer expires, the port becomes
a unidirectional port.
Bidirectional State
When you configure a port as bidirectional by using the dot1x control-direction both interface config-
uration command, the port is access-controlled in both directions. In this state, the switch port does not
receive or send packets.