Mac Move; Mac Replace - Cisco WS-CBS3032-DEL Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
For more information about critical authentication mode and the critical VLAN, see the
"802.1x Authentication with Inaccessible Authentication Bypass" section on page 9-23.
For more information see the "Configuring the Host Mode" section on page 9-44.

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another
authentication manager-enabled port of the switch. If the switch detects that same MAC address on
another authentication manager-enabled port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same
switch. For example, when there is another device (for example a hub or an IP phone) between an
authenticated host and a switch port, you might want to disconnect the host from the device and connect
it directly to another port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves
to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch,
no matter which host mode is enabled on that port.)
When a MAC address moves from one port to another, the switch terminates the authenticated session
on the original port and initiates a new authentication sequence on the new port.
The MAC move feature applies to both voice and data hosts.
Note: In open authentication mode, a MAC address is immediately moved from the original port to the new
port, with no requirement for authorization on the new port.
For more information see the "Enabling MAC Move" section on page 9-48.

MAC Replace

Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address
the violation that occurs when a host attempts to connect to a port where another host was previously
authenticated.
Note: This feature does not apply to ports in multi-auth mode, because violations are not triggered in that
mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires
authentication.
If you configure the authentication violation interface configuration command with the replace
keyword, the authentication process on a port in multi-domain mode is:
- A new MAC address is received on a port with an existing authenticated MAC address.
- The authentication manager replaces the MAC address of the current data host on the port with the
  new MAC address.
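An added example, not taken from the Cisco manual: a Python check that reads a running-config excerpt and flags the two interactions noted above, namely `authentication violation replace` on a multi-auth or multi-host port, and MAC move combined with open authentication. The sample config is constructed; the commands `authentication mac-move permit`, `authentication host-mode` and `authentication open` are standard IOS syntax that this page does not spell out, and treating a port with no host-mode line as single-host is an assumption.

```python
# Constructed running-config excerpt (sample input, not taken from the manual).
SAMPLE_CONFIG = """\
authentication mac-move permit
!
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 authentication violation replace
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication violation replace
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-host
 authentication open
"""

def audit(config):
    """Return (mac_move_enabled, findings); findings are (interface, message) pairs."""
    mac_move, ports, port = False, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):          # a top-level line ends any interface block
            port = None
            if words == ["authentication", "mac-move", "permit"]:
                mac_move = True
            elif words[:1] == ["interface"] and len(words) == 2:
                # Assumption: a port with no host-mode line runs in single-host mode.
                port = ports.setdefault(words[1], {"mode": "single-host", "violation": None, "open": False})
        elif port is not None and words[:1] == ["authentication"]:
            if words[1:2] == ["host-mode"] and len(words) == 3:
                port["mode"] = words[2]
            elif words[1:2] == ["violation"] and len(words) == 3:
                port["violation"] = words[2]
            elif words[1:] == ["open"]:
                port["open"] = True
    findings = []
    for name, p in ports.items():
        if p["violation"] == "replace" and p["mode"] in ("multi-auth", "multi-host"):
            findings.append((name, f"violation replace has no effect in {p['mode']} mode"))
        if mac_move and p["open"]:
            findings.append((name, "open authentication: a moved MAC is accepted with no authorization"))
    return mac_move, findings

if __name__ == "__main__":
    enabled, results = audit(SAMPLE_CONFIG)
    print("MAC move enabled:", enabled, *results, sep="\n")
```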
Source: Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide, OL-13270-06, Chapter 9, Configuring IEEE 802.1x Port-Based Authentication.

This manual is also suitable for:

Catalyst blade 3130, Catalyst blade 3032
