Controlled directions

Syntax


aaa port-access <port-list> [controlled-directions <both|in> mixed-mode|port-speed-vsa|mbv <enable|disable>]

After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

both: (Default) Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs.

in: Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.

mixed-mode: Set if unauthenticated and authenticated users are allowed on the same port.

port-speed-vsa: Determines if the port speed VSA is allowed and used on a port.

mbv <enable|disable>: Allows configuration of MBV (MAC-based VLANs) on a port. MBV allows multiple clients on different untagged VLANs to authenticate on the same port.

Requirements

As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based authenticated egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if the 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

The port must be configured as an edge port in the network using the spanning-tree edge-port command.

Notes

  • For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple instance spanning-tree operations” in the advanced traffic management guide for your switch.

  • To display the currently configured controlled direction value for web-based authenticated ports, enter the show port-access web-based config command.

  • The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs.

    The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

  • Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:

    • 802.1X authentication

    • MAC authentication

    • Web-based authentication

    Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch.

    For information about how to configure and use 802.1X authentication, see Configuring Port and User-Based Access Control (802.1X).

  • When a web-based authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.
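The following is an added configuration walk-through, not part of the original reference page, that strings together the requirements and notes above: spanning tree enabled, the ports set as edge ports, web-based authentication enabled, controlled-direction set to in so Wake-on-LAN frames can reach sleeping hosts, and the result verified with the show command named in the notes. The port range 1-4, the switch(config)# prompt, and the admin-edge-port keyword are assumptions (the page names only the spanning-tree edge-port command); confirm the exact edge-port keyword with the CLI's ? help on your switch. Lines starting with ; are annotations, not commands.

```text
; Assumed prerequisite: MSTP or RSTP must be running before controlled-direction in is accepted.
switch(config)# spanning-tree
; Assumed syntax: mark the authenticating ports as edge ports (page calls this the spanning-tree edge-port command).
switch(config)# spanning-tree 1-4 admin-edge-port
; Enable web-based authentication on the same ports (assumed port range 1-4).
switch(config)# aaa port-access web-based 1-4
; Allow outbound flooding (including Wake-on-LAN) on the ports while they are still unauthenticated.
; Inbound traffic from the client remains blocked until authentication succeeds.
switch(config)# aaa port-access 1-4 controlled-directions in
; Verify the controlled-direction value that is now in effect.
switch(config)# show port-access web-based config
; Ports that never need Wake-on-LAN should stay at the default, which keeps eavesdrop prevention
; available and blocks traffic in both directions until authentication occurs.
switch(config)# aaa port-access 1-4 controlled-directions both
```

Because the last controlled-directions setting applies to every authentication method configured on the switch (802.1X, MAC and web-based), scope the in setting to the port list that actually carries Wake-on-LAN targets and leave the remaining ports at both; the trade-off for in is that unknown-destination traffic is flooded out of unauthenticated ports and eavesdrop prevention is unavailable on them.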