Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices

If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1X-aware device can be authenticated on the port.

Syntax:

port-security [ethernet] <port-list> learn-mode port-access

Configures port-security on the specified ports to allow only the first 802.1X-aware device the port detects.


action <none|send-alarm|send-disable>

Configures the port response to intruder detection and blocks unauthorized traffic.

NOTE:

Port-Security operates with 802.1X authentication only if the selected ports are configured as 802.1X authenticator ports; that is, with the control mode in the port-access authenticator command set to auto. For example, to configure port 5 for 802.1X authenticator operation and display the result:

switch(config)# aaa port-access authenticator 5 control auto
switch(config)# show port-access authenticator 5 config

Note on blocking a non-802.1X device:

If the port 802.1X authenticator control mode is configured to authorized instead of auto, then the first device, whether 802.1X-aware or not, becomes the only authorized device on the port.

aaa port-access authenticator <port-list> control authorized

With 802.1X authentication disabled on a port or set to authorized (Force Authorized), the port may learn a MAC address that you do not want authorized. If this occurs, you can block access by the unauthorized, non-802.1X device by using one of the following options:
  • If 802.1X authentication is disabled on the port, use these command syntaxes to enable it and allow only an 802.1X-aware device:
    aaa port-access authenticator <port-list>

    Enables 802.1X authentication on the port.
    aaa port-access authenticator e <port-list> control auto

    Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
  • If 802.1X authentication is enabled on the port, but set to authorized (Force Authorized), use this command syntax to allow only an 802.1X-aware device:
    aaa port-access authenticator <port-list> control auto

    Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
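The NOTE above and the two remediation options describe one consistency rule: a port configured with port-security learn-mode port-access only enforces "802.1X-authenticated devices only" when 802.1X authentication is enabled on that port and its control mode is auto. The following script is an added example (not part of this manual or the switch firmware) that audits a text of CLI lines in the syntax shown on this page for ports that violate that rule and prints the corrective commands from the two bullets. The sample configuration is constructed for the example; the script assumes numeric port numbers, assumes that a port's control mode defaults to auto once authentication is enabled, and assumes that a control line alone does not enable authentication, which is why the first bullet issues both commands.

```python
import re

# Constructed sample CLI lines (not real switch output). Port 3 is enabled but
# force-authorized, port 5 has port-security without 802.1X enabled, and port 7
# has a control line but no enabling line.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1-4
aaa port-access authenticator 3 control authorized
aaa port-access authenticator 7 control auto
port-security 1-3 learn-mode port-access action send-disable
port-security 5 learn-mode port-access action send-alarm
port-security 7 learn-mode port-access
"""

# "ethernet"/"e" keyword is optional in both commands, as on the page.
AUTH_RE = re.compile(
    r"^aaa port-access authenticator (?:(?:ethernet|e) )?(?P<ports>[\d,\-]+)"
    r"(?: control (?P<mode>auto|authorized|unauthorized))?$"
)
PS_RE = re.compile(
    r"^port-security (?:(?:ethernet|e) )?(?P<ports>[\d,\-]+) learn-mode port-access"
    r"(?: action (?P<action>none|send-alarm|send-disable))?$"
)


def expand_ports(spec):
    """Expand a numeric port list such as '1-3,5' into [1, 2, 3, 5] (assumption: numeric ports)."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_config(text):
    """Return (ports with 802.1X enabled, explicit control modes, learn-mode port-access actions)."""
    enabled, mode, learn = set(), {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            ports = expand_ports(m.group("ports"))
            if m.group("mode") is None:
                enabled.update(ports)          # bare command enables 802.1X
            else:
                for p in ports:
                    mode[p] = m.group("mode")  # control line only sets the mode (assumption)
            continue
        m = PS_RE.match(line)
        if m:
            for p in expand_ports(m.group("ports")):
                learn[p] = m.group("action") or "none"
    return enabled, mode, learn


def audit(text):
    """List (port, problem, corrective commands) for learn-mode port-access ports not in control auto."""
    enabled, mode, learn = parse_config(text)
    findings = []
    for port in sorted(learn):
        if port not in enabled:
            # First bullet on the page: enable 802.1X, then force control auto.
            findings.append((port, "802.1X authentication disabled", [
                f"aaa port-access authenticator {port}",
                f"aaa port-access authenticator {port} control auto",
            ]))
        elif mode.get(port, "auto") != "auto":   # default mode assumed to be auto
            # Second bullet on the page: switch from authorized to auto.
            findings.append((port, f"control {mode[port]}", [
                f"aaa port-access authenticator {port} control auto",
            ]))
    return findings


if __name__ == "__main__":
    for port, problem, fixes in audit(SAMPLE_CONFIG):
        print(f"port {port}: learn-mode port-access but {problem}; apply:")
        for cmd in fixes:
            print(f"    {cmd}")
```

Ports 1 and 2 pass silently (enabled, default auto), while ports 3, 5 and 7 are reported with the commands the page gives for each case. Run it against a saved running-config to find authenticator ports where port-security is not actually restricting the port to 802.1X-authenticated devices.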