Option for authenticator ports: configure port-security to allow only 802.1X-authenticated devices
If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1X-aware device can be authenticated on the port.
Syntax:
port-security [ethernet] <port-list>
learn-mode port-access
Configures port-security on the specified ports to allow only the first 802.1X-aware device the port detects.
action <none|send-alarm|send-disable>
Configures the port response to intruder detection and blocks unauthorized traffic.
Port-security operates with 802.1X authentication only if the selected ports are configured for 802.1X; that is, with the control mode in the port-access authenticator command set to auto. For example, to configure port 5 for 802.1X authenticator operation and display the result:
switch(config)# aaa port-access authenticator 5 control auto
switch(config)# show port-access authenticator 5 config
Note on blocking a non-802.1X device:
If the port 802.1X authenticator control mode is configured to authorized instead of auto, then the first device, whether 802.1X-aware or not, becomes the only authorized device on the port.
aaa port-access authenticator <port-list> control authorized
With 802.1X authentication disabled on a port or set to authorized (Force Authorize), the port may learn a MAC address that you do not want authorized. If this occurs, you can block access by the unauthorized, non-802.1X device by using one of the following options:
- If 802.1X authentication is disabled on the port, use these commands to enable it and allow only an 802.1X-aware device:
aaa port-access authenticator <port-list>
Enables 802.1X authentication on the port.
aaa port-access authenticator e <port-list> control auto
Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
- If 802.1X authentication is enabled on the port but set to authorized (Force Authorized), use this command to allow only an 802.1X-aware device:
aaa port-access authenticator <port-list> control auto
Forces the port to accept only a device that supports 802.1X and supplies valid credentials.
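The caveat above (port-security learn-mode port-access only restricts the port to an 802.1X-authenticated device when the authenticator is enabled and its control mode is auto) is easy to lose track of across many ports. The following audit script is an added example, not part of the switch documentation: it scans a saved configuration for ports that have learn-mode port-access set, checks whether those ports have the authenticator enabled with control auto, and emits the corrective commands from the procedure above. The sample configuration is constructed for the example, the regular expressions are my own reading of the command syntax on this page, and port lists are assumed to be plain numeric forms such as 5, 1-3 or 1-3,7 (modular port names are not handled).

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration (not captured from a real switch).
# Port 5 is configured as the page recommends; port 6 has learn-mode
# port-access but the authenticator is left at control authorized
# (Force Authorized), so the first device of any kind is accepted;
# port 7 has learn-mode port-access with the authenticator disabled.
SAMPLE_CONFIG = """
aaa port-access authenticator 5
aaa port-access authenticator 5 control auto
aaa port-access authenticator 6
aaa port-access authenticator 6 control authorized
port-security 5 learn-mode port-access action send-disable
port-security ethernet 6 learn-mode port-access action send-alarm
port-security 7 learn-mode port-access action send-disable
"""

# Assumed port-list grammar: numeric ports, ranges and comma lists only.
PORT_LIST_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
PORTSEC_RE = re.compile(
    r"^port-security\s+(?:ethernet\s+)?(\S+)\s+learn-mode\s+port-access\b")
AUTH_RE = re.compile(
    r"^aaa\s+port-access\s+authenticator\s+(?:e\s+)?(\S+)"
    r"(?:\s+control\s+(\S+))?\s*$")


def expand_port_list(spec: str) -> Set[str]:
    """Expand "1-3,7" into {"1", "2", "3", "7"} (numeric ports only)."""
    ports: Set[str] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(str(p) for p in range(int(lo), int(hi) + 1))
        elif part:
            ports.add(part)
    return ports


def audit(config: str) -> Dict[str, str]:
    """Return a finding per port that uses learn-mode port-access.

    "ok"                   authenticator enabled with control auto
    "disabled"             no aaa port-access authenticator line for the port
    "control <mode>"       authenticator enabled but control is not auto
    "control not explicit" enabled, no control line seen: verify on the switch
    """
    learn_ports: Set[str] = set()
    auth_enabled: Set[str] = set()
    control: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PORTSEC_RE.match(line)
        if m and PORT_LIST_RE.match(m.group(1)):
            learn_ports |= expand_port_list(m.group(1))
            continue
        m = AUTH_RE.match(line)
        # Lines whose port argument is not a numeric port-list are ignored.
        if m and PORT_LIST_RE.match(m.group(1)):
            ports = expand_port_list(m.group(1))
            auth_enabled |= ports
            if m.group(2):
                for p in ports:
                    control[p] = m.group(2)
    findings: Dict[str, str] = {}
    for p in sorted(learn_ports, key=int):
        if p not in auth_enabled:
            findings[p] = "disabled"
        elif p not in control:
            findings[p] = "control not explicit"
        elif control[p] == "auto":
            findings[p] = "ok"
        else:
            findings[p] = f"control {control[p]}"
    return findings


def fix_commands(findings: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each finding to the commands from the procedure on this page."""
    cmds: Dict[str, List[str]] = {}
    for port, status in findings.items():
        if status == "disabled":
            cmds[port] = [f"aaa port-access authenticator {port}",
                          f"aaa port-access authenticator {port} control auto"]
        elif status == "control not explicit":
            cmds[port] = [f"show port-access authenticator {port} config"]
        elif status.startswith("control "):
            cmds[port] = [f"aaa port-access authenticator {port} control auto"]
        else:
            cmds[port] = []
    return cmds


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for port, status in result.items():
        print(f"port {port}: {status}")
        for cmd in fix_commands(result)[port]:
            print(f"    {cmd}")
```

Run it against the output of a saved configuration to get a list of ports where port-security is present but would not actually restrict the port to 802.1X-authenticated devices; ports reported as "control not explicit" should be checked with the show port-access authenticator command rather than assumed to be at a default.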