Users Guide

336 Authentication, Authorization, and Accounting
are attached to a port configured in auto mode, they will all be allowed access
to network resources as soon as any 802.1X-aware device on the port
authenticates.
Port security can be used to limit access on ports configured in auto mode.
To limit access to a phone and laptop configuration using Voice VLAN, set
the port security limit to 3, because many IP phones also use the data VLAN
during power up. For more information on port security, see "Port and
System Security" on page 681.
In addition to force-authorized, force-unauthorized, and auto modes, the
802.1X mode of a port can be MAC based, as the following section describes.

What is MAC-Based 802.1X Authentication?

MAC-based authentication allows multiple supplicants connected to the
same port to authenticate individually. For example, a 5-port hub might be
connected to a single port on the switch. Each host connected to the hub
must authenticate separately in order to gain access to the network. Hosts
that do not authenticate (or are not configured with MAB or a guest or
unauthenticated VLAN) are denied access to the network, or are placed into a
restricted VLAN such as the guest or unauthenticated VLAN, if configured.
MAC-based authentication is only supported for ports configured in general
mode.
The hosts are distinguished by their MAC addresses. Internally, the switch
adds an ACL to the port to allow packets from the host MAC address to pass
into the switch. For this reason, enabling port security on an interface
configured for MAC-based authentication is neither necessary nor desirable.
When multiple hosts (for example, a PC, a printer, and a phone in the same
office) are connected to the switch on the same port, each of the connected
hosts authenticates separately with the RADIUS server.
NOTE: Only MAC-Based and Auto modes use 802.1X and RADIUS to
authenticate. Force-authorized and Force-unauthorized modes are manual
overrides.
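
The difference between auto mode and MAC-based mode described above, as an added Python model that is not part of the guide or the switch's own implementation. The `Port` class, its method names and the MAC addresses are constructed for illustration, and counting port security entries per (MAC, VLAN) pair is an assumption made to match the guide's limit of 3 for a phone and laptop.

```python
"""Toy model of the port admission logic described in this section.
Not switch firmware; class, method and MAC values are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    mode: str                                  # "auto" or "mac-based"
    security_limit: Optional[int] = None       # port security cap (auto mode)
    authed: set = field(default_factory=set)   # MACs accepted via RADIUS
    learned: set = field(default_factory=set)  # (MAC, VLAN) entries learned

    def radius_accept(self, mac: str) -> None:
        """Record a successful 802.1X exchange for one supplicant."""
        self.authed.add(mac)

    def admits(self, mac: str, vlan: str = "data") -> bool:
        """Decide whether a frame from this source MAC is forwarded."""
        if self.mode == "mac-based":
            # Per-host ACL: each MAC must have authenticated itself.
            return mac in self.authed
        if not self.authed:
            return False            # auto mode, nobody authenticated yet
        if self.security_limit is None:
            return True             # port is open to every attached host
        # Assumption: the limit counts (MAC, VLAN) entries, so a phone seen
        # on both the data and voice VLAN uses two of them.
        entry = (mac, vlan)
        if entry not in self.learned and len(self.learned) >= self.security_limit:
            return False
        self.learned.add(entry)
        return True


def compare_modes() -> dict:
    laptop, phone, extra = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    out = {}
    auto = Port("auto")
    auto.radius_accept(laptop)
    out["auto_unauthenticated_host"] = auto.admits(extra)   # rides on the laptop
    limited = Port("auto", security_limit=3)
    limited.radius_accept(laptop)
    out["limited_known"] = all([limited.admits(laptop), limited.admits(phone, "data"),
                                limited.admits(phone, "voice")])
    out["limited_fourth_entry"] = limited.admits(extra)     # over the limit of 3
    macb = Port("mac-based")
    macb.radius_accept(laptop)
    out["mac_based_unauthenticated_host"] = macb.admits(extra)
    out["mac_based_laptop"] = macb.admits(laptop)
    return out
```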