The IEEE 802.1x standard defines a port-based access control and
authentication protocol that restricts unauthorized workstations from
connecting to a LAN through publicly accessible ports. The authentication
server authenticates each workstation connected to a switch port before making
available any services offered by the switch or the LAN.

Until the workstation is authenticated, 802.1x access control allows only
Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to
which the workstation is connected. After authentication is successful, normal
traffic can pass through the port.

With 802.1x port-based authentication, the devices in the network have specific
roles as follows:
- Client – The device (workstation) that requests access to the LAN and switch
services and responds to requests from the switch. The workstation must be
running 802.1x-compliant client software, such as that offered in the
Microsoft Windows XP operating system. (The client is called the supplicant in
the IEEE 802.1x specification.)
- Authentication server – Performs the actual authentication of the client.
The authentication server validates the identity of the client and notifies
the switch whether or not the client is authorized to access the LAN and
switch services. Because the switch acts as the proxy, the authentication
service is transparent to the client. The RADIUS security system with
Extensible Authentication Protocol (EAP) extensions is the only supported
authentication server.
- Switch (also called the authenticator) – Controls the physical access to the
network based on the authentication status of the client. The switch acts as
an intermediary (proxy) between the client (supplicant) and the authentication
server: it requests identity information from the client, verifies that
information with the authentication server, and relays the response to the
client. The switch uses a RADIUS software agent, which is responsible for
encapsulating and decapsulating the EAP frames and interacting with the
authentication server.
The switch port state determines whether or not the client is granted
access to the network. The port starts in the unauthorized state. While in this
state, the port disallows all ingress and egress traffic except for 802.1x
protocol packets. When a client is successfully authenticated, the port
transitions to the authorized state, allowing all traffic for the client to
flow normally.
If the switch requests the client identity (authenticator
initiation) and the client does not support 802.1x, the port remains in the
unauthorized state and the client is not granted access to the network.
In contrast, when an 802.1x-enabled client connects to a port and the client
initiates the authentication process (supplicant initiation) by sending the
EAPOL-start frame to a switch not running the 802.1x protocol, no response is
received, and the client begins sending frames as if the port is in the
authorized state.
You control the port authorization state by using the dot1x port-control
interface configuration command and these keywords:
- force-authorized – Disables 802.1x port-based authentication and causes the
port to transition to the authorized state without any authentication exchange
required. The port transmits and receives normal traffic without 802.1x-based
authentication of the client. This is the default setting.
- force-unauthorized – Causes the port to remain in the unauthorized state,
ignoring all attempts by the client to authenticate. The switch cannot provide
authentication services to the client through the interface.
- auto – Enables 802.1x port-based authentication and causes the port to begin
in the unauthorized state, allowing only EAPOL frames to be sent and received
through the port. The authentication process begins when the link state of the
port transitions from down to up (authenticator initiation) or when an
EAPOL-start frame is received (supplicant initiation). The switch requests the
identity of the client and begins relaying authentication messages between the
client and the authentication server. The switch uniquely identifies each
client attempting to access the network by using the client MAC address.
If the client is successfully authenticated (receives an Accept frame
from the authentication server), the port state changes to authorized, and all
frames from the authenticated client are allowed through the port. If the
authentication fails, the port remains in the unauthorized state, but
authentication can be retried. If the authentication server cannot be reached,
the switch can retransmit the request. If no response is received from the
server after the specified number of attempts, authentication fails, and
network access is not granted.
When a client logs off, it sends an
EAPOL-logoff message, causing the switch port to transition to the unauthorized
state.
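The following Python model is an added example, not Cisco code or anything from the original page: it puts the port behaviour described above into code so the cases can be exercised one by one. It builds real EAPOL (ethertype 0x888E) and EAP packets, implements the three dot1x port-control modes, lets only EAPOL through an unauthorized port, relays a Response/Identity to a stand-in RADIUS server (FakeRadius, a constructed stub, not a RADIUS client), retransmits while the server is silent and fails after max_req attempts, authorizes the port for the client MAC on an Accept, and returns the port to the unauthorized state on EAPOL-logoff. SWITCH_MAC, the sample client MACs and the supplicant_session helper are assumptions made for the example.

```python
import struct

# Frame layouts follow IEEE 802.1x (EAPOL) and RFC 3748 (EAP); the switch and
# server behaviour is a simplified model of the text above, not Cisco code.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # EAPOL group destination address
SWITCH_MAC = bytes.fromhex("000c29000001")          # assumed authenticator MAC
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(src, eapol_type, body=b""):
    """Ethernet frame (dst, src, ethertype) + EAPOL header (version 1, type, length) + body."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type + data (absent for Success/Failure)."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def data_frame(src, payload=b"GET / HTTP/1.0"):
    """An ordinary (non-EAPOL) frame: IPv4 ethertype with a constructed payload."""
    return b"\xff" * 6 + src + struct.pack("!H", 0x0800) + payload


class FakeRadius:
    """Stand-in for the RADIUS/EAP authentication server (constructed stub)."""

    def __init__(self, accepted, reachable=True):
        self.accepted, self.reachable, self.requests = set(accepted), reachable, 0

    def access_request(self, identity):
        """None = no answer (unreachable), True = Access-Accept, False = Access-Reject."""
        self.requests += 1
        return None if not self.reachable else identity in self.accepted


class AuthenticatorPort:
    """One switch port under dot1x port-control force-authorized | force-unauthorized | auto."""

    def __init__(self, radius, port_control="auto", max_req=2):
        self.radius, self.max_req, self.eap_id = radius, max_req, 0
        self.set_port_control(port_control)

    def set_port_control(self, mode):
        self.mode, self.authorized_mac = mode, None     # auto and force-unauthorized start unauthorized

    @property
    def authorized(self):
        return self.mode == "force-authorized" or self.authorized_mac is not None

    def allows(self, frame):
        """Port filter: unauthorized ports pass EAPOL only; an authorized port passes its client's traffic."""
        if self.mode != "auto":
            return self.mode == "force-authorized"
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        return ethertype == ETHERTYPE_EAPOL or src == self.authorized_mac

    def link_up(self):
        """Authenticator initiation: ask for the identity when the link comes up (auto mode only)."""
        return [self._identity_request()] if self.mode == "auto" else []

    def _identity_request(self):
        self.eap_id += 1
        return eapol(SWITCH_MAC, EAPOL_EAP, eap(EAP_REQUEST, self.eap_id, EAP_TYPE_IDENTITY))

    def receive(self, frame):
        """Handle one frame from the client; return the frames the switch sends back to it."""
        if self.mode != "auto" or not self.allows(frame):
            return []                       # forced ports run no 802.1x; dropped frames get no reply
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            return []                       # authorized client's data is forwarded; nothing to do here
        eapol_type, length = struct.unpack("!BH", frame[15:18])
        body = frame[18:18 + length]
        if eapol_type == EAPOL_START:       # supplicant initiation
            self.authorized_mac = None
            return [self._identity_request()]
        if eapol_type == EAPOL_LOGOFF:      # EAPOL-logoff: port goes back to unauthorized
            self.authorized_mac = None
            return []
        if eapol_type != EAPOL_EAP or len(body) < 5:
            return []
        code, ident, _, eap_type = struct.unpack("!BBHB", body[:5])
        if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or ident != self.eap_id:
            return []                       # not the Response/Identity we asked for
        identity = body[5:].decode("utf-8", "replace")
        verdict = None
        for _ in range(self.max_req):       # relay to RADIUS; retransmit while the server is silent
            verdict = self.radius.access_request(identity)
            if verdict is not None:
                break
        if verdict:                         # Accept: port becomes authorized for this client MAC
            self.authorized_mac = src
            return [eapol(SWITCH_MAC, EAPOL_EAP, eap(EAP_SUCCESS, ident))]
        self.authorized_mac = None          # Reject, or no answer after max_req tries: stay unauthorized
        return [eapol(SWITCH_MAC, EAPOL_EAP, eap(EAP_FAILURE, ident))]


def supplicant_session(port, client_mac, identity):
    """Play the client: EAPOL-Start, answer the Identity request, report the EAP result.
    True on EAP-Success, False on EAP-Failure, None when the switch never answers
    (no 802.1x on the port; a real client would then send as if authorized)."""
    replies = port.receive(eapol(client_mac, EAPOL_START))
    if not replies:
        return None
    ident = replies[0][19]                  # EAP identifier follows the EAP code at offset 18
    response = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    result = port.receive(eapol(client_mac, EAPOL_EAP, response))
    return bool(result) and result[0][18] == EAP_SUCCESS
```

The model keeps a single authorized MAC per port, the simplest reading of "the switch uniquely identifies each client by its MAC address": once a client is authorized, data frames from any other MAC on that port are still dropped. A client that does not speak 802.1x never answers the identity request sent by link_up, so the port simply stays unauthorized, which is the authenticator-initiation case described above.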
Configuring 802.1x Port Based Authentication
To implement 802.1x port authentication, follow these steps.

Example
The example shows how to enable AAA and 802.1x on Fast Ethernet port 5/1. It
assumes a RADIUS server has already been defined on the switch (with the
radius-server host command); without a reachable RADIUS server, a port in auto
mode never receives an Accept and stays in the unauthorized state.

    Switch# configure terminal
    Switch(config)# aaa new-model
    Switch(config)# aaa authentication dot1x default group radius
    Switch(config)# dot1x system-auth-control
    Switch(config)# interface fastethernet 5/1
    Switch(config-if)# dot1x port-control auto
    Switch(config-if)# end

aaa new-model enables AAA on the switch; aaa authentication dot1x default
group radius sends 802.1x authentication requests to the RADIUS server group;
dot1x system-auth-control enables 802.1x globally; and dot1x port-control auto
puts the interface in the unauthorized state until a client authenticates.