Dot1x port auth

mikearama Member Posts: 749
Consider me confused, techies...

After
Switch(config)#dot1x system-auth-control

to the individual int's...
Switch(config-if)#dot1x port-control ?
auto
force-authorized
force-unauthorized

I can't get a good explanation of the two "force" options. The Bryant BCMSN guide says that "force-authorized forces the port to authorized any host attempting to use the port, but authentication is not required."

Huh?

Meanwhile, "force-unauthorized has the port unable to authorize any client - even clients who could otherwise successfully authenticate."

Well, what's the point in that?

"AUTO" at least makes sense... start unauthorized, and progress through the authentication process until authorized, and start passing data.

Anyone put the first two in perspective for me?
Thanks,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.

Comments

  • dtlokee Member Posts: 2,378
    Force-authorized will place the port in an authorized state, always. This effectively disables dot1x on the interface and any host can communicate.

    Force-unauthorized will place the port in an unauthorized state, again disabling dot1x on the port, but no host connected to the interface can communicate.

    So if you enable dot1x globally and do all the necessary steps to get it to work, but then have some interfaces you don't want to authenticate clients, then use force-authorized.

    Why would one use force-unauthorized? Not sure, it's basically like shutting the interface down.
    The only easy day was yesterday!
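
Added example (not part of the thread and not Cisco tooling): a small audit that reads an IOS-style config and reports which access ports pass traffic without 802.1X, using the three port-control modes discussed above. The sample config and interface names are constructed, and treating a port with no port-control line as unauthenticated assumes the IOS default mode of force-authorized.

```python
import re

# Constructed sample config for illustration; interface names are made up.
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface FastEthernet0/1
 dot1x port-control auto
interface FastEthernet0/2
 dot1x port-control force-authorized
interface FastEthernet0/3
 dot1x port-control force-unauthorized
interface FastEthernet0/4
 switchport mode access
"""

# Effect of each mode on a connected host, as described in the thread.
MODE_EFFECT = {
    "auto": "host must authenticate before traffic passes",
    "force-authorized": "no authentication; any host can communicate",
    "force-unauthorized": "no host can communicate, even with valid credentials",
    None: "no port-control line (assumed default: force-authorized)",
}

def audit_dot1x(config):
    """Return (globally_enabled, {interface: mode or None})."""
    enabled, ports, current = False, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = None
        elif not line.startswith(" "):
            current = None  # back at global config level
            if line.strip() == "dot1x system-auth-control":
                enabled = True
        elif current:
            m = re.fullmatch(r"\s+dot1x port-control (\S+)", line)
            if m:
                ports[current] = m.group(1)
    return enabled, ports

def unauthenticated_ports(config):
    """Ports that carry traffic with no 802.1X check."""
    enabled, ports = audit_dot1x(config)
    return [name for name, mode in ports.items()
            if not enabled or mode in (None, "force-authorized")]

if __name__ == "__main__":
    for name, mode in audit_dot1x(SAMPLE_CONFIG)[1].items():
        print(f"{name}: {MODE_EFFECT.get(mode, 'unknown mode')}")
    print("No 802.1X enforcement:", unauthenticated_ports(SAMPLE_CONFIG))
```
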