Dot1x port auth
mikearama
Member Posts: 749
in CCNA & CCENT
Consider me confused, techies...
After
Switch(config)#dot1x system-auth-control
to the individual int's...
Switch(config-if)#dot1x port-control ?
auto
force-authorized
force-unauthorized
I can't get a good explanation of the two "force" options. The Bryant BCMSN guide says that "force-authorized forces the port to authorized any host attempting to use the port, but authentication is not required."
Huh?
Meanwhile, "force-unauthorized has the port unable to authorize any client - even clients who could otherwise successfully authenticate."
Well, what's the point in that?
"AUTO" at least makes sense... start unauthorized, and progress through the authentication process until authorized, and start passing data.
Anyone put the first two in perspective for me?
Thanks,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
dtlokee Member Posts: 2,378
Force-authorized will place the port in an authorized state, always. This effectively disables dot1x on the interface and any host can communicate.
Force-unauthorized will place the port in an unauthorized state, again disabling dot1x on the port, but no host connected to the interface can communicate.
So if you enable dot1x globally and do all the necessary steps to get it to work, but then have some interfaces you don't want to authenticate clients, then use force-authorized.
Why would one use force-unauthorized? Not sure, it's basically like shutting the interface down.
The only easy day was yesterday!
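An added example, not part of the thread: a small Python audit that reads a switch config and reports which `dot1x port-control` state each interface is in, so ports that pass traffic without authentication stand out. The sample config and interface names are constructed, and treating a port with no `dot1x port-control` line as force-authorized is an assumption based on the IOS default.

```python
import re

# Constructed sample config (not from the thread); interface names are made up.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
!
interface FastEthernet0/1
 dot1x port-control auto
!
interface FastEthernet0/2
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 dot1x port-control force-unauthorized
!
interface FastEthernet0/4
 switchport mode access
!
"""

def audit_dot1x(config):
    """Return (global_enabled, {interface: port-control mode})."""
    # dot1x must be switched on globally before the per-port setting matters
    global_on = bool(re.search(r"^dot1x system-auth-control\s*$", config, re.M))
    modes, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            # Assumption: no explicit line means the default, force-authorized
            modes[current] = "force-authorized"
        elif current and (m := re.match(r"^\s+dot1x port-control (\S+)", line)):
            modes[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
    return global_on, modes

def unauthenticated_ports(config):
    """Interfaces where any host can communicate without authenticating."""
    _, modes = audit_dot1x(config)
    return [name for name, mode in modes.items() if mode == "force-authorized"]

if __name__ == "__main__":
    enabled, modes = audit_dot1x(SAMPLE_CONFIG)
    print("dot1x system-auth-control:", "on" if enabled else "off")
    for name, mode in modes.items():
        print(f"{name:20} {mode}")
    print("No authentication required on:", unauthenticated_ports(SAMPLE_CONFIG))
```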