Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dot.1x Authorization Port

I am configuring all switches port dot1.x ports but i am using IAS server as AAA server and the authentication method machine certficate .

The problem is when one of Joined machine connected to switch port and after authorization if i unplug the network cable the port still authorized !! i mean if i put pc not join its connected .

below the interface config :

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

dot1x timeout quiet-period 30

dot1x timeout tx-period 10

dot1x timeout supp-timeout 60

dot1x max-req 5

dot1x reauthentication

dot1x guest-vlan 30


Re: Dot.1x Authorization Port

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

New Member

Re: Dot.1x Authorization Port

Exactly what kind of security restriction are you trying to accomplish? I'm not sure what version of IOS you are using, but there are better options with later version. such as "multi-auth", which requires every PC that connects to that port to authenticate.

Using "multi-host" mode for dot1x authentication on all ports puts a big hole in any security you try to enforce.

New Member

Re: Dot.1x Authorization Port

I'm testing the Dot1x multi-auth feature of the lastest IOS for the 3750. It works perfectly for two machines that are authorized. Is it possible for the switch allow traffic from an authorized host and deny traffic from a machine that does pass authentication? So far it seems to drop all traffic on the port, as soon as the unathorized machine is connected.

New Member

Re: Dot.1x Authorization Port

If you are using the latests code (12.2.50) using the "authentication host-mode multi-auth" and the "authentication violation protect" commands should do the trick according to Cisco's 3750 documentation. Which also states a limit of 8 (authenticated) hosts.

Hope this helps.