Dot1x not working in conjunction with PortSecurity on Cisco 4500

It's observed that phones are not coming up on the network when 802.1x is enabled on the port. After troubleshooting it's noted that port-security prevents the phones from operating in either the Data or the Voice VLAN. The problem is resolved by disabling port-security on the port. Please confirm whether this is a known limitation.

Here are the details of the switch model and IOS version.

Model: Cisco 4506-E (Sup 6-E 10GE (X2), 1000BaseX (SFP) )

Line Card:  WS-X4648-RJ45V-E

IOS: cat4500e-entservicesk9-mz.122-54.SG1

Accepted Solution

Using 802.1X with Port Security

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

For information on selecting multi-host mode, see the "Resetting the 802.1X Configuration to the Default Values" section.

These examples describe the interaction between 802.1X and port security on a switch:

When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:

If 802.1X detects the violation, the action is to err-disable the port.

If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

The following describes when port security and 802.1X security violations occur:

In single host mode, after the port is authorized, any MAC address received other than the client's causes an 802.1X security violation.

In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to configured secure MAC addresses), a port security violation is triggered.

In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because the port security has reached its limit triggers a port security violation.

When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.

If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.

Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.

Whenever port security ages out an 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds is the client's MAC address retained in the port security table.

All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using the CLI.

Refer:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1151392
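An added model of the rules quoted above (example code, not from the thread or from Cisco), so a practitioner can trace which feature raises a violation and what action follows when a phone and a PC share an 802.1X port. It assumes host mode, the port-security maximum and the violation action are already set as the corresponding interface commands would set them; static entries are passed in as pre-populated secure entries.

```python
# Constructed model of the documented 802.1X / port-security interaction (assumption: one port).
from dataclasses import dataclass, field


@dataclass
class Port:
    host_mode: str = "single"            # "single" or "multi" host mode
    max_secure: int = 1                  # switchport port-security maximum
    ps_action: str = "shutdown"          # configured port-security violation action
    authorized: bool = False
    client_mac: str = ""
    secure: dict = field(default_factory=dict)   # mac -> "static" | "dynamic" | "dot1x"

    def _violation(self, detector):
        # 802.1X err-disables the port; port security applies its configured action
        return f"{detector}:{'err-disable' if detector == 'dot1x' else self.ps_action}"

    def authenticate(self, mac):
        """Client passes 802.1X; its MAC must fit in the secure host table."""
        if mac not in self.secure and len(self.secure) >= self.max_secure:
            return self._violation("port-security")   # table already at its limit
        self.secure.setdefault(mac, "dot1x")          # a static entry is guaranteed as-is
        self.authorized, self.client_mac = True, mac
        return "authorized"

    def learn(self, mac):
        """A further source MAC arrives on an authorized port."""
        if not self.authorized or mac in self.secure:
            return "ignored"
        if self.host_mode == "single":
            return self._violation("dot1x")           # anything but the client's MAC
        if len(self.secure) >= self.max_secure:
            return self._violation("port-security")   # multi-host: over the limit
        self.secure[mac] = "dynamic"
        return "learned"

    def age_out(self, mac, reauth_ok):
        """Port security ages an entry; the client's MAC survives only if reauth succeeds."""
        if mac == self.client_mac and reauth_ok:
            return "retained"
        self.secure.pop(mac, None)
        if mac == self.client_mac:
            self.logoff()
        return "removed"

    def logoff(self):
        """EAPOL-Logoff or admin shutdown: unauthenticated, dynamic entries cleared."""
        self.authorized, self.client_mac = False, ""
        self.secure = {m: k for m, k in self.secure.items() if k == "static"}
```

With a maximum of 1 in single-host mode the second device on the port (phone plus PC) is a violation, which is the symptom the question describes; multi-host mode with a maximum of at least 2 lets both be installed.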
