Note: Effective with Cisco IOS Release 12.2(33)SXI, the dot1x control-direction command is replaced by the authentication control-direction command. See the authentication control-direction command for more information.
To change an IEEE 802.1X controlled port to unidirectional or bidirectional, use the dot1x control-direction command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x control-direction {both | in}
no dot1x control-direction
Syntax Description
both    Enables bidirectional control on the port.
in      Enables unidirectional control on the port.
Command Default
The port is set to bidirectional mode.
Command Modes
Interface configuration (config-if)
Command History
Release        Modification
12.2(25)SEC    This command was introduced.
12.4(6)T       This command was integrated into Cisco IOS Release 12.4(6)T.
12.4(4)XC      This command was integrated into Cisco IOS Release 12.4(4)XC for Cisco 870 Integrated Services Routers (ISRs) only.
12.2(33)SXH    This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SXI    This command was replaced by the authentication control-direction command.
Usage Guidelines
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized
devices from connecting to a LAN through publicly accessible ports. 802.1x controls network access by creating two distinct
virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic
through the single port is available to both access points. 802.1x authenticates each user device that is connected to a switch
port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until
the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic
through the port to which the device is connected. After authentication is successful, normal traffic can pass through the
port.
Unidirectional State
When you configure a port as unidirectional with the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state.
When Unidirectional Controlled Port is enabled, the connected host is in sleeping mode or a power-down state and does not
exchange traffic with other devices in the network. The host connected to the unidirectional port cannot send traffic
to the network; it can only receive traffic from other devices in the network.
Bidirectional State
When you configure a port as bidirectional with the dot1x control-direction both interface configuration command, the port is access-controlled in both directions. In this state, the switch port receives
or sends only EAPOL packets; all other packets are dropped.
Using the both keyword or using the no form of this command changes the port to its bidirectional default setting.
Catalyst 6500 Series Switch
Setting the port as bidirectional enables 802.1X authentication with wake-on-LAN (WoL).
Cisco IOS Release 12.4(4)XC
For Cisco IOS Release 12.4(4)XC, on Cisco 870 ISRs only, this command can be configured on
Layer 2 (for switch ports) and Layer 3 (for switched virtual interfaces). However, the command can function at only one layer
at a time; that is, if it is configured on Layer 2, it cannot also be configured on Layer 3 and vice versa.
Examples
The following example shows how to enable unidirectional control:
Switch(config-if)# dot1x control-direction in
The following examples show how to enable bidirectional control:
Switch(config-if)# dot1x control-direction both
or
Switch(config-if)# no dot1x control-direction
You can verify your settings by entering the show dot1x all privileged EXEC command. The show dot1x all command output is
the same for all devices except for the port names and the state of the port. If a host is attached to the port but is not
yet authenticated, a display similar to the following appears:
Supplicant MAC 0002.b39a.9275
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED
If you enter the dot1x control-direction in command to enable unidirectional control, the following appears in the show dot1x
all command output:
ControlDirection = In
If you enter the dot1x control-direction in command and the port cannot support this mode because of a configuration conflict,
the following appears in the show dot1x all command output:
ControlDirection = In (Disabled due to port settings):
The following example shows how to reset the global 802.1X parameters:
Switch(config)# dot1x default
Examples
The following example shows how to enable 802.1X authentication with WoL and set the port as bidirectional:
Switch(config)# interface gigabitethernet 5/1
Switch(config-if)# dot1x control-direction both
Examples
The following example shows Layer 3 802.1X support on a switched virtual interface (using a Cisco 870 ISR):
interface FastEthernet0
description switchport connect to a client
!
interface FastEthernet1
description switchport connect to a client
!
interface FastEthernet2
description switchport connect to a client
!
interface FastEthernet3
description switchport connect to a client
!
interface FastEthernet4
description Connect to the public network
!
interface Vlan1
description Apply 802.1x functionality on SVI
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x control-direction in
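As an added audit example (not part of the Cisco documentation), the following Python parses an IOS running-config in the shape of the listing above and reports which 802.1X authenticator interfaces are unidirectional, i.e. still forward network-to-host traffic before the host has authenticated. It applies the rules from the Usage Guidelines: control-direction defaults to both, and the no form restores that default. The sample config is constructed; FastEthernet1 is added to show the no form.

```python
# Constructed sample running-config, modelled on the Layer 3 SVI example above
# (not the page's own listing); FastEthernet1 adds the no form for illustration.
SAMPLE_CONFIG = """\
interface FastEthernet0
 description switchport connect to a client
!
interface FastEthernet1
 dot1x pae authenticator
 dot1x port-control auto
 no dot1x control-direction
!
interface Vlan1
 description Apply 802.1x functionality on SVI
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x control-direction in
!
"""

def parse_dot1x_interfaces(config):
    """Map each interface stanza to its 802.1X settings. control-direction
    defaults to "both"; the no form of the command restores that default."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                      # end of the current stanza
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = {"authenticator": False, "port_control": None,
                               "control_direction": "both"}
        elif current is None:                # global config, not an interface
            continue
        elif line == "dot1x pae authenticator":
            result[current]["authenticator"] = True
        elif line.startswith("dot1x port-control "):
            result[current]["port_control"] = line.split()[-1]
        elif line == "no dot1x control-direction":
            result[current]["control_direction"] = "both"
        elif line in ("dot1x control-direction both", "dot1x control-direction in"):
            result[current]["control_direction"] = line.split()[-1]
    return result

def unidirectional_authenticators(config):
    """Interfaces that authenticate with 802.1X but, being unidirectional, still
    forward network-to-host traffic before the host has authenticated."""
    return sorted(name for name, s in parse_dot1x_interfaces(config).items()
                  if s["authenticator"] and s["control_direction"] == "in")
```

Calling unidirectional_authenticators(SAMPLE_CONFIG) lists only Vlan1; FastEthernet1 is back at the bidirectional default and FastEthernet0 has no 802.1X configuration at all.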