Optional: Configure 802.1X Controlled Direction

After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:

  • In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames

  • Only in the ingress direction by disabling only the reception of incoming frames.

Prerequisite

As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if:

  • The port is configured as an edge port in the network using the spanning-tree edge-port command.

  • The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.


aaa port-access <port-list> controlled-direction <both | in>

  • both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.

  • in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.
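
One way to check the prerequisites above against a saved configuration, as an added example that is not part of the original guide. It assumes configuration lines follow the command forms named on this page (`aaa port-access <port-list> controlled-direction in`, `spanning-tree <port-list> edge-port`) and that a bare `spanning-tree` line means spanning tree is enabled; the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample; line forms are assumed from the command syntax on this page.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree A1-A3 edge-port
aaa port-access authenticator A1-A4
aaa port-access A1-A2,A4 controlled-direction in
"""

def expand_ports(port_list):
    """Expand a port list such as 'A1-A3,B7' or '1-4' into individual port names."""
    ports = set()
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)(?:-([A-Za-z]*)(\d+))?", item.strip())
        if not m:
            raise ValueError(f"unrecognized port item: {item!r}")
        prefix, first, end_prefix, last = m.groups()
        prefix = prefix.upper()
        if last is None:
            last = first                      # single port, not a range
        elif end_prefix.upper() != prefix:
            raise ValueError(f"range crosses port prefixes: {item!r}")
        ports.update(f"{prefix}{n}" for n in range(int(first), int(last) + 1))
    return ports

def audit(config_text):
    """List unmet prerequisites for ports set to 'controlled-direction in'."""
    stp_enabled = False
    edge_ports, in_ports = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "spanning-tree":
            stp_enabled = True
        elif m := re.fullmatch(r"spanning-tree (\S+) edge-port", line):
            edge_ports |= expand_ports(m.group(1))
        elif m := re.fullmatch(r"aaa port-access (\S+) controlled-direction in", line):
            in_ports |= expand_ports(m.group(1))
    findings = []
    if in_ports and not stp_enabled:
        findings.append("spanning tree (MSTP/RSTP) is not enabled")
    # Every port using 'in' must also be configured as an edge port.
    for port in sorted(in_ports - edge_ports):
        findings.append(f"port {port} is not an edge port")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```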