Controlled direction

After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

Syntax

aaa port-access <port-list> controlled-direction {both | in}
      
<port-list>

Specifies the list of ports on which this command will be applied.

both

(default): Specifies that incoming and outgoing traffic is to be blocked on a port configured for web-based authentication before authentication occurs.

in

Specifies that incoming traffic is to be blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.

Usage

  • To display the currently configured controlled direction value for web-based authenticated ports, enter the show port-access web-based config command.

  • The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs. The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

  • Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:
    • 802.1X authentication

    • MAC authentication

    • Web-based authentication

    Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-direction command is applied to all authentication methods configured on the switch.
  • When a web-based authenticated port is configured with the controlled-direction in setting, eavesdrop prevention is not supported on the port.
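
The following is an added example, not part of the vendor documentation: a Python check that reads a list of configuration commands in the syntax shown above, applies the last setting given for each port, and reports the ports left with controlled-direction in, where unknown-destination traffic is flooded before authentication and eavesdrop prevention is not supported. The sample command text and the port-list format (comma-separated ports and ranges such as 1-4,7) are constructed assumptions.

```python
import re

# Command syntax as given on this page:
#   aaa port-access <port-list> controlled-direction {both | in}
CMD = re.compile(r"^\s*aaa port-access (\S+) controlled-direction (both|in)\s*$")

# Assumed port-list item: a port ("7", "A1") or a range ("1-4", "A1-A4").
ITEM = re.compile(r"([A-Za-z]*)(\d+)(?:-\1(\d+))?")


def expand_ports(port_list):
    """Expand a port list such as '1-4,7' into individual port names."""
    ports = []
    for item in port_list.split(","):
        m = ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"unrecognized port-list item: {item!r}")
        prefix, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        ports.extend(f"{prefix}{n}" for n in range(first, last + 1))
    return ports


def effective_direction(config_text):
    """Map each port named in a command to its final setting (last one wins).

    Ports that never appear keep the default, 'both', and are not listed.
    """
    direction = {}
    for line in config_text.splitlines():
        m = CMD.match(line)
        if m:
            for port in expand_ports(m.group(1)):
                direction[port] = m.group(2)
    return direction


def ports_open_outbound(config_text):
    """Ports whose final setting is 'in': egress is not blocked pre-auth."""
    return [p for p, d in effective_direction(config_text).items() if d == "in"]


# Constructed sample input (not taken from a real switch).
SAMPLE = """\
aaa port-access 1-4 controlled-direction in
aaa port-access 3-4 controlled-direction both
aaa port-access 7,9 controlled-direction in
"""

if __name__ == "__main__":
    for port in ports_open_outbound(SAMPLE):
        print(f"port {port}: controlled-direction in (no eavesdrop prevention)")
```

Compare the result with the output of show port-access web-based config on the switch, which remains the authoritative view of the configured value.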