Configure 802.1X controlled direction (optional)

After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:

  • In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames.

  • Only in the ingress direction by disabling only the reception of incoming frames.

Prerequisite:

As documented in the IEEE 802.1X standard, blocking incoming traffic while still transmitting outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if:

  • The port is configured as an edge port in the network using the spanning-tree edge-port command.

  • The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple Instance Spanning-Tree Operation” in the advanced traffic management guide.

Syntax:


aaa port-access <port-list> controlled-direction <both|in>

both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.

in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.
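
The prerequisites above can be checked against a saved switch configuration. The following is an added example, not part of the original guide. Only the aaa port-access ... controlled-direction syntax comes from this page; the spanning-tree line forms and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration (not from the guide). The spanning-tree
# line forms below are assumed; adjust them to match your switch's output.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree protocol-version rstp
spanning-tree 1-4 edge-port
aaa port-access 1-2 controlled-direction in
aaa port-access 5 controlled-direction in
aaa port-access 6 controlled-direction both
"""
NO_STP = "RSTP or MSTP not enabled on the switch"
NOT_EDGE = "port not configured as an edge port"

def expand_ports(port_list):
    """Expand a port list such as '1-4,7' or 'A1-A3' into a set of port names."""
    ports = set()
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)(?:-\1(\d+))?", item.strip())
        if not m:
            raise ValueError(f"unrecognised port list item: {item!r}")
        first, last = int(m.group(2)), int(m.group(3) or m.group(2))
        ports.update(f"{m.group(1)}{n}" for n in range(first, last + 1))
    return ports

def audit(config):
    """Return {port: [unmet prerequisites]} for ports set to controlled-direction in."""
    stp_enabled, stp_version = False, None
    edge_ports, in_ports = set(), set()
    for line in config.splitlines():
        w = line.split()
        if w == ["spanning-tree"]:
            stp_enabled = True
        elif len(w) == 3 and w[:2] == ["spanning-tree", "protocol-version"]:
            stp_version = w[2].lower()
        elif len(w) == 3 and w[0] == "spanning-tree" and w[2] == "edge-port":
            edge_ports |= expand_ports(w[1])
        elif len(w) == 5 and w[:2] == ["aaa", "port-access"] and w[3] == "controlled-direction":
            ports = expand_ports(w[2])
            # The last setting for a port wins; 'both' is the default and has no prerequisites.
            in_ports = (in_ports | ports) if w[4] == "in" else (in_ports - ports)
    stp_ok = stp_enabled and stp_version in ("rstp", "mstp")
    findings = {}
    for port in sorted(in_ports):
        unmet = ([] if stp_ok else [NO_STP]) + ([] if port in edge_ports else [NOT_EDGE])
        if unmet:
            findings[port] = unmet
    return findings
```

Calling audit(SAMPLE_CONFIG) reports port 5, which is set to controlled-direction in but is not in the edge-port list.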