Authenticator PAE Status for Interfaces
When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access
entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.
When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the
authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then
reapply it, as needed.
Ports in Authorized and Unauthorized States
The authenticator port state determines if the supplicant is granted access to the network. The port starts in
the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1X protocol
packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing
all traffic for the supplicant to flow normally.
If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the authenticator requests
the client’s identity. In this situation, the client does not respond to the request, the port remains in the
unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the
client initiates the authentication process by sending the EAPOL-start frame. When no response is received,
the client sends the request for a fixed number of times. Because no response is received, the client begins
sending frames as if the port is in the authorized state.
Ports can have the following authorization states:
Force authorized
Disables 802.1X port-based authentication and transitions to the authorized state without requiring any
authentication exchange. The port transmits and receives normal traffic without 802.1X-based
authentication of the client. This authorization state is the default.
Force unauthorized
Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
The authenticator cannot provide authentication services to the client through the interface.
Auto
Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing
only EAPOL frames to be sent and received through the port. The authentication process begins when
the link state of the port transitions from down to up or when an EAPOL-start frame is received from
the supplicant. The authenticator requests the identity of the client and begins relaying authentication
messages between the client and the authentication server. Each supplicant that attempts to access the
network is uniquely identified by the authenticator by using the supplicant’s MAC address.
If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the
port state changes to authorized, and all frames from the authenticated supplicant are allowed through the
port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
If the authentication server cannot be reached, the authenticator can retransmit the request. If no response is
received from the server after the specified number of attempts, authentication fails, and the supplicant is not
granted network access.
When a supplicant logs off, it sends an EAPOL-logoff message, which causes the authenticator port to transition
to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns
to the unauthorized state.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
180
Configuring 802.1X
Authenticator PAE Status for Interfaces