802.1x Configuration

Hi all,
I want to deploy 802.1x on my network.
1- Switches 3560 series with IOS 12.2(35)SE1
2- ACS 4.1
3- Windows Vista for clients
My questions are:
1- Does Windows Vista support 802.1x?
2- How will the client be authenticated? Does any software need to be installed on the client machine, or will the ACS
pop up a window for the authentication? Also, where in the ACS do I put the VLAN that is to be assigned to the port after authentication?
3- If I have VMPS and the ports are configured as dynamic (not access), how can I solve this problem?
4- If the ACS RADIUS server is down, how will authentication proceed? Can it fall back to the switch's local database?
5- What is the use of the command dot1x pae authenticator?
I appreciate any help. Please, I need this to be clear ASAP.
Thanks and Best Regards
amady

Vista supports MD5-Challenge, Protected EAP (PEAP), Smartcard or certificate, and Secured password (EAP-MSCHAPv2). Click Add/Edit from the user setup page; when you scroll down the page you will have an option for IETF attributes, and you choose the VLAN there. Wireless users will not be affected by switch VMPS. PAE refers to Port Access Entity. It defines the role of an interface (as a supplicant, as an authenticator, or as both an authenticator and a supplicant). In this case it happens to be the authenticator, which is the access point.

Similar Messages

  • Cisco IP 7841 802.1x Configuration

    Hello Team,
    I am working with a customer that requires 802.1x configured on their environment. Based on my research so far, I believe this is only way to make this work. Have any of you done this differently? Any feedback is greatly appreciated.
    CUCM
    Run the CTL Client to install the e-token so the CUCM Publisher can run the CAPF service
    Export the Cisco_Root_CA cert and upload it to a RADIUS server (preferably Cisco ACS if possible) so the phones can authenticate against it
    Assign the cert to each phone that requires 802.1x authentication
    LAN Switches
    Stage the LAN switches without 802.1x so phones can retrieve the cert and complete the authentication before turning on 802.1x
    Questions
    Can phones be authenticated with their own MIC and the PCs with their own? Do phones and PCs have to use the same cert?
    Is MAB the only method to bypass 802.1x authentication for the phone, so that only the PC is authenticated via 802.1x without requiring the phone to do 802.1x authentication?
    Thanks in advance for your feedback,
    Gerson

    Jaime,
    Thanks for pointing me to the correct area. By the way, do you have experience enabling 802.1x in CUCM? If so, do you think I am going in the right direction? Could you also provide some feedback on my questions?
    Thanks,
    Gerson

  • 802.1x configuration for 3500 switch and 2800 switch

    Can anyone point me to a document on how to do a 3500 switch 802.1x configuration as well as a 2800 switch? How do you define the server auth-port? Thanks

    Even though this link is for the Cat6k, it has some very useful screenshots that will help you to successfully implement dot1x:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml
    Regards
    Farrukh

  • Create New 802.1x Configuration?

    Hi all,
    Is there a command in the terminal to create a New 802.1x Configuration? I want to bypass the Internet Connect app so that I can automate this.
    Thanks,
    Matt

    Hello Sergio,
    You can read this document:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
    This works in my case except for VLAN assignment. :(
    But I have been occupied with this for only one day, so if I succeed with VLAN assignment I will let you know.
    Mladen

  • HP Deskjet 3050A J611 series wireless WPA 802.1x configuring steps

    I have an HP Deskjet 3050A J611 series printer. In my office we have a wireless network and I want to make this printer wireless, but we use WPA Enterprise 802.1x wireless settings in our office.
    So I need the steps to configure WPA Enterprise 802.1x wireless settings.
    Your Quick response is highly appreciated.
    Thanks & Regards..
    Ahmed Abdul Ali 

    Hope you are having a great day,
    I am reaching out to check whether you still experience this issue. If you do, click here: these are basic steps, and perhaps you can find the answer to your question there. If this does not help, update your post and I will do my best to find an answer for you. On the other hand, if you are no longer experiencing this issue you may disregard this post, although I would appreciate it if you could take a little bit of your time and let me know.
    Thanks
    RobertoR
    You can say THANKS by clicking the KUDOS STAR. If my suggestion resolves your issue Mark as a "SOLUTION" this way others can benefit Thanks in Advance!

  • 802.11 configuration on Powerbook

    Admittedly, I'm a novice user of Mac OS X.
    I am configuring a Mac OS X laptop to connect wirelessly (802.11) to a Linksys access point. The wireless network has 128-bit WEP encryption enabled and the broadcast of the network is OFF.
    If I go and configure the wireless network on the laptop, SSID and WEP key, it works. I can print to local network printers and I can get to the Internet. However, if I reboot, I need to go back in and reconfigure the network every time, including the WEP key which can be quite tedious.
    Why are the settings I set not saved? How can I make sure when I reboot I don't have to go back and reconfigure my wireless network settings?
    Thanks ahead of time for your assistance.

    Hi Kleintech, Welcome to the New Apple Discussions
    I am new to this airport stuff also so I can't tell you how to save your configuration, but here is a link from the User tip Library.
    There is a whole lot there about it, just look for Airport section.
    http://discussions.apple.com/thread.jspa?threadID=296514&tstart=0
    Good luck, let us know how it goes for you.
    Enjoy.
    regards, Eme

  • Airport Extreme 802.11ac configuration issue

    Hello all,
    I'm hoping someone can help me configure my new Airport Extreme. I have a new Haswell Macbook Air and I thought they would just use 802.11ac automatically. My problem is the Macbook Air is showing as connected with 802.11n, so I can't benefit from faster TM backups for example.
    I've updated the router and the computer to the latest firmware/software versions.
    Any tips would be much appreciated!

    The MCS Index value is telling me that the connection between the MBA & the Extreme is only using two spatial streams. I would expect that the MBA can support three or even four streams connections with the new 802.11ac Extreme. Not sure why yours is not. At this point it is hard to tell if the issue is with the MBA or the Extreme ... or both.
    For example, my 2012 MacBook Pro is currently connected to my 4th generation 802.11n AirPort Extreme with MCS value of 23. That would be a three stream connection and I am currently getting 450 Mbps for the Transmit Rate.
    I would suggest, if possible, taking both to your local Apple Store to have them checked out.

  • IOS 15.0.(1)SE2 802.1X configuration ignores VSA ?

    Hi all,
    I configured dot1x on a 3750X with version 15.0.(1)SE2 but have a problem with MDA:
    My phone is authenticating successfully but is placed in the DATA domain instead of voice:
    show authentication interface gi3/0/9
    Client list:
    Interface  MAC Address     Method   Domain   Status         Session ID
      Gi3/0/9    0080.9fab.d2f2  dot1x    DATA     Authz Success  000000000000361C1BA5BAF5
    though the switch receives a VSA from the RADIUS server (output from debug radius authentication):
    Mar  9 18:10:28.976: RADIUS: Received from id 1645/106 10.0.0.4:1645, Access-Accept, len 240
    Mar  9 18:10:28.976: RADIUS:  authenticator 6B 87 86 16 99 E7 A3 06 - 6B 98 63 12 16 C8 9C 48
    Mar  9 18:10:28.985: RADIUS:  EAP-Message         [79]  6  
    Mar  9 18:10:28.985: RADIUS:   03 07 00 04
    Mar  9 18:10:28.985: RADIUS:  Class               [25]  46 
    Mar  9 18:10:28.985: RADIUS:   47 1B 05 65 00 00 01 37 00 01 02 00 0A 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 01 CC F8 92 38 D7 D3 4D 00 00 00 00 00 02 68 07           [ Ge7(8Mh]
    Mar  9 18:10:28.985: RADIUS:  Vendor, Cisco       [26]  34 
    Mar  9 18:10:28.985: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Mar  9 18:10:28.985: RADIUS:  Vendor, Microsoft   [26]  58 
    Mar  9 18:10:28.985: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
    Mar  9 18:10:28.985: RADIUS:  Vendor, Microsoft   [26]  58 
    Mar  9 18:10:28.985: RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
    Mar  9 18:10:28.985: RADIUS:  Message-Authenticato[80]  18 
    Mar  9 18:10:28.985: RADIUS:   82 9D F1 DB 64 0D 65 85 D2 C8 09 C7 10 9B C3 84                [ de]
    Mar  9 18:10:29.001: RADIUS(00003686): Received from id 1645/106
    Mar  9 18:10:29.001: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Mar  9 18:10:29.010: %DOT1X-5-SUCCESS: Authentication successful for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.010: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.446: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.9fab.d2f2) on Interface Gi3/0/9 AuditSessionID 00000000000036091B977720
    Mar  9 18:10:29.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/9, changed state to up
    and "radius-server vsa send authentication" is set
    The switchport is configured in the following way:
    interface GigabitEthernet3/0/9
    switchport access vlan 115
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 113
    authentication control-direction in
    authentication event fail action authorize vlan 101
    authentication event server dead action authorize vlan 100
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation replace
    mls qos trust dscp
    dot1x pae authenticator
    storm-control broadcast level 10.00
    storm-control action shutdown
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip dhcp snooping limit rate 20
    Radius Server is MS W2K8 NPS.
    Am I missing something, or is it a bug in 15.0? I remember it worked on 12.5-something.
    Many thanks in advance for any hints!

    Hi,
    I am authenticating with dot1x; MAB might be used some day for devices not supporting 802.1X.
    Authentication works fine, I just wonder why the phone is placed into the DATA domain even though the RADIUS server returns the VSA "device-traffic-class=voice".
    SWITCH#show authentication sessions interface gi3/0/9
                Interface:  GigabitEthernet3/0/9
              MAC Address:  0080.9fab.d2f2
               IP Address:  Unknown
                User-Name:  ipphone
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  in
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0000000000003AC232ED1550
          Acct Session ID:  0x00003B3D
                   Handle:  0xB0000BD7
    Runnable methods list:
           Method   State
           dot1x    Authc Success
    SWITCH#show dot1x all details
    Sysauthcontrol              Enabled
    Dot1x Protocol Version            3
    Dot1x Info for GigabitEthernet3/0/9
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = In
    HostMode                  = MULTI_DOMAIN
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    Dot1x Authenticator Client List
    EAP Method                = (13)
    Supplicant                = 0080.9fab.d2f2
    Session ID                = 0000000000003AC232ED1550
        Auth SM State         = AUTHENTICATED
        Auth BEND SM State    = IDLE

  • 802.1x configuration for switch Ports

    hi All,
    I am looking for help on a specific problem with a custom implementation of 802.1x.
    Currently its set as below;
     authentication control-direction both
     authentication host-mode single-host
     no authentication open
     authentication priority dot1x mab
     authentication port-control auto
     no authentication periodic
     authentication timer restart 0
     authentication timer reauthenticate 3600
     authentication timer inactivity 0
     authentication violation shutdown
     no authentication fallback
     mab radius
     dot1x pae authenticator
     dot1x timeout quiet-period 60
     dot1x timeout server-timeout 0
     dot1x timeout tx-period 15
     dot1x timeout supp-timeout 30
     dot1x timeout ratelimit-period 0
     dot1x max-req 2
     dot1x max-reauth-req 2
    I am trying to understand what parameter I need to change to keep laptops/desktops from losing access after going into sleep mode.
    Any help is appreciated.

    You might want to activate periodic authentication. I have not tested it myself, but I believe this should help.

  • 802.11ac configuration issues

    Hi, I have the newest iMac 2013, MacBook Air 2013 and AirPort Extreme/TimeCapsule 3 TB, all 802.11ac compliant, but when I option-click on the network symbol in the menu bar on both computers, the PHY mode is displayed as being 802.11n. I have looked everywhere under System Preferences > Network, and throughout the AirPort Utility application 6.3.1 (running under OSX 10.8.5), but I cannot find any place where I may be able to select 802.11ac as the preferred network standard -- what am I missing/doing wrong here? Perhaps I should also mention that I have several other units connected to my network, all verified 802.11n compliant (1 x MacBook Pro 2012 + 1 x MacBook Pro 2009 + 3 x iPad2 + 1 x iPad3 + 2 x iPhone4 + 1 x AppleTV G3 (black) + 1 x TimeCapsule G2 (flat white) + 1 x AirPort Express + 1 x HP Color LaserJet 3700n), but that should have nothing to do with the 802.11ac communication capacity between the iMac, MacBook Air and TimeCapsule, right? Any advice that will set me straight would be much appreciated! :-)
    /Mark

    When I am in range of the AE the MBA automatically selected the 5 GHz band and displayed the 802.11AC mode, speed 896 Mb.  Of course when I move the MBA about two rooms distant it switches to 802.11n mode.
    Yes, in practice most will find that 802.11ac will only be practical when the router and the network client are in the same room. 802.11n, on the 5 GHz band, has a bit farther range but I would still recommend using it with clients that will be in the same room. This is basically the limitation of using a higher radio band, not necessarily whether it is "ac" or "n." The higher the frequency the more difficult it is for the signal to penetrate objects, like walls.

  • Configuration Cisco switch 802.1x for ISE

    Hi dears,
    I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for a Cisco switch.
    Please provide this.
    Thanks.

    See this link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if you are trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • 802.1X IAS Switch 3750

    Hi,
    I am configuring 802.1X authentication in my access switches. The switches are WS-C3750G-24PS running C3750-IPBASEK9-M, Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). The RADIUS server is an IAS server; in IAS there is a Remote Policy with the Windows group of the users, and the attributes Service-Type (Framed), Tunnel-Medium-Type (802), Tunnel-Pvt-Group-ID (100) and Tunnel-Type (VLAN) were configured.
    The configuration in a switch is as follow:
    aaa new-model
    aaa session-id common
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 192.168.11.28 key 7 093204802934802934123132132123
    interface GigabitEthernet1/0/23
    switchport mode access
    authentication event fail retry 5 action authorize vlan 5
    authentication event no-response action authorize vlan 5
    authentication port-control auto
    authentication periodic
    authentication violation protect
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout server-timeout 30
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 2
    dot1x max-reauth-req 10
    dot1x timeout held-period 300
    spanning-tree portfast
    end
    I have these logs, when I connect a workstation with 802.1x configured:
    016569: *Mar  2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
    016570: *Mar  2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016571: *Mar  2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016572: *Mar  2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016573: *Mar  2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016574: *Mar  2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    Other show commands:
    Switch#show dot1x interface gigabitEthernet 1/0/23 detail
    Dot1x Info for GigabitEthernet1/0/23
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 5
    ServerTimeout             = 10
    SuppTimeout               = 2
    ReAuthMax                 = 10
    MaxReq                    = 2
    TxPeriod                  = 2
    Dot1x Authenticator Client List
    EAP Method                = (0)
    Supplicant                = 2965.0a1d.3431
    Session ID                = C0A813FD000000CF060CE68E
        Auth SM State         = HELD
        Auth BEND SM State    = IDLE
    Any idea?
    Any suggestion?

    Hi Matthew,
    Please let me know which EAP method you are using (for example, PEAP with EAP-MSCHAPv2).
    The backend RADIUS server logs should have hint on why the 802.1x failed.
    If you are using PEAP with EAP-MSCHAPv2,
    1)  make sure whether the certificate on the RADIUS server is fine.
    2) Check the config in the RADIUS server (regarding which EAP methods are allowed) and check the settings in the supplicant.
    3) Make sure that the CA certificate of the RADIUS server is trusted in the supplicant.
    4) Check the RADIUS server logs and the logs should give a hint regarding the issue.
    If needed, create a case with the respective RADIUS server vendor's TAC.
    Regards,
    Karthik Chandran
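
The VLAN in the ACS "IETF attributes" of the first reply, the Cisco AVpair "device-traffic-class=voice" in the debug radius output of the 15.0(1)SE2 thread, and the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID attributes in this thread's IAS policy are all attributes of the RADIUS Access-Accept, and the switch acts on them only if they are well formed (RFC 2865, RFC 2868, RFC 3580). The following Python decoder is an added example, not code from any of the posts, Cisco or Microsoft: it constructs an Access-Accept inline with the same attribute values (EAP Success id 7, VLAN 100, the Cisco AVpair) and decodes it the way an authenticator would. The authenticator field is zeroed, and the Class and MPPE key attributes of the real capture are left out.

```python
"""Decode the authorization attributes of a RADIUS Access-Accept.

Added example, not code from the thread, Cisco or Microsoft. It constructs an
Access-Accept carrying the attributes the posts discuss (IETF tunnel attributes
for VLAN assignment, a Cisco Vendor-Specific AVpair, an EAP-Message) and
decodes them the way an authenticator would. The 16-octet authenticator is
zeroed here; a real reply carries an MD5 over the packet and the shared secret.
"""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PVT_GROUP = 64, 65, 81
VENDOR_SPECIFIC, EAP_MESSAGE = 26, 79
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 section 3.31
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def attr(atype, value):
    """Type-Length-Value; the length octet covers the two header octets too."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return bytes([atype, 2 + len(value)]) + value


def tunnel_attr(atype, tag, value):
    """RFC 2868 tunnel attributes carry a leading tag octet (0x01-0x1F) that groups them."""
    return attr(atype, bytes([tag]) + value)


def cisco_avpair(text):
    """Vendor-Specific: 4-octet vendor id, then one vendor sub-attribute TLV."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_packet(code, ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attrs(packet):
    """Return (code, id, [(type, value), ...]); reject truncated or oversized TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def authorization(packet):
    """What a switch would apply from this reply: VLAN, host domain, EAP result."""
    code, _, attrs = parse_attrs(packet)
    result = {"accept": code == ACCESS_ACCEPT, "vlan": None, "domain": "DATA", "eap": None}
    if code != ACCESS_ACCEPT:
        return result
    tunnels = {}  # tag -> {attribute type: value}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PVT_GROUP) and val:
            # A first octet above 0x1F is not a tag but part of the value (RFC 2868)
            tag, val = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            tunnels.setdefault(tag, {})[atype] = val
        elif atype == VENDOR_SPECIFIC and len(val) >= 6:
            vendor, sub = struct.unpack("!I", val[:4])[0], val[4:]
            while vendor == VENDOR_CISCO and len(sub) >= 2 and sub[1] >= 2:
                stype, slen = sub[0], sub[1]
                if stype == CISCO_AVPAIR:
                    key, _, value = sub[2:slen].decode("ascii", "replace").partition("=")
                    if key == "device-traffic-class" and value == "voice":
                        result["domain"] = "VOICE"
                sub = sub[slen:]
        elif atype == EAP_MESSAGE and val:
            result["eap"] = EAP_CODES.get(val[0], "Unknown")
    # A VLAN assignment needs all three tunnel attributes with the same tag
    for group in tunnels.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PVT_GROUP in group):
            result["vlan"] = group[TUNNEL_PVT_GROUP].decode("ascii", "replace")
            break
    return result


# Constructed reply modelled on the debug output in the thread (EAP Success id 7, Cisco AVpair)
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 106, [
    attr(EAP_MESSAGE, bytes.fromhex("03070004")),
    tunnel_attr(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    tunnel_attr(TUNNEL_MEDIUM, 1, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
    tunnel_attr(TUNNEL_PVT_GROUP, 1, b"100"),
    cisco_avpair("device-traffic-class=voice"),
])

if __name__ == "__main__":
    print(authorization(SAMPLE_ACCEPT))
```

Two details matter in practice: the VLAN is only applied when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID all arrive with the same tag (a policy that sets only one of them silently does nothing), and vendor attributes are only parsed when the switch is told to accept them, which is what "radius-server vsa send authentication" does on IOS.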

  • Enable 802.11n - Need your inputs

    Okay Guys need your input
    I've heard that if you want to enable a high-speed WLAN connection such as 802.11n you need to have your security settings as WPA2 and AES.
    Is this true?

    Hi 
    Typically the configuration guide's 802.11n configuration section lists this. Below is from the 7.4 Config Guide section:
    "The 802.11n high-throughput rates are available on all 802.11n access points for WLANs using WMM with no Layer 2 encryption or with WPA2/AES encryption enabled."
    Thanks for rating our responses as well. If this answers your query you can mark this thread as "Answered".
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • 802.1x and Cisco IP phones

    I have 802.1x configured on a Cisco 2950 switch. On ports where I have PCs plugged into the data port on the IP phones users sometimes get placed in the guest vlan. If they shut down their attached PC and then unplug the network cable (the one between the switch and the phone), then re-plug in the cable and boot their PC it seems to authenticate them again.... sometimes. The config for the ports with phones configured is as below:
    interface FastEthernet0/4
    switchport access vlan 4
    switchport mode access
    switchport voice vlan 200
    switchport port-security
    switchport port-security maximum 2
    no ip address
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x guest-vlan 3
    spanning-tree portfast
    Does anyone have a possible fix or work around?
    Thanks in advance,
    Peter

    You can configure the MSFT supplicant to send an EAPOL-Logoff:
    Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
    0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with Machine credentials, the user’s credentials are not used for authentication.
    1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
    2: Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
    In the wired-Ethernet case you should set (SupplicantMode = 3) AND (AuthMode = 0) AND (disable Machine-Authentication OR ensure that there are no machine credentials on the client). This will ensure that when a user logs off, an EAPOL-Logoff will be sent out. So, AFAIK, this is the bad news... you lose machine-auth.
    Actually, stay tuned for the ability for our IP Phones to be able to do this on behalf of a PC very soon. What will happen is when an IP Phone senses EAPOL through it, it will know who the supplicant is, and what port they're on (the phone's PC port). Assuming 2 conditions above, if link to phone's PC port goes down, IP Phone will transmit EAPOL-Logoff to PC immediately (on PCs behalf).
    Hope this helps.
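
The frames behind this exchange, as an added example that is not code from the post, Cisco or Microsoft: the supplicant's EAPOL-Start, the authenticator PAE's EAP-Request/Identity (the role "dot1x pae authenticator" assigns to the port), the EAP-Response/Identity, and the EAPOL-Logoff that the Windows supplicant sends at user logoff under the registry settings above, or that the phone sends on the PC's behalf when its PC port goes down. The decoder rejects frames with inconsistent lengths, and port_view shows why the logoff matters: without it the port stays authorized for whoever plugs into the phone next. MAC addresses and the identity string are made up.

```python
"""Build and decode IEEE 802.1X EAPOL frames between a supplicant (the PC behind
the phone) and the authenticator PAE on the switch port.

Added example, not code from the post, Cisco or Microsoft. It shows the frames
behind the EAPOL-Logoff discussion (EAPOL-Start, EAP-Request/Identity,
EAP-Response/Identity, EAP-Success, EAPOL-Logoff) and a minimal view of what
a logoff does to the port's authorization. MAC addresses and identity are made up.
"""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address; bridges do not forward it
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def eapol_frame(src, ptype, body=b"", dst=PAE_GROUP_MAC):
    """Ethernet header, then the EAPOL header: version, packet type, body length."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, ptype, len(body)) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header is code, identifier, length; Request and Response add a type octet."""
    body = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(frame):
    """Parse one frame; raise ValueError for anything an authenticator should drop."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    if ptype not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL packet type")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length exceeds frame")
    out = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version, "type": EAPOL_TYPES[ptype]}
    if ptype == EAPOL_EAP_PACKET:
        if blen < 4:
            raise ValueError("EAP header truncated")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if code not in EAP_CODES or elen < 4 or elen > blen:
            raise ValueError("bad EAP header")
        out.update(eap_code=EAP_CODES[code], eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if elen < 5:
                raise ValueError("EAP Request/Response without a type octet")
            out["eap_type"] = EAP_TYPES.get(body[4], "type %d" % body[4])
            out["eap_data"] = body[5:elen]
    return out


def identity_exchange(pc_mac, port_mac, identity):
    """Start-to-identity exchange, then the EAPOL-Logoff the Windows supplicant sends
    at user logoff (SupplicantMode=3, AuthMode=0) or that the phone sends for the PC."""
    return [
        eapol_frame(pc_mac, EAPOL_START),
        eapol_frame(port_mac, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, 1)),
        eapol_frame(pc_mac, EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, 1, identity.encode())),
        eapol_frame(pc_mac, EAPOL_LOGOFF),
    ]


def port_view(frames):
    """Minimal authenticator bookkeeping: EAP-Success authorizes the port, a logoff from
    the same supplicant address clears it (the real state machine also has timers)."""
    state = {"supplicant": None, "authorized": False}
    for frame in frames:
        d = decode(frame)
        if d["type"] == "EAPOL-Start":
            state.update(supplicant=d["src"], authorized=False)
        elif d["type"] == "EAP-Packet" and d["eap_code"] == "Success":
            state["authorized"] = True
        elif d["type"] == "EAPOL-Logoff" and d["src"] == state["supplicant"]:
            state.update(supplicant=None, authorized=False)
    return state


if __name__ == "__main__":
    for f in identity_exchange(bytes.fromhex("0080ab000001"), bytes.fromhex("0011bb000002"), "ipphone"):
        print(decode(f))
```

The EAP-Success built by eap_packet(EAP_SUCCESS, 7) is the four octets 03 07 00 04 that appear inside the EAP-Message attribute of the RADIUS debug earlier on this page; the switch copies that EAP packet out of the Access-Accept into an EAPOL frame towards the supplicant.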
