Implementing IEEE 802.1X with Wake on LAN
Wake on LAN (WoL) is a technology that allows a networked computer to be turned on remotely. It typically involves sending a WoL magic packet to the computer's MAC address to trigger the wake-up process.
The 802.1X standard is implemented to block traffic between unauthenticated clients and network resources. This means that unauthenticated clients cannot communicate with any device on the network except the authenticator. The reverse is also true, with one exception: when the port is configured as a unidirectional controlled port.
Unidirectional State
The IEEE 802.1X standard states that a unidirectional controlled port enables a device on the network to wake up a client so that the client continues to be reauthenticated. When you use the authentication (access-session) control-direction in command to configure the port as unidirectional, the port changes to the spanning-tree forwarding state, thus allowing a device on the network to wake the client and force it to reauthenticate. It also assists the MAB process for certain types of devices that don't generate much traffic on their own without a network request from another host.
Bidirectional State
When you use the authentication (access-session) control-direction both command to configure a port as bidirectional, access to the port is controlled in both directions. In this state, the port does not receive or send packets; before the supplicant is authenticated, traffic cannot be sent to or from the port. By default, the control-direction type is “both”:
Regardless of which mode is used, the switch applies the ACL only in the "in" direction. That means that after authentication the ACL is applied for traffic to the port (in direction) and all traffic is permitted from the port (out direction).
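The two control-direction settings described above, side by side, as an added configuration example that is not part of the original article. The interface numbers and the policy name PORT_POLICY are assumptions; the first interface uses the authentication syntax and the second the access-session syntax named in the text.

```cisco
! Constructed example: interface numbers and PORT_POLICY are placeholders.
!
! Unidirectional controlled port, "authentication" syntax.
! Traffic from the client stays blocked until it authenticates, but the
! switch forwards traffic toward the client, so a WoL magic packet sent
! from the network reaches the sleeping host.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 authentication control-direction in
 mab
 dot1x pae authenticator
!
! Same behaviour, "access-session" syntax.
interface GigabitEthernet1/0/11
 switchport mode access
 access-session port-control auto
 access-session control-direction in
 mab
 dot1x pae authenticator
 service-policy type control subscriber PORT_POLICY
!
! Bidirectional controlled port (the default, shown explicitly).
! Nothing is sent to or received from the port before authentication,
! so a magic packet never reaches the client.
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 authentication control-direction both
 mab
 dot1x pae authenticator
```

With control-direction in, an unauthenticated device on the port still receives traffic sent toward it in the port's VLAN, so enable it only on ports that need WoL or MAB assistance.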
Infrastructure Security Consultant at ANECT a.s.
11 months ago: What would you recommend in case you use dynamic VLAN assignment combined with Wake on LAN? This is an even bigger challenge.
Network Engineer at Banco de Fomento Angola | F5 BIG-IP LTM Administrator | CCNP ENTERPRISE
11 months ago: Masobele José Monteiro
Senior Expert CorpNet/DataCenter, CCNP EI, CCNP Security
11 months ago: Thank you! I did not know about it.
Technical Lead
11 months ago: Good information, experienced the same in one of my implementations and had applied this solution
Telecom Engineer
11 months ago: Great