When per host authentication is first enabled, all MAC addresses on the port are denied. The user can allow MAC addresses using the static source MAC or dot1x host authentication. The following considerations apply when dot1x authentication is used.
If the 802.1x authentication mode is configured as force-auth (using the command config>port>ethernet>dot1x port-control), any host that sends EAPOL frames is authenticated without requiring any exchange with the RADIUS server.
If config>system>security dot1x is configured as shutdown, the port behavior is the same as in the force-auth case.
If the 802.1x authentication mode is configured as auto, the hosts are authenticated using RADIUS. However, if config>system>security dot1x is configured as shutdown, the force-auth behavior takes effect.