25-6
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter 25 Configuring IEEE 802.1X Port-Based Authentication
802.1X Port-Based Authentication Guidelines and Restrictions
802.1X Port-Based Authentication Guidelines and Restrictions
Follow these guidelines and restrictions when configuring 802.1X port-based authentication:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are
enabled.
• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but
it is not supported on these port types:
–
Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
–
EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
EtherChannel port-channel interface. If you try to enable 802.1X on an EtherChannel
port-channel interface or on an individual active port in an EtherChannel, an error message
appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active individual port of
an EtherChannel, the port does not join the EtherChannel.
–
Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X
on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an
802.1X-enabled port to a secure port, an error message appears, and the security settings are not
changed.
–
Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN
destination port; however, 802.1X is disabled until the port is removed as a SPAN destination
port. You can enable 802.1X on a SPAN source port.
Retransmission time 30 seconds (number of seconds that the router should
wait for a response to an EAP request/identity frame
from the client before retransmitting the request)
Maximum retransmission number 2 times (number of times that the router will send an
EAP-request/identity frame before restarting the
authentication process)
Multiple host support Disabled
Client timeout period 30 seconds (when relaying a request from the
authentication server to the client, the amount of time the
router waits for a response before retransmitting the
request to the client)
Authentication server timeout period 30 seconds (when relaying a response from the client to
the authentication server, the amount of time the router
waits for a reply before retransmitting the response to the
server)
Table 25-1 Default 802.1X Configuration (continued)
Feature Default Setting
To Next Page
Loading...
Need help?
General
