◦ Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable
802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x
authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You
can enable 802.1x authentication on a SPAN or RSPAN source port.
•
Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control
global configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x authentication and EtherChannel are configured.
•
Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible
authentication bypass:
•
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
•
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
•
You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported
only on access ports.
•
After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might
need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x
authentication process on the switch before the DHCP process on the client times out and tries to get a
host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process
(authentication timer inactivity and authentication timer reauthentication interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
•
When configuring the inaccessible authentication bypass feature, follow these guidelines:
◦
The feature is supported on 802.1x port in single-host mode and multihosts mode.
◦
If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
◦
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration
process.
◦
You can configure the inaccessible authentication bypass feature and the restricted VLAN on an
802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the
RADIUS servers are unavailable, switch changes the port state to the critical authentication state
and remains in the restricted VLAN.
◦
If the CTS links are in Critical Authentication mode and the master reloads, the policy where SGT
was configured on a device will not be available on the new master. This is because the internal
bindings will not be synced to the standby switch in a 3750-X switch stack.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 299
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication Configuration Guidelines
To Next Page
Loading...
Need help?
General
Weight and Dimensions
