Catalyst 3750 Switch Software Configuration Guide
78-16180-02
Chapter 10 Configuring 802.1x Port-Based Authentication
Configuring 802.1x Authentication
802.1x Configuration Guidelines
These are the 802.1x authentication configuration guidelines:
• When 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are
enabled.
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
routed ports, but it is not supported on these port types:
  – Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x
    is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error
    message appears, and the port mode is not changed.
  – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
    port. If you try to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not
    enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message
    appears, and the port mode is not changed.
  – Dynamic-access ports—If you try to enable 802.1x on a dynamic-access (VLAN Query
    Protocol [VQP]) port, an error message appears, and 802.1x is not enabled. If you try to change
    an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the
    VLAN configuration is not changed.
  – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
    EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error
    message appears, and 802.1x is not enabled.
    Note: In software releases earlier than Cisco IOS Release 12.2(18)SE, if 802.1x is enabled on
    a not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
  – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
    enable 802.1x on a port that is a SPAN or RSPAN destination port. However, 802.1x is disabled
    until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1x on a
    SPAN or RSPAN source port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.
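An added example, not part of the Cisco guide: a pre-deployment lint in Python that applies the port-type and guest-VLAN guidelines above to a candidate configuration before it is pushed to a switch. The sample configuration, interface names and VLAN IDs are constructed, and the script assumes 802.1x is enabled on a port with `dot1x port-control auto`.

```python
import re
# Constructed candidate config; interface names and VLAN IDs are illustrative.
CANDIDATE = """
vlan 900
 remote-span
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 110
 dot1x port-control auto
 dot1x guest-vlan 20
interface GigabitEthernet1/0/2
 switchport mode trunk
 dot1x port-control auto
interface GigabitEthernet1/0/3
 channel-group 1 mode active
 dot1x port-control auto
 dot1x guest-vlan 110
interface GigabitEthernet1/0/4
 switchport access vlan dynamic
 dot1x port-control auto
 dot1x guest-vlan 900
monitor session 1 destination interface Gi1/0/4
"""
RULES = [  # (command under an 802.1x-enabled interface, unsupported port type)
    (r"switchport mode trunk", "trunk port"),
    (r"switchport mode dynamic", "dynamic port"),
    (r"switchport access vlan dynamic", "dynamic-access (VQP) port"),
    (r"channel-group \d+", "EtherChannel member"),
]
def short(name):  # GigabitEthernet1/0/4 -> Gi1/0/4, the form used by "monitor session"
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)

def lint(cfg):  # returns (port, reason) pairs for 802.1x ports that break a guideline
    blocks = re.findall(r"^(\S.*)\n((?: .*\n)*)", cfg, re.M)  # (header, indented body)
    bad_guest = set(re.findall(r"switchport voice vlan (\d+)", cfg))  # voice VLANs
    bad_guest |= {h.split()[1] for h, b in blocks if h.startswith("vlan ") and "remote-span" in b}
    span_dst = {short(p) for p in re.findall(r"^monitor session \d+ destination interface (\S+)", cfg, re.M)}
    findings = []
    for head, body in blocks:
        if not head.startswith("interface ") or "dot1x port-control auto" not in body:
            continue
        port = short(head.split()[1])
        findings += [(port, why) for pat, why in RULES if re.search(pat, body)]
        if port in span_dst:
            findings.append((port, "SPAN/RSPAN destination: 802.1x disabled until removed"))
        guest = re.search(r"dot1x guest-vlan (\d+)", body)
        if guest and guest.group(1) in bad_guest:
            findings.append((port, "guest VLAN is an RSPAN or voice VLAN"))
    return findings
```

The SPAN/RSPAN destination finding is the one case in this list that the guide says produces no error message, so it is worth checking for in running configurations as well as in candidates.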
Table 10-1 Default 802.1x Configuration (continued)

Feature                                 Default Setting
Host mode                               Single-host mode.
Guest VLAN                              None specified.
Client timeout period                   30 seconds (when relaying a request from the
                                        authentication server to the client, the amount of time the
                                        switch waits for a response before resending the request
                                        to the client.)
Authentication server timeout period    30 seconds (when relaying a response from the client to
                                        the authentication server, the amount of time the switch
                                        waits for a reply before resending the response to the
                                        server. This setting is not configurable.)