Filter
Top Products
9-14
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
IEEE 802.1x Authentication
These are the IEEE 802.1x authentication configuration guidelines:
• When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2
features are enabled.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it
is not supported on these port types:
–
Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message
appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an
IEEE 802.1x-enabled port to trunk, the port mode is not changed.
–
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable IEEE 802.1x authentication on a dynamic port, an error message
appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an
IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
–
Dynamic-access ports—If you try to enable IEEE 802.1x authentication on a dynamic-access
(VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x authentication
is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment,
an error message appears, and the VLAN configuration is not changed.
–
EtherChannel ports—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an
EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
–
Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You cannot
enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port or that
is an RSPAN reflector port. However, you can enable IEEE 802.1x authentication on a SPAN or
RSPAN source port.
–
LRE switch ports—802.1x is not supported on an LRE switch interface that is connected to a
Cisco
585 LRE CPE device.
• Before globally enabling IEEE 802.1x authentication on a switch by entering the dot1x
system-auth-control global configuration command, remove the EtherChannel configuration from
the interfaces on which
IEEE 802.1x authentication and EtherChannel are configured.
• If you are using a device running the Cisco Access Control Server (ACS) application for
IEEE
802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5 and your
switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS
Version 3.2.1 or later.
VLAN Assignment, Guest VLAN, and Restricted VLAN
These are the configuration guidelines for VLAN assignment, guest VLAN, and restricted VLAN:
• When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is
equal to a voice VLAN.
• The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports,
dynamic ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
• After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected,
you might need to get a host IP address from a DHCP server. You can also change the settings for
restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the