Cisco Systems 2960 Switch User Manual

9-12
Catalyst 2960 Switch Software Configuration Guide
78-16881-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
IEEE 802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:

• When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 feature is enabled.

• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it is not supported on these port types:

  – Trunk port—If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.

  – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed.

  – Dynamic-access ports—If you try to enable IEEE 802.1x on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

  – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.

  – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1x on a SPAN or RSPAN source port.

• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.

• When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

• The IEEE 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.

• Before globally enabling IEEE 802.1x on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured.

• After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch so that it restarts before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. To do so, decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
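The port-type restrictions in these guidelines can be checked against a planned configuration before it is pushed to the switch. The following Python script is an added example, not code from the configuration guide or from Cisco: it parses a constructed IOS config fragment and reports, for every port on which IEEE 802.1x is enabled, the guidelines that port breaks (trunk or dynamic mode, EtherChannel membership, SPAN/RSPAN destination, port VLAN or guest VLAN equal to the voice VLAN). The dot1x port-control, dot1x guest-vlan, channel-group and monitor session commands are assumed to appear in standard IOS syntax; the sample config is constructed for the example.

```python
import re

# Constructed planned Catalyst 2960 config (sample input for this example, not from the guide).
SAMPLE_CONFIG = """\
monitor session 1 destination interface GigabitEthernet0/4
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
 dot1x port-control auto
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport voice vlan 20
 dot1x port-control auto
 dot1x guest-vlan 20
interface GigabitEthernet0/4
 dot1x port-control auto
"""

def parse_interfaces(text):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif not line.startswith(" "):
            current = None  # "!" or any other top-level command ends the block
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def check_dot1x_guidelines(text):
    """Return {port: [guideline violations]} for every port that enables IEEE 802.1x."""
    span_dest = set(re.findall(r"^monitor session \d+ destination interface (\S+)", text, re.M))
    findings = {}
    for name, cmds in parse_interfaces(text).items():
        if not any(c.startswith("dot1x port-control") for c in cmds):
            continue  # 802.1x is not enabled here, so the port-type restrictions do not apply
        field = lambda key, i: next((c.split()[i] for c in cmds if c.startswith(key)), None)
        mode, voice = field("switchport mode ", 2), field("switchport voice vlan ", 3)
        findings[name] = [msg for cond, msg in (
            (mode in ("trunk", "dynamic"), f"not supported on a {mode} port"),
            (any(c.startswith("channel-group ") for c in cmds), "not supported on an EtherChannel member"),
            (name in span_dest, "stays disabled while the port is a SPAN/RSPAN destination"),
            (voice is not None and voice == field("switchport access vlan ", 3), "port VLAN equals the voice VLAN"),
            (voice is not None and voice == field("dot1x guest-vlan ", 2), "guest VLAN is the voice VLAN"),
        ) if cond]
    return findings
```

Running check_dot1x_guidelines(SAMPLE_CONFIG) reports nothing for GigabitEthernet0/1 and one or more findings for each of the other three ports.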
Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the authentication methods to be queried, and the sequence in which they are queried, to authenticate a user.