Filter
Top Products
8-10
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 8 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
IEEE 802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:
• When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features
are enabled.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and Layer 3 routed ports, but
it is not supported on these port types:
–
Trunk port—If you try to enable IEEE 802.1x on a trunk port, an error message appears, and
IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to
trunk, an error message appears, and the port mode is not changed.
–
Dynamic-access ports—If you try to enable IEEE 802.1x on a dynamic-access (VLAN Query
Protocol [VQP]) port, an error message appears, and IEEE 802.1x is not enabled. If you try to
change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears,
and the VLAN configuration is not changed.
–
EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel
port, an error message appears, and IEEE 802.1x is not enabled.
–
Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x
is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE
802.1x on a SPAN or RSPAN source port.
• You can configure any VLAN except an RSPAN VLAN or a private VLAN.
• The IEEE 802.1x with VLAN assignment feature is not supported on private-VLAN ports, trunk
ports, or ports with dynamic-access port assignment through a VMPS.
Quiet period 60 seconds (number of seconds that the switch remains in
the quiet state following a failed authentication exchange
with the client).
Retransmission time 30 seconds (number of seconds that the switch should
wait for a response to an EAP request/identity frame
from the client before resending the request).
Maximum retransmission number 2 times (number of times that the switch will send an
EAP-request/identity frame before restarting the
authentication process).
Host mode Single-host mode.
Client timeout period 30 seconds (when relaying a request from the
authentication server to the client, the amount of time the
switch waits for a response before resending the request
to the client.)
Authentication server timeout period 30 seconds (when relaying a response from the client to
the authentication server, the amount of time the switch
waits for a reply before resending the response to the
server. This setting is not configurable.)
Table 8-2 Default IEEE 802.1x Configuration (continued)
Feature Default Setting