Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-07
Chapter 10 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Authentication
802.1X Configuration Guidelines
These are some configuration guidelines and operating characteristics of 802.1X authentication:
- When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled.
- The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
  - Trunk port: If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  - Dynamic ports: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
  - Dynamic-access ports: If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  - EtherChannel port: Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  - Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports: You can enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port. You can enable 802.1X on a SPAN or RSPAN source port.
- For switches running the EI, if you try to enable 802.1X on a secure port without enabling the multiple-hosts mode, the switch returns an error message, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port without enabling the multiple-hosts mode, the switch returns an error message, and the security settings are not changed.
- When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
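The guidelines above can be checked against a staged configuration before it is pushed to a switch. The following is an added example, not code from this guide or from Cisco: the function name and the sample config are constructed, and it assumes the usual IOS interface command spellings (dot1x port-control auto, switchport mode, channel-group, switchport port-security, switchport voice vlan), which are not shown on this page. It inspects only explicitly configured lines and applies the secure-port check regardless of software image.

```python
import re

# Constructed sample of a staged config (not taken from the guide).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 20
 channel-group 1 mode on
 dot1x port-control auto
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 dot1x port-control auto
"""

def audit_dot1x(config):
    """Map each 802.1X-enabled interface to the guidelines it conflicts with."""
    findings = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        cmds = [l.strip() for l in block.splitlines() if l.strip() not in ("", "!")]
        if not cmds or "dot1x port-control auto" not in cmds:
            continue
        def val(prefix, default=None):
            return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), default)
        mode, issues = val("switchport mode ", ""), []
        if mode == "trunk" or mode.startswith("dynamic"):
            issues.append("trunk port" if mode == "trunk" else "dynamic port")
        if val("switchport access vlan ") == "dynamic":
            issues.append("dynamic-access (VQP) port")
        if val("channel-group "):
            issues.append("EtherChannel member")
        # Assumption: multiple-hosts mode appears under one of these two spellings.
        multi = {"dot1x multiple-hosts", "dot1x host-mode multi-host"} & set(cmds)
        if "switchport port-security" in cmds and not multi:
            issues.append("secure port without multiple-hosts mode")
        if val("switchport voice vlan ") == val("switchport access vlan ", "1"):
            issues.append("port VLAN equals voice VLAN")
        findings[cmds[0].split()[1]] = issues
    return findings
```

Calling audit_dot1x(SAMPLE_CONFIG) returns an empty list for a compliant port and one label per violated guideline otherwise.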
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you must enable AAA and specify the authentication
method list. A method list describes the sequence and authentication methods to be queried to
authenticate a user.
The software uses the first method listed to authenticate users; if that method fails to respond, the
software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.
To allow VLAN assignment (for switches running the EI), you need to enable AAA authorization to
configure the switch for all network-related service requests.