Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 8 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Authentication
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:

- When 802.1X is enabled, ports are authenticated before any other Layer 2 feature is enabled.
- The 802.1X protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it is not supported on these port types:
  - Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, an error message appears, and the port mode is not changed.
  - Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, an error message appears, and the port mode is not changed.
  - Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  - EtherChannel port—Do not configure a port that is an active member of an EtherChannel as an 802.1X port. If 802.1X is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  - Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1X on a port that is a SPAN or RSPAN destination port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1X on a SPAN or RSPAN source port.
- You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1X guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
- When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
- The 802.1X with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
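
The guidelines above can be checked against a configuration template before it reaches a switch. The following Python linter is an added example, not part of the Cisco guide: it flags 802.1X-enabled interfaces that conflict with the trunk, dynamic, dynamic-access, EtherChannel, guest VLAN, and voice VLAN rules (SPAN destination ports are not checked). It assumes the usual IOS running-config forms of `dot1x port-control auto`, `dot1x guest-vlan`, `switchport`, `channel-group`, and `remote-span`; the sample configuration, interface names, and VLAN IDs are constructed.

```python
import re

# Constructed running-config fragment: interface names and VLAN IDs are made up.
SAMPLE = """\
vlan 900
 remote-span
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 dot1x port-control auto
 dot1x guest-vlan 20
interface GigabitEthernet0/2
 switchport mode trunk
 dot1x port-control auto
interface GigabitEthernet0/3
 switchport access vlan 110
 switchport voice vlan 110
 channel-group 1 mode active
 dot1x port-control auto
 dot1x guest-vlan 900
"""

def value(cmds, prefix):
    """Argument that follows `prefix` in a block, or None if the command is absent."""
    return next((c[len(prefix) + 1:] for c in cmds if c.startswith(prefix + " ")), None)

def audit(config):
    """Return {interface: [guideline conflicts]} for ports with 802.1X enabled."""
    chunks = [c.splitlines() for c in re.split(r"\n(?=\S)", config.strip())]
    blocks = {c[0].strip(): [l.strip() for l in c[1:]] for c in chunks}
    rspan = {h.split()[1] for h, c in blocks.items() if h.startswith("vlan ") and "remote-span" in c}
    voice = {value(c, "switchport voice vlan") for c in blocks.values()} - {None}
    report = {}
    for head, cmds in blocks.items():
        if not head.startswith("interface ") or "dot1x port-control auto" not in cmds:
            continue  # only ports where 802.1X is enabled are subject to the guidelines
        mode = value(cmds, "switchport mode") or ""
        access, guest = value(cmds, "switchport access vlan"), value(cmds, "dot1x guest-vlan")
        checks = [
            (mode == "trunk", "trunk port"),
            (mode.startswith("dynamic"), "dynamic port"),
            (access == "dynamic", "dynamic-access (VQP) port"),
            (value(cmds, "channel-group") is not None, "EtherChannel member"),
            (guest in rspan, "guest VLAN is an RSPAN VLAN"),
            (guest in voice, "guest VLAN is a voice VLAN"),
            (access is not None and access == value(cmds, "switchport voice vlan"), "port VLAN equals voice VLAN"),
        ]
        report[head.split()[1]] = [msg for hit, msg in checks if hit]
    return report
```

An empty list for an interface means none of the checked guidelines is violated; interfaces without `dot1x port-control auto` are omitted from the report.
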

Table 8-1 Default 802.1X Configuration (continued)

| Feature | Default Setting |
|---|---|
| Guest VLAN | None specified. |
| Client timeout period | 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.) |
| Authentication server timeout period | 30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before resending the response to the server. This setting is not configurable.) |