10-39
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
– EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable 802.1x authentication on a port that is a SPAN or RSPAN destination port.
However, 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN
destination port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
• Before globally enabling 802.1x authentication on a switch by entering the dot1x
system-auth-control global configuration command, remove the EtherChannel configuration from
the interfaces on which 802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication. See the “Authentication Manager CLI Commands” section on page 10-10.
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting
the 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x
authentication process (the authentication timer inactivity or dot1x timeout quiet-period, and
authentication timer reauthentication or dot1x timeout tx-period, interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
– The feature is supported on an 802.1x port in single-host mode and multihosts mode.
– If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
– If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
– You can configure the inaccessible authentication bypass feature and the restricted VLAN on
an 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all
the RADIUS servers are unavailable, the switch changes the port state to the critical authentication
state, and the port remains in the restricted VLAN.
– You can configure the inaccessible bypass feature and port security on the same switch port.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted
VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on access
ports.
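
The following script is an added example, not part of the Cisco guide: it audits a saved configuration for 802.1x ports that break the EtherChannel, trunk-port, voice VLAN, and RSPAN VLAN guidelines above. The sample configuration is constructed, and the script assumes both the `authentication ...` and the older `dot1x ...` forms of the interface commands may appear.

```python
import re
# Constructed sample config (not from the guide); interface and VLAN numbers are made up.
SAMPLE = """\
vlan 900
 remote-span
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 10
 authentication port-control auto
interface GigabitEthernet0/2
 switchport mode trunk
 authentication port-control auto
 authentication event no-response action authorize vlan 20
interface GigabitEthernet0/3
 channel-group 1 mode active
 dot1x port-control auto
interface GigabitEthernet0/4
 switchport voice vlan 50
 authentication port-control auto
 authentication event fail action authorize vlan 900
"""
# Guest VLAN (no-response / dot1x guest-vlan) and restricted VLAN (fail / dot1x auth-fail vlan)
SPECIAL = (r"^(?:authentication event (?:no-response|fail(?: retry \d+)?) action authorize vlan"
           r"|dot1x (?:guest-vlan|auth-fail vlan)) (\d+)$")

def audit(cfg):
    """Return (port, problem) pairs for 802.1x ports that break the guidelines above."""
    blocks = [b.splitlines() for b in re.split(r"\n(?=\S)", cfg) if b.strip()]
    rspan = {b[0].split()[1] for b in blocks if b[0].startswith("vlan ")
             and any(l.strip() == "remote-span" for l in b[1:])}
    out = []
    for b in blocks:
        body = "\n".join(l.strip() for l in b[1:])
        get = lambda pat: re.findall(pat, body, re.M)
        if not b[0].startswith("interface ") or not get(r"^(?:authentication|dot1x) port-control auto$"):
            continue  # only interfaces with 802.1x enabled are checked
        port, voice, special = b[0].split()[1], get(r"^switchport voice vlan (\d+)$"), get(SPECIAL)
        if get(r"^channel-group \d+"):
            out.append((port, "802.1x on EtherChannel member"))
        if special and get(r"^switchport mode trunk$"):
            out.append((port, "guest/restricted VLAN on trunk port"))
        if voice and get(r"^switchport access vlan (\d+)$") == voice:
            out.append((port, "port VLAN equals voice VLAN"))
        out += [(port, f"guest/restricted VLAN {v} is an RSPAN or voice VLAN")
                for v in special if v in rspan or v in voice]  # voice = this port's voice VLAN
    return out

if __name__ == "__main__":
    print(*(f"{port}: {problem}" for port, problem in audit(SAMPLE)), sep="\n")
```

The voice VLAN comparison is per port; a guest or restricted VLAN that matches a voice VLAN configured only on other ports is not flagged by this script.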