Cisco Systems 2960 Model Vehicle User Manual


  Open as PDF
of 1004
 
10-41
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the
switch:
This example shows how to enable a readiness check on a switch to query a port. It also shows the
response received from the queried port verifying that the device connected to it is 802.1x-capable:
switch# dot1x test eapol-capable interface gigabitethernet1/0/13
switch# dot1x test eapol-capable interface gigabitethernet0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL
capable
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet0/13 is EAPOL
capable
Configuring Voice Aware 802.1x Security
Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.
You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a
security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone
deployments where a PC is connected to the IP phone. A security violation found on the data VLAN
results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch
without interruption.
Follow these guidelines to configure voice aware 802.1x voice security on the switch:
You enable voice aware 802.1x security by entering the errdisable detect cause security-violation
shutdown vlan global configuration command. You disable voice aware 802.1x security by entering
the no version of this command. This command applies to all 802.1x-configured ports in the switch.
Note If you do not include the shutdown vlan keywords, the entire port is shut down when it enters the
error-disabled state.
Command Purpose
Step 1
dot1x test eapol-capable [interface
interface-id]
Enable the 802.1x readiness check on the switch.
(Optional) For interface-id specify the port on which to check for 802.1x
readiness.
Note If you omit the optional interface keyword, all interfaces on the
switch are tested.
Step 1
configure terminal (Optional) Enter global configuration mode.
Step 2
dot1x test timeout timeout (Optional) Configure the timeout used to wait for EAPOL response. The
range is from 1 to 65535 seconds. The default is 10 seconds.
Step 3
end (Optional) Return to privileged EXEC mode.
Step 4
show running-config (Optional) Verify your modified timeout values.