10-38
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
802.1x Authentication Configuration Guidelines
• 802.1x Authentication, page 10-38
• VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass,
page 10-39
• MAC Authentication Bypass, page 10-40
• Maximum Number of Allowed Devices Per Port, page 10-40
802.1x Authentication
• When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2
feature is enabled.
• If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and
does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS
server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port
becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port
is assigned shuts down or is removed.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it
is not supported on these port types:
–
Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not
enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error
message appears, and the VLAN configuration is not changed.
Client timeout period 30 seconds (when relaying a request from the authentication server to the
client, the amount of time the switch waits for a response before resending the
request to the client.)
Authentication server timeout period 30 seconds (when relaying a response from the client to the authentication
server, the amount of time the switch waits for a reply before resending the
response to the server.)
You can change this timeout period by using the authentication timer server
interface configuration command.
Inactivity timeout Disabled.
Guest VLAN None specified.
Inaccessible authentication bypass Disabled.
Restricted VLAN None specified.
Authenticator (switch) mode None specified.
MAC authentication bypass Disabled.
Voice-aware security Disabled
Table 10-4 Default 802.1x Authentication Configuration (continued)
Feature Default Setting
To Next Page
Loading...
Need help?
General
