1-40
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
• When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the
switch grants the phones network access without authenticating them. We recommend that you use
multidomain authentication (MDA) on the port to authenticate both a data device and a voice device,
such as an IP phone.
Note Only Catalyst 3750, 3560, and 2960 switches support CDP bypass. The Catalyst 3750-X,
3560-X, 3750-E, and 3560-E switches do not support CDP bypass.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication. See the “Authentication Manager CLI Commands” section on page 1-9.
Note This switch does not support Cisco Discovery Protocol (CDP) bypass.
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and
inaccessible authentication bypass:
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
• You can configure 802.1x authentication on a private-VLAN port, but do not configure IEEE 802.1x
authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user
ACL on private-VLAN ports.
• You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or
trunk ports; it is supported only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting
the 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x
authentication process (authentication timer inactivity and authentication timer
reauthentication interface configuration commands). The amount to decrease the settings depends
on the connected 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
–
The feature is supported on 802.1x port in single-host mode and multihosts mode.
–
If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
–
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
To Next Page
Loading...
Need help?
General
