Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
46-59
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
%PM-4-ERR_DISABLE: security-violation error detected on <interface name>, putting
<interface name> in err-disable state
Configuring 802.1X with Guest VLANs
You can configure a guest VLAN for each 802.1X port on the Catalyst 4500 series switch to provide
limited services to clients, such as downloading the 802.1X client. These clients might be upgrading
their system for 802.1X authentication, and some hosts, such as Windows 98 systems, might not be
802.1X-capable.
When you enable a guest VLAN on an 802.1X port, the Catalyst 4500 series switch assigns clients to a
guest VLAN, provided one of the following applies:
The authentication server does not receive a response to its EAPOL request or identity frame.
The EAPOL packets are not sent by the client.
Beginning with Cisco IOS Release 12.2(25)EWA, the Catalyst 4500 series switch maintains the EAPOL
packet history. If another EAPOL packet is detected on the interface during the lifetime of the link,
network access is denied. The EAPOL history is reset upon loss of the link.
Any number of 802.1X-incapable clients are allowed access when the switch port is moved to the guest
VLAN. If an 802.1X-capable client joins the same port on which the guest VLAN is configured, the port
is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.
Note: When a port is put into a guest VLAN, it is automatically placed into multihost mode, and an unlimited
number of hosts can connect using the port. Changing the multihost configuration does not affect a port
in a guest VLAN.
Note: Except for an RSPAN VLAN or a voice VLAN, you can configure any active VLAN as an 802.1X guest
VLAN.
To configure 802.1X with guest VLAN on a port, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# interface interface-id
        Purpose: Enters interface configuration mode and specifies the interface to be
                 enabled for 802.1X authentication.
Step 3  Command: Switch(config-if)# switchport mode access
        Purpose: Specifies a nontrunking, nontagged single VLAN Layer 2 interface.
        or
        Command: Switch(config-if)# switchport mode private-vlan host
        Purpose: Specifies that the ports with a valid PVLAN trunk association become active
                 host PVLAN trunk ports.
Step 4  Command: Switch(config-if)# dot1x pae authenticator
        Purpose: Enables 802.1X authentication on the port with default parameters.
                 Refer to the “Default 802.1X Configuration” section on page 46-30.
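The following audit script is an added example, not part of the Cisco guide. It checks a running-config excerpt against the constraints stated above: the guest VLAN must not be an RSPAN or voice VLAN, and the port needs the mode from Step 3 and the authenticator role from Step 4. The guest-VLAN command form it matches (`authentication event no-response action authorize vlan`) is an assumption, since the task table on this page ends before that step; `remote-span` and `switchport voice vlan` are standard IOS commands not shown on this page, and the sample configuration is constructed.

```python
import re
# Constructed running-config excerpt for illustration; ports and VLAN IDs are made up.
SAMPLE_CONFIG = """\
vlan 900
 remote-span
interface GigabitEthernet2/1
 switchport mode access
 switchport voice vlan 60
 dot1x pae authenticator
 authentication event no-response action authorize vlan 50
interface GigabitEthernet2/2
 switchport mode access
 dot1x pae authenticator
 authentication event no-response action authorize vlan 60
interface GigabitEthernet2/3
 switchport mode trunk
 authentication event no-response action authorize vlan 900
"""
# Assumed guest-VLAN command form; the page's task table ends before that step.
GUEST_RE = re.compile(r"authentication event no-response action authorize vlan (\d+)")
MODES = {"switchport mode access", "switchport mode private-vlan host"}

def parse_blocks(config):
    """Group indented sub-commands under their top-level header line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def audit_guest_vlans(config):
    """Return {interface: [findings]} for every port that sets a guest VLAN."""
    blocks = parse_blocks(config)
    rspan = {h.split()[1] for h, b in blocks.items() if h.startswith("vlan ") and "remote-span" in b}
    voice = {c.split()[-1] for b in blocks.values() for c in b if c.startswith("switchport voice vlan ")}
    report = {}
    for header, body in blocks.items():
        guest = next((m.group(1) for c in body if (m := GUEST_RE.fullmatch(c))), None)
        if header.startswith("interface ") and guest:
            checks = [
                (guest in rspan, f"guest VLAN {guest} is an RSPAN VLAN"),
                (guest in voice, f"guest VLAN {guest} is used as a voice VLAN"),
                (not MODES & set(body), "port is not in access or private-vlan host mode"),
                ("dot1x pae authenticator" not in body, "dot1x pae authenticator is missing"),
            ]
            report[header.split(maxsplit=1)[1]] = [msg for bad, msg in checks if bad]
    return report
```

Calling `audit_guest_vlans(SAMPLE_CONFIG)` returns an empty finding list for a compliant port and one message per violated constraint otherwise.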

Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E