Cisco Systems, Inc.
www.cisco.com
Access Control on the Wired Network
This workflow describes a phased approach to deploy IEEE 802.1x port-based authentication to provide
secure and identity-based access control at the edge of the switch stack network.
Prerequisites for Access Control on the Wired Network
• Before globally enabling IEEE 802.1x authentication, remove the EtherChannel configuration from
all of the interfaces.
• Define the authenticator (switch) to RADIUS server communication.
• Initiate Extensible Authentication Protocol (EAP) over LAN (EAPoL) messaging to successfully
authenticate the end device (or supplicant).
• Based on your requirements, choose an appropriate EAP method. For information, see the Wired
802.1x Deployment Guide.
• Automate the certificate enrollment process for supplicants, as described in the Certificate
Autoenrollment in Windows Server 2003.
• Enable machine authentication for end points, such as printers, to ensure that user login is supported.
Restrictions for Access Control on the Wired Network
• You cannot configure an IEEE 802.1x port that is a member of an EtherChannel.
• Destination ports configured with Switched Port Analyzer (SPAN) and remote SPAN (RSPAN)
cannot be enabled with IEEE 802.1x authentication.
• You cannot enable an IEEE 802.1x port on trunk or dynamic ports. Dynamic ports can negotiate with
its neighbors to become a trunk.
• Do not use port security with IEEE 802.1x. When IEEE 802.1x is enabled, port security then
becomes redundant and might interfere with the IEEE 802.1x functionality.
Identify Configuration Values
To Next Page
Loading...
Need help?
General