Catalyst 2940 Switch Software Configuration Guide
78-15507-02
Chapter 8 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Authentication
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
• The 802.1X protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
  - Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  - Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
  - Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  - EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  - Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port. You can enable 802.1X on a SPAN or RSPAN source port.
  - LRE switch ports—802.1X is not supported on an LRE switch interface that is connected to a Cisco 585 LRE CPE device.
• You can configure any VLAN, except RSPAN VLANs or voice VVIDs, as an 802.1X guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
• When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
• The 802.1X with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
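
An added example (not from the Cisco guide): a short Python audit that applies the port-type and voice VLAN guidelines above to a saved configuration file, and also flags a missing global dot1x system-auth-control command, which this guide requires for 802.1X to operate. The sample configuration is constructed, and treating "dot1x port-control auto" as the marker of an 802.1X-enabled port, and VLAN 1 as the default access VLAN, are assumptions of the example.

```python
import re

# Constructed sample (not from the guide); it has no global "dot1x system-auth-control".
SAMPLE = """\
interface FastEthernet0/2
 switchport mode trunk
 dot1x port-control auto
interface FastEthernet0/3
 switchport access vlan dynamic
 dot1x port-control auto
interface FastEthernet0/4
 channel-group 1 mode on
 dot1x port-control auto
interface FastEthernet0/5
 switchport access vlan 20
 switchport voice vlan 20
 dot1x port-control auto
"""

# Interface lines that conflict with 802.1X according to the guidelines.
CONFLICTS = [
    ("trunk port", r"^switchport mode trunk$"),
    ("dynamic port", r"^switchport mode dynamic\b"),
    ("dynamic-access (VQP) port", r"^switchport access vlan dynamic$"),
    ("EtherChannel member", r"^channel-group \d+"),
]

def audit_dot1x(config):
    """Return (scope, finding) tuples for an IOS-style configuration text."""
    blocks, current, findings = {}, None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    # Assumption: "dot1x port-control auto" marks an 802.1X-enabled port.
    enabled = {n: b for n, b in blocks.items() if "dot1x port-control auto" in b}
    for name, body in enabled.items():
        text = "\n".join(body)
        findings += [(name, label) for label, rx in CONFLICTS if re.search(rx, text, re.M)]
        access = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        voice = re.search(r"^switchport voice vlan (\d+)$", text, re.M)
        # Assumption: a port with no explicit access VLAN is in VLAN 1.
        if voice and (access.group(1) if access else "1") == voice.group(1):
            findings.append((name, "port VLAN equals voice VLAN"))
    if enabled and "dot1x system-auth-control" not in config.splitlines():
        findings.append(("global", "dot1x system-auth-control missing"))
    return findings
```

The switch itself rejects most of these combinations at the CLI, so the check is aimed at templated or hand-edited configuration files reviewed before they are loaded.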
Upgrading from a Previous Software Release
In Cisco IOS Release 12.1(19)EA1, the implementation for 802.1X changed from the previous release.
Some global configuration commands became interface configuration commands, and new commands
were added.
If you have 802.1X configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or
later, the configuration file will not contain the new commands, and 802.1X will not operate. After the
upgrade is complete, make sure to globally enable 802.1X by using the dot1x system-auth-control