Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-10
Chapter 10 Configuring 802.1x Port-Based Authentication
Configuring 802.1x Authentication
802.1x Configuration Guidelines
These are the 802.1x authentication configuration guidelines:
- When 802.1x is enabled, ports are authenticated before any other Layer 2 features are enabled.
- The 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it is not
  supported on these port types:
  - Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x
    is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, the port mode
    is not changed.
  - Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
    port. If you try to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not
    enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, the port mode is
    not changed.
  - Dynamic-access ports—If you try to enable 802.1x on a dynamic-access (VLAN Query
    Protocol [VQP]) port, an error message appears, and 802.1x is not enabled. If you try to change
    an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the
    VLAN configuration is not changed.
  - EtherChannel ports—Do not configure a port that is an active or a not-yet-active member of an
    EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error
    message appears, and 802.1x is not enabled.
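
The port-type restrictions above, turned into a pre-rollout check (an added example, not part of the Cisco guide): it reads an IOS-style configuration and lists, per interface, the guideline reasons 802.1x cannot be enabled there. The sample configuration is constructed, the function names are hypothetical, and treating a port with no explicit access mode as dynamic is an assumption.

```python
import re

# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan dynamic
!
interface FastEthernet0/5
 switchport mode access
 channel-group 1 mode on
!
interface FastEthernet0/6
"""

def dot1x_blockers(lines):
    """List the guideline reasons a port cannot run 802.1x (empty = eligible)."""
    reasons = []
    if "switchport mode trunk" in lines:
        reasons.append("trunk port")
    elif any(l.startswith("switchport mode dynamic") for l in lines):
        reasons.append("dynamic port")
    elif "switchport mode access" not in lines:
        # Assumption: without an explicit access mode the port may still negotiate trunking.
        reasons.append("dynamic port (no explicit access mode)")
    if "switchport access vlan dynamic" in lines:
        reasons.append("dynamic-access (VQP) port")
    if any(l.startswith("channel-group ") for l in lines):
        reasons.append("EtherChannel member")
    return reasons

def audit(config):
    """Map each interface name to its list of 802.1x blockers."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: dot1x_blockers([l.strip() for l in body.splitlines()]) for name, body in blocks}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'eligible' if not reasons else 'blocked: ' + ', '.join(reasons)}")
```

Ports reported as blocked are the ones that 802.1x will not cover until their mode is changed to static access, so they need another control or a configuration change before rollout.
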

Table 10-1 Default 802.1x Configuration (continued)

Feature                               Default Setting
------------------------------------  ----------------------------------------------------------
Quiet period                          60 seconds (number of seconds that the switch remains in
                                      the quiet state following a failed authentication exchange
                                      with the client).
Retransmission time                   30 seconds (number of seconds that the switch should
                                      wait for a response to an EAP request/identity frame
                                      from the client before resending the request).
Maximum retransmission number         2 times (number of times that the switch will send an
                                      EAP-request/identity frame before restarting the
                                      authentication process).
Host mode                             Single-host mode.
Guest VLAN                            None specified.
Client timeout period                 30 seconds (when relaying a request from the
                                      authentication server to the client, the amount of time the
                                      switch waits for a response before resending the request
                                      to the client).
Authentication server timeout period  30 seconds (when relaying a response from the client to
                                      the authentication server, the amount of time the switch
                                      waits for a reply before resending the response to the
                                      server. This setting is not configurable.)