10-11
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter 10 Configuring 802.1x Port-Based Authentication
Configuring 802.1x Authentication
• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x on a port that is a SPAN destination, an RSPAN destination, or an RSPAN reflector port. However, 802.1x is disabled until the port is removed as a SPAN destination, an RSPAN destination, or an RSPAN reflector port. You can enable 802.1x on a SPAN or RSPAN source port.
• LRE switch ports—802.1x is not supported on an LRE switch interface that is connected to a Cisco 585 LRE CPE device.
• You can configure any VLAN, except RSPAN VLANs or voice VLANs (VVIDs), as an 802.1x guest VLAN.
• The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
• When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
• The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
• Before globally enabling 802.1x on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which 802.1x and EtherChannel are configured.
• If you are using a device running the Cisco Access Control Server (ACS) application for 802.1x authentication with EAP-Transport Layer Security (EAP-TLS) and EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.
• After you configure a guest VLAN on an 802.1x port to which a DHCP client is connected, the client might need to obtain a host IP address from a DHCP server again. You can also adjust the switch's 802.1x timers so that the 802.1x authentication process restarts before the DHCP process on the client times out and retries obtaining an address: decrease the 802.1x quiet period and the switch-to-client transmission time.
Upgrading from a Previous Software Release
In Cisco IOS Release 12.1(14)EA1, the implementation for 802.1x changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.
If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global configuration command. If 802.1x was running in multiple-hosts mode on an interface in the previous release, make sure to reconfigure it by using the dot1x host-mode multi-host interface configuration command.
Enabling 802.1x Authentication
To enable 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence of authentication methods to be queried to authenticate a user.

The software uses the first method listed to authenticate users; if that method fails to respond (for example, because no server in the group can be reached), the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle (a method responds but rejects the user), the authentication process stops, and no other authentication methods are attempted.
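The distinction above matters in practice: a later method in the list is a fallback for an unreachable server, not for a rejected user, and a list that ends with the IOS `none` method (not discussed on this page) turns a server outage into fail-open. The following Python model is an added illustration, not code from the Catalyst guide or from Cisco; the user names, passwords, server names and reachability flags are constructed for the example.

```python
"""Model of AAA method-list evaluation as the text describes it.

Added illustration, not code from the Catalyst guide. The method names
mirror IOS method keywords ('group radius', 'local', 'none'); the user
database and server reachability flags are constructed for this example.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"      # method answered: credentials accepted
    FAIL = "fail"      # method answered: credentials rejected
    ERROR = "error"    # method did not respond (server unreachable, timeout)


# A method is any callable taking (user, password) and returning a Result.
Method = Callable[[str, str], Result]


def radius_group(servers: Dict[str, bool], db: Dict[str, str]) -> Method:
    """Model a 'group radius' method. `servers` maps server name -> reachable.
    With no reachable server the group cannot answer and returns ERROR."""
    def method(user: str, password: str) -> Result:
        if not any(servers.values()):
            return Result.ERROR
        return Result.PASS if db.get(user) == password else Result.FAIL
    return method


def local_database(db: Dict[str, str]) -> Method:
    """Model the 'local' method: the switch's own user table always answers."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if db.get(user) == password else Result.FAIL
    return method


def method_none() -> Method:
    """Model the 'none' method: no authentication, every request passes."""
    def method(user: str, password: str) -> Result:
        return Result.PASS
    return method


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[Result, List[str]]:
    """Walk the method list the way the text describes.

    ERROR (no response) falls through to the next method; PASS and FAIL
    stop the walk immediately. Exhausting the list without an answer leaves
    the result as ERROR and the port stays unauthorized. Returns the final
    result and the names of the methods that were actually consulted.
    """
    consulted: List[str] = []
    for name, method in method_list:
        consulted.append(name)
        outcome = method(user, password)
        if outcome is not Result.ERROR:
            return outcome, consulted
    return Result.ERROR, consulted


def demo() -> Dict[str, Result]:
    """Constructed scenarios showing where fall-through does and does not
    happen. Users, passwords and server names are invented for this example."""
    radius_db = {"alice": "s3cret"}                     # what RADIUS knows
    local_db = {"alice": "s3cret", "admin": "fallback"}  # switch's local table
    up = {"radius1": True}
    down = {"radius1": False}

    results: Dict[str, Result] = {}
    # RADIUS reachable and rejects 'admin': the switch stops. 'local' is never
    # asked, even though the local table would have accepted the password.
    results["reject_no_fallthrough"] = authenticate(
        [("group radius", radius_group(up, radius_db)),
         ("local", local_database(local_db))], "admin", "fallback")[0]
    # RADIUS unreachable: ERROR falls through to 'local', which accepts.
    results["unreachable_fallthrough"] = authenticate(
        [("group radius", radius_group(down, radius_db)),
         ("local", local_database(local_db))], "admin", "fallback")[0]
    # Only method unreachable: nothing answered, the port stays unauthorized.
    results["all_unreachable"] = authenticate(
        [("group radius", radius_group(down, radius_db))], "alice", "s3cret")[0]
    # Ending the list with 'none' converts the same outage into fail-open.
    results["none_fail_open"] = authenticate(
        [("group radius", radius_group(down, radius_db)),
         ("none", method_none())], "mallory", "anything")[0]
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:26s} -> {result.value}")
```

Running the block prints one line per scenario. The two results worth remembering when you write the real `aaa authentication dot1x` method list are the first (a RADIUS reject is final, so `local` does not rescue a mistyped password) and the last (a trailing `none` silently admits everyone whenever the RADIUS servers are down).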