Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
802.1x Authentication Configuration Guidelines
This section has configuration guidelines for these features:
802.1x Authentication
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
MAC Authentication Bypass
Maximum Number of Allowed Devices Per Port

802.1x Authentication

When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2
feature is enabled.
If you try to change the mode of an 802.1x-enabled port (for example, from access to trunk), an error
message appears, and the port mode is not changed.
If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and
does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS
server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned is shut down, disabled, or removed, the port
becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port
is assigned shuts down or is removed.
The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it
is not supported on these port types:
Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message
appears, and 802.1x authentication is not enabled. If you try to change the mode of
an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1x authentication on a dynamic port, an error message appears,
and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled
port to dynamic, an error message appears, and the port mode is not changed.
Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not
enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error
message appears, and the VLAN configuration is not changed.
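
The port-type rules above, as an added example that is not part of the Cisco guide: a Python check that sorts each interface stanza of a saved configuration into the port types named in these guidelines and reports whether 802.1x can be enabled on it and whether it already is. The sample configuration is constructed, and treating a stanza with no switchport mode line as dynamic is an assumption about the platform default.

```python
import re

# Constructed sample of interface stanzas (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 110
 authentication port-control auto
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport access vlan dynamic
!
interface GigabitEthernet0/5
 switchport mode access
!
"""

def port_type(lines):
    """Classify one stanza into the port types named in the guidelines."""
    if "switchport access vlan dynamic" in lines:
        return "dynamic-access"          # VQP-assigned VLAN
    modes = [l.split()[2] for l in lines if l.startswith("switchport mode ")]
    if not modes:
        return "dynamic"                 # assumption: no explicit mode means the port negotiates
    return {"access": "static-access", "trunk": "trunk"}.get(modes[-1], "dynamic")

def audit(config):
    """Return {interface: (port type, 802.1x supported, 802.1x configured)}."""
    report, name, body = {}, None, []
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        if line.startswith("interface "):
            name, body = line.split(None, 1)[1], []
        elif line == "!" and name:
            kind = port_type(body)
            enabled = any(l.endswith("port-control auto") for l in body)
            report[name] = (kind, kind == "static-access", enabled)
            name = None
        elif name:
            body.append(line)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A port reported as supported but not configured (GigabitEthernet0/5 in the sample) is a static-access port that is still open without authentication.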
Table 10-4 Default 802.1x Authentication Configuration (continued)
Feature                      Default Setting
MAC authentication bypass    Disabled
Voice-aware security         Disabled