10-55
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command.
The port returns to the unauthorized state.
This example shows how to enable VLAN 2 as an 802.1x guest VLAN:
Switch(config)# interface gigabitethernet2/0/2
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# dot1x guest-vlan 2
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that
the switch waits for a response to an EAP-request/identity frame from the client before re-sending the
request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP
client:
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2
Configuring a Restricted VLAN
When you configure a restricted VLAN on a switch stack or a switch, clients that are 802.1x-compliant
are moved into the restricted VLAN when the authentication server does not receive a valid username
and password. The switch supports restricted VLANs only in single-host mode.
Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure
is optional.
Step 7 show authentication interface-id
or
show dot1x interface interface-id
Verify your entries.
Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
For the supported port types, see the “802.1x Authentication
Configuration Guidelines” section on page 10-38.
Step 3 switchport mode access Set the port to access mode.
Step 4 authentication port-control auto
or
dot1x port-control auto
Enable 802.1x authentication on the port.
Step 5 authentication event fail action
authorize vlan-id
Specify an active VLAN as an 802.1x restricted VLAN. The range is
1 to 4094.
You can configure any active VLAN except an RSPAN VLAN or a voice
VLAN as an 802.1x restricted VLAN.
Step 6 end Return to privileged EXEC mode.