10-32
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
routed ports, but it is not supported on these port types:
Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message
appears, and 802.1x authentication is not enabled. If you try to change the mode of
an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1x authentication on a dynamic port, an error message appears,
and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled
port to dynamic, an error message appears, and the port mode is not changed.
Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not
enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error
message appears, and the VLAN configuration is not changed.
EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable 802.1x authentication on a port that is a SPAN or RSPAN destination port.
However, 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN
destination port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
Before globally enabling 802.1x authentication on a switch by entering the dot1x
system-auth-control global configuration command, remove the EtherChannel configuration from
the interfaces on which 802.1x authentication and EtherChannel are configured.
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and
inaccessible authentication bypass:
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
You can configure 802.1x authentication on a private-VLAN port, but do not configure 802.1x
authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user
ACL on private-VLAN ports.
You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as
an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports)
or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting
the 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x
authentication process (authentication timer inactivity or dot1x timeout quiet-period) and
authentication timer reauthentication or dot1x timeout tx-period) interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
When configuring the inaccessible authentication bypass feature, follow these guidelines:
The feature is supported on 802.1x port in single-host mode and multihosts mode.