Cisco Systems 3560-X, 3750-X Configuring Voice Aware 802.1x Security

11-39

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Configuring 802.1x Authentication

Follow these guidelines to enable the readiness check on the switch:

• The readiness check is typically used before 802.1x is enabled on the switch.

• If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface,

all the ports on the switch stack are tested.

• When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link

comes up, the port queries the connected client about its 802.1x capability. When the client responds

with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds

within the timeout period. If the client does not respond to the query, the client is not

802.1x-capable. No syslog message is generated.

• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is

connected to an IP phone). A syslog message is generated for each of the clients that respond to the

readiness check within the timer period.

Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the

switch:

This example shows how to enable a readiness check on a switch to query a port. It also shows the

response received from the queried port verifying that the device connected to it is 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/0/13

DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL

capable

Configuring Voice Aware 802.1x Security

You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a

security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone

deployments where a PC is connected to the IP phone. A security violation found on the data VLAN

results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch

without interruption.

Follow these guidelines to configure voice aware 802.1x voice security on the switch:

• You enable voice aware 802.1x security by entering the reducible detect cause security-violation

shutdown vlan global configuration command. You disable voice aware 802.1x security by entering

the no version of this command. This command applies to all 802.1x-configured ports in the switch.

Command Purpose

Step 1 dot1x test eapol-capable [interface

interface-id]

Enable the 802.1x readiness check on the switch.

(Optional) For interface-id specify the port on which to check for

IEEE 802.1x readiness.

Note If you omit the optional interface keyword, all interfaces on the

switch are tested.

Step 1 configure terminal (Optional) Enter global configuration mode.

Step 2 dot1x test timeout timeout (Optional) Configure the timeout used to wait for EAPOL response. The

range is from 1 to 65535 seconds. The default is 10 seconds.

Step 3 end (Optional) Return to privileged EXEC mode.

Step 4 show running-config (Optional) Verify your modified timeout values.