Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication
IEEE 802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:
• When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:
  – Trunk port—If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
  – Dynamic-access ports—If you try to enable IEEE 802.1x on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.
  – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1x on a SPAN or RSPAN source port.
• You can configure any VLAN except an RSPAN VLAN or a private VLAN.
• The IEEE 802.1x with VLAN assignment feature is not supported on private-VLAN ports, trunk ports, or ports with dynamic-access port assignment through a VMPS.
• You can configure IEEE 802.1x on a private-VLAN port, but do not configure IEEE 802.1x with port security on private-VLAN ports.
• Before globally enabling IEEE 802.1x on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured.
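
The guidelines above can be checked against a candidate configuration before it is pushed to a switch. The following is an added example, not part of the Cisco guide: a small Python lint that flags interfaces where IEEE 802.1x is combined with a port type or feature the guidelines rule out. The function name `audit`, the sample configuration, and the choice of `dot1x port-control auto` as the marker of an 802.1x-enabled port are assumptions made for the example.

```python
import re

# Constructed sample candidate config (not from the guide); names are illustrative.
SAMPLE_CONFIG = """\
monitor session 1 destination interface FastEthernet0/4
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode trunk
 dot1x port-control auto
interface FastEthernet0/3
 channel-group 1 mode on
 dot1x port-control auto
interface FastEthernet0/4
 dot1x port-control auto
interface FastEthernet0/5
 switchport mode private-vlan host
 switchport port-security
 dot1x port-control auto
"""

# (regex matched against each interface sub-command, port type named in the guidelines)
RULES = [
    (r"switchport mode trunk", "trunk port"),
    (r"switchport access vlan dynamic", "dynamic-access (VQP) port"),
    (r"channel-group \d+", "EtherChannel member"),
]

def audit(config):
    """Return {interface: [conflicts]} for 802.1x-enabled ports that break a guideline."""
    span_dst = set(re.findall(r"^monitor session \d+ destination interface (\S+)", config, re.M))
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("interface "):
            continue  # global section, not an interface stanza
        name = lines[0].split()[1]
        if "dot1x port-control auto" not in lines:
            continue  # assumption: only this command marks the port as 802.1x-enabled
        hits = [msg for pat, msg in RULES if any(re.match(pat, l) for l in lines)]
        if name in span_dst:
            hits.append("SPAN/RSPAN destination (802.1x stays disabled)")
        if any(l.startswith("switchport mode private-vlan") for l in lines) and "switchport port-security" in lines:
            hits.append("port security on private-VLAN port")
        if hits:
            findings[name] = hits
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports FastEthernet0/2 through 0/5 and leaves the plain static-access port FastEthernet0/1 unflagged.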

Maximum Number of Allowed Devices Per Port

This is the maximum number of devices allowed on an IEEE 802.1x-enabled port:
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP phone is allowed for the voice VLAN.
• In multihost mode, only one IEEE 802.1x supplicant is allowed on the port, but an unlimited number of non-IEEE 802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the voice VLAN.