Cisco Systems 3560X, 3750-X, WSC3750X48TS Configuring 802.1x Readiness Check

11-38

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

–

If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,

receiving an EAP-Success message on a critical port might not re-initiate the DHCP

configuration process.

–

You can configure the inaccessible authentication bypass feature and the restricted VLAN on

an 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all

the RADIUS servers are unavailable, switch changes the port state to the critical authentication

state and remains in the restricted VLAN.

–

You can configure the inaccessible bypass feature and port security on the same switch port.

• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted

VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk

ports; it is supported only on access ports.

These are the MAC authentication bypass configuration guidelines:

• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x

authentication guidelines. For more information, see the “802.1x Authentication” section on

page 11-36.

• If you disable MAC authentication bypass from a port after the port has been authorized with its

MAC address, the port state is not affected.

• If the port is in the unauthorized state and the client MAC address is not the authentication-server

database, the port remains in the unauthorized state. However, if the client MAC address is added to

the database, the switch can use MAC authentication bypass to re-authorize the port.

• If the port is in the authorized state, the port remains in this state until re-authorization occurs.

This is the maximum number of devices allowed on an 802.1x-enabled port:

• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with

a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice

VLAN.

• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one

IP phone is allowed for the voice VLAN.

• In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of

non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on

the voice VLAN.

Configuring 802.1x Readiness Check

The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information

about the devices connected to the ports that support 802.1x. You can use this feature to determine if the

devices connected to the switch ports are 802.1x-capable.

The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness

check is not available on a port that is configured as dot1x force-unauthorized.