29-15
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
802.1X Configuration Guidelines
This section describes the guidelines for configuring 802.1X authentication:
• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on the following port types:
  – Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  – Default ports—All ports default to dynamic-access ports (auto). Use the no switchport command to make a port a routed port.
  – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
  – EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
  – Switched Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
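As an added example (not from the guide), the following Python check reads a saved running-config and flags every 802.1X-enabled interface that falls into one of the unsupported port types listed above, so a misconfiguration is caught before the switch refuses or silently disables authentication. The configuration excerpt, interface names and SPAN session number are constructed assumptions; a port with neither an explicit switchport mode access line nor no switchport is treated as a default dynamic (auto) port.

```python
import re

# Constructed running-config excerpt (not from the guide); names are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet1/2
 switchport mode trunk
 dot1x port-control auto
!
interface GigabitEthernet1/3
 dot1x port-control auto
!
interface GigabitEthernet1/4
 switchport mode access
 channel-group 1 mode on
 dot1x port-control auto
!
interface GigabitEthernet1/5
 no switchport
 dot1x port-control auto
!
monitor session 1 destination interface GigabitEthernet1/1
"""

def audit_dot1x(config):
    """Map each 802.1X-enabled interface to the guideline problems found."""
    span_dest = set(re.findall(r"^monitor session \d+ destination interface (\S+)", config, re.M))
    findings = {}
    # Interface stanzas in a running-config are separated by lines containing only "!".
    for block in re.split(r"^!\s*$", config, flags=re.M):
        m = re.match(r"\s*interface (\S+)", block)
        lines = [l.strip() for l in block.splitlines()]
        if not m or not any(l.startswith("dot1x port-control") for l in lines):
            continue
        name, problems = m.group(1), []
        mode = next((l.split()[2] for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            problems.append("trunk port: 802.1X is refused")
        elif mode != "access" and "no switchport" not in lines:
            problems.append("dynamic port (default auto mode): 802.1X is refused")
        if any(l.startswith("channel-group") for l in lines):
            problems.append("EtherChannel member: remove from channel first")
        if name in span_dest:
            problems.append("SPAN destination: 802.1X stays disabled")
        if problems:
            findings[name] = problems
    return findings
```

Routed ports (no switchport) and static-access ports that are not SPAN destinations produce no finding, matching the supported cases in the guidelines.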
If you are planning to use either 802.1X accounting or VLAN assignment, be aware that both features use general AAA commands. For information on how to configure AAA, refer to “Enabling 802.1X Authentication” on page 16 and “Enabling 802.1X Accounting” on page 19. Alternatively, you can refer to the Cisco IOS security documentation.
Refer to the following Cisco IOS security documentation for information on how to configure AAA system accounting:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
Table 29-1 Default 802.1X Configuration (continued)

Feature                                                     Default Setting
Client timeout period                                       30 sec
  When relaying a request from the authentication server to the client, the amount of time that the switch waits for a response before retransmitting the request to the client.
Authentication server timeout period                        30 sec
  When relaying a response from the client to the authentication server, the amount of time that the switch waits for a reply before retransmitting the response to the server. This setting is not configurable.