IBM 12.1(22)EA6 Benutzerhandbuch
6-12
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
IEEE 802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:
•
When IEEE 802.1x is enabled, ports are authenticated before any other Layer 2 features are enabled.
•
The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it
is not supported on these port types:
is not supported on these port types:
–
Trunk port—If you try to enable IEEE 802.1x on a trunk port, an error message appears, and
IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to
trunk, the port mode is not changed.
IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to
trunk, the port mode is not changed.
–
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable IEEE 802.1x on a dynamic port, an error message appears, and IEEE
802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic,
the port mode is not changed.
port. If you try to enable IEEE 802.1x on a dynamic port, an error message appears, and IEEE
802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic,
the port mode is not changed.
–
Dynamic-access ports—If you try to enable IEEE 802.1x on a dynamic-access (VLAN Query
Protocol [VQP]) port, an error message appears, and IEEE 802.1x is not enabled. If you try to
change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears,
and the VLAN configuration is not changed.
Protocol [VQP]) port, an error message appears, and IEEE 802.1x is not enabled. If you try to
change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears,
and the VLAN configuration is not changed.
–
EtherChannel ports—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel
port, an error message appears, and IEEE 802.1x is not enabled.
EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel
port, an error message appears, and IEEE 802.1x is not enabled.
–
IEEE Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You
cannot enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port or that is an
RSPAN reflector port. However, you can enable IEEE 802.1x on a SPAN or RSPAN source
port.
cannot enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port or that is an
RSPAN reflector port. However, you can enable IEEE 802.1x on a SPAN or RSPAN source
port.
•
You can configure any VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
Retransmission time
30 seconds (number of seconds that the switch should
wait for a response to an EAP request/identity frame
from the client before resending the request).
wait for a response to an EAP request/identity frame
from the client before resending the request).
Maximum retransmission number
2 times (number of times that the switch will send an
EAP-request/identity frame before restarting the
authentication process).
EAP-request/identity frame before restarting the
authentication process).
Host mode
Single-host mode.
Guest VLAN
None specified.
Client timeout period
30 seconds (when relaying a request from the
authentication server to the client, the amount of time the
switch waits for a response before resending the request
to the client.
authentication server to the client, the amount of time the
switch waits for a response before resending the request
to the client.
Authentication server timeout period
30 seconds (when relaying a response from the client to
the authentication server, the amount of time the switch
waits for a reply before resending the response to the
server. This setting is not configurable.)
the authentication server, the amount of time the switch
waits for a reply before resending the response to the
server. This setting is not configurable.)
Table 6-2
Default IEEE 802.1x Configuration (continued)
Feature
Default Setting