Cisco Systems WSC4500X16SFP Manual De Usuario
29-15
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
802.1X Configuration Guidelines
This section describes the guidelines for configuring 802.1X authentication:
•
The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but
it is not supported on the following port types:
it is not supported on the following port types:
–
Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
–
Default ports—All ports default as dynamic-access ports (auto). Use the no switchport
command to access a router port.
command to access a router port.
–
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is
not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode
is not changed.
port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is
not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode
is not changed.
–
EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a
not-yet active port of an EtherChannel, the port does not join the EtherChannel.
EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a
not-yet active port of an EtherChannel, the port does not join the EtherChannel.
–
Switched Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a
SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN
destination. You can enable 802.1X on a SPAN source port.
SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN
destination. You can enable 802.1X on a SPAN source port.
If you are planning to use either 802.1X accounting or VLAN assignment, be aware that both features
utilize general AAA commands. For information how to configure AAA, refer to “Enabling 802.1X
Authentication” on page 16 and “Enabling 802.1X Accounting” on page 19. Alternatively, you can refer
to the Cisco IOS security documentation.
utilize general AAA commands. For information how to configure AAA, refer to “Enabling 802.1X
Authentication” on page 16 and “Enabling 802.1X Accounting” on page 19. Alternatively, you can refer
to the Cisco IOS security documentation.
Refer to the following Cisco IOS security documentation for information on how to configure AAA
system accounting:
system accounting:
Client timeout period
30 sec
When relaying a request from the authentication server to the client,
the amount of time that the switch waits for a response before
retransmitting the request to the client.
the amount of time that the switch waits for a response before
retransmitting the request to the client.
Authentication server timeout period
30 sec
When relaying a response from the client to the authentication
server, the amount of time that the switch waits for a reply before
retransmitting the response to the server. This setting is not
configurable.
server, the amount of time that the switch waits for a reply before
retransmitting the response to the server. This setting is not
configurable.
Table 29-1 Default 802.1X Configuration (continued)
Feature
Default Setting