Cisco Systems 3560 User Manual

10-33
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10      Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
  – If the client is running Windows XP and the port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
  – If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
  – You can configure the inaccessible authentication bypass feature and the restricted VLAN on an 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical-authentication state and the port remains in the restricted VLAN.
  – You can configure the inaccessible authentication bypass feature and port security on the same switch port.
  • You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
  • Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x authentication guidelines. For more information, see the 
  • If you disable MAC authentication bypass on a port after the port has been authorized with its MAC address, the port state is not affected.
  • If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
  • If the port is in the authorized state, the port remains in this state until re-authorization occurs.
  • You can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1 to 65535 seconds. You must enable port security before configuring a timeout value. For more information, see the 
Maximum Number of Allowed Devices Per Port
This is the maximum number of devices allowed on an 802.1x-enabled port:
  • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
  • In multidomain authentication (MDA) mode, one device is allowed on the access VLAN, and one IP phone is allowed on the voice VLAN.
  • In multiple-host mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the voice VLAN.
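The following configuration puts the guidelines from the three sections above onto one port: a critical VLAN (inaccessible authentication bypass) together with a restricted VLAN and port security, MAC authentication bypass as the fallback for hosts without a supplicant, and multidomain (MDA) host mode for one PC plus one IP phone. It is added here as an example and is not taken from the guide. The interface, VLAN numbers, RADIUS server addresses (RFC 5737 range) and shared secret are constructed; the commands are the interface-level dot1x form used by this 12.2 SE-era guide and should be checked against the command reference for the release actually running on the switch. The MAC authentication bypass inactivity timer is not shown because this page does not give its command.

```cisco
! Global AAA and RADIUS configuration with dead-server detection. Dead-criteria is
! what lets the switch decide that "all RADIUS servers are unavailable" and move
! an 802.1x port into the critical-authentication state.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Server addresses, probe user and key are constructed placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key RadiusKey1
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key RadiusKey1
! A server is marked dead after 10 seconds with 3 unanswered tries, and stays
! marked dead for 5 minutes before the switch tries it again.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Send EAPOL-Success when a critical port is authorised. Without this a Windows XP
! supplicant on a critical port may report the interface as not authenticated.
dot1x critical eapol
!
! VLAN roles (numbers constructed for this example):
!   10 = data (access) VLAN        20 = voice VLAN
!   30 = restricted VLAN (authentication failed)
!   40 = critical VLAN (no RADIUS server reachable)
vlan 10,20,30,40
!
interface GigabitEthernet0/1
 description MDA port: one PC on the data VLAN, one IP phone on the voice VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! 802.1x authenticator, with MAC authentication bypass as the fallback for
 ! hosts that have no supplicant (printers, badge readers).
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x host-mode multi-domain
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Restricted VLAN: after 3 failed authentication attempts the host is placed in
 ! VLAN 30 instead of being left unauthorised on the port.
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 ! Inaccessible authentication bypass: when every RADIUS server is dead the port
 ! enters the critical-authentication state in VLAN 40, and is re-initialised
 ! (re-authenticated) once a server comes back.
 dot1x critical
 dot1x critical vlan 40
 dot1x critical recovery action reinitialize
 ! Port security on the same port, as the guidelines permit: bounded to the one
 ! PC plus one phone that MDA admits, with a small margin for phone re-registration.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
```

Check the result with `show dot1x interface gigabitethernet0/1`, which reports the configured host mode, the auth-fail and critical VLANs, and the current port state. Two points to keep in mind when choosing the VLANs: the critical VLAN is fail-open, since a host connected while the servers are down gets it without any authentication server having seen its credentials, so it should carry only what such a host needs; and, per the guideline above, a port re-authenticating in the restricted VLAN while all servers are down stays in the restricted VLAN rather than moving to the critical VLAN. Because a Windows XP client may not renew DHCP after the EAP-Success on a critical port, a critical VLAN on a different subnet from the access VLAN can leave the client holding an address that no longer routes.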