Cisco Systems 3560 User Manual

Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
  • The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
    – Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
    – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed.
    – Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
    – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled.
    – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
  • Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
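A pre-deployment check for the port-type restrictions above, as an added example that is not part of the Cisco guide: it scans a candidate IOS configuration for interfaces that request 802.1x while also being a trunk, dynamic, dynamic-access, EtherChannel member, or SPAN destination port. The sample configuration and the function name `audit` are constructed for illustration. The check assumes interface names are spelled identically on `interface` and `monitor session` lines, and it reads only explicit statements, not platform defaults.

```python
import re

# Constructed candidate config (illustrative, not from the guide).
CANDIDATE = """\
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
interface GigabitEthernet0/2
 switchport mode trunk
 dot1x port-control auto
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 channel-group 1 mode active
 authentication port-control auto
interface GigabitEthernet0/4
 switchport mode access
 dot1x port-control auto
monitor session 1 destination interface GigabitEthernet0/4
"""

# Port types the guide lists as unsupported, keyed by the line that creates them.
UNSUPPORTED = [
    (r"switchport mode trunk$", "trunk port"),
    (r"switchport mode dynamic ", "dynamic port"),
    (r"switchport access vlan dynamic$", "dynamic-access (VQP) port"),
    (r"channel-group \d+ ", "EtherChannel member"),
]
DOT1X = re.compile(r"(dot1x|authentication) port-control auto$")
SPAN = re.compile(r"monitor session \d+ destination interface (\S+)")

def audit(config):
    """Return {interface: [reasons]} for 802.1x ports that break the guidelines."""
    ports, span_dst, current = {}, set(), None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # any other top-level line ends the interface block
            current = None
            span_dst.update(SPAN.findall(raw))
    findings = {}
    for name, lines in ports.items():
        why = [lab for pat, lab in UNSUPPORTED if any(re.match(pat, l) for l in lines)]
        if name in span_dst:
            why.append("SPAN/RSPAN destination: 802.1x stays disabled")
        if why and any(DOT1X.match(l) for l in lines):
            findings[name] = why
    return findings
```

The SPAN destination finding is the one the switch accepts without an error message, so it is the case most likely to leave a port unauthenticated unnoticed.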
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and 
inaccessible authentication bypass:
  • When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
  • The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
  • You can configure 802.1x authentication on a private-VLAN port, but do not configure 802.1x authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user ACL on private-VLAN ports.
  • You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
  • After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process (the authentication timer inactivity or dot1x timeout quiet-period, and the authentication timer reauthentication or dot1x timeout tx-period, interface configuration commands). The amount to decrease the settings depends on the connected 802.1x client type.
  • When configuring the inaccessible authentication bypass feature, follow these guidelines:
    – The feature is supported on 802.1x ports in single-host mode and multihosts mode.