Cisco Catalyst 3560-X Software Configuration Manual page 328
Hide thumbs
Also See for Catalyst 3560-X:
- Command reference manual (1188 pages) ,
- Software configuration manual (1438 pages) ,
- Manual (276 pages)
Table of Contents
Advertisement
Configuring 802.1x Authentication
•
•
This switch does not support Cisco Discovery Protocol (CDP) bypass.
Note
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and
inaccessible authentication bypass:
•
•
•
•
•
•
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-40
When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the
switch grants the phones network access without authenticating them. We recommend that you use
multidomain authentication (MDA) on the port to authenticate both a data device and a voice device,
such as an IP phone.
Only Catalyst 3750, 3560, and 2960 switches support CDP bypass. The Catalyst 3750-X,
Note
3560-X, 3750-E, and 3560-E switches do not support CDP bypass.
Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication. See the
"Authentication Manager CLI Commands" section on page
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
You can configure 802.1x authentication on a private-VLAN port, but do not configure IEEE 802.1x
authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user
ACL on private-VLAN ports.
You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or
trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can change the settings for restarting
the 802.1x authentication process on the switch before the DHCP process on the client times out and
tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x
authentication process (authentication timer inactivity and authentication timer
reauthentication interface configuration commands). The amount to decrease the settings depends
on the connected 802.1x client type.
When configuring the inaccessible authentication bypass feature, follow these guidelines:
The feature is supported on 802.1x port in single-host mode and multihosts mode.
–
If the client is running Windows XP and the port to which the client is connected is in the
–
critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
–
receiving an EAP-Success message on a critical port might not re-initiate the DHCP
configuration process.
Chapter 1
Configuring IEEE 802.1x Port-Based Authentication
1-9.
OL-25303-03
Advertisement
Table of Contents
Troubleshooting
