Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication

VLAN Assignment and Guest VLAN
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible authentication bypass:
• When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
• The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
• After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). How much to decrease the settings depends on the connected IEEE 802.1x client type.

MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x authentication guidelines. For more information, see the "IEEE 802.1x Authentication" section on page 9-19.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the "Default IEEE 802.1x Authentication Configuration" section on page 9-17.

Upgrading from a Previous Software Release
When IEEE 802.1x authentication is enabled, information about Port Fast is no longer added to the configuration and this information appears in the running configuration:
dot1x pae authenticator

Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.

Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
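
The VLAN assignment and guest VLAN guidelines above can be checked before a configuration is pushed to a switch. The following Python check is an added example, not part of the Cisco guide: it flags 802.1x ports in a candidate configuration whose port or guest VLAN equals the voice VLAN, or that set a guest VLAN on a trunk or dynamic port. The sample configuration is constructed; the interface names, the two guest VLAN command forms and the default access VLAN of 1 are assumptions.

```python
import itertools
import re

# Constructed sample of candidate interface configuration (not taken from the guide).
SAMPLE = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 10
 dot1x pae authenticator
interface FastEthernet0/2
 switchport mode trunk
 dot1x pae authenticator
 dot1x guest-vlan 30
interface FastEthernet0/3
 switchport voice vlan 40
 dot1x pae authenticator
 dot1x guest-vlan 40
interface FastEthernet0/4
 switchport voice vlan 40
 dot1x pae authenticator
 dot1x guest-vlan 30
"""
# Assumption: a guest VLAN may be written in either of these two command forms.
GUEST = r"^(?:dot1x guest-vlan|authentication event no-response action authorize vlan) (\d+)$"

def audit(config):
    """Return sorted (interface, finding) pairs for 802.1x ports that break a guideline."""
    findings = []
    for stanza in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, _, rest = stanza.partition("\n")
        # Sub-commands are the indented lines directly under the interface line.
        cmds = [ln.strip() for ln in itertools.takewhile(lambda ln: ln.startswith(" "), rest.splitlines())]
        if "dot1x pae authenticator" not in cmds:
            continue  # 802.1x is not enabled on this port
        body = "\n".join(cmds)
        def first(pattern):
            m = re.search(pattern, body, re.M)
            return m.group(1) if m else None
        access = first(r"^switchport access vlan (\d+)$") or "1"  # assumed default access VLAN
        voice, guest = first(r"^switchport voice vlan (\d+)$"), first(GUEST)
        non_access = re.search(r"^switchport mode (?:trunk|dynamic)", body, re.M)
        checks = [(voice == access, "port VLAN equals voice VLAN"),
                  (guest is not None and guest == voice, "guest VLAN equals voice VLAN"),
                  (guest is not None and non_access is not None, "guest VLAN on a trunk or dynamic port")]
        findings += [(name.strip(), msg) for hit, msg in checks if hit]
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Ports without dot1x pae authenticator are skipped, so the check reports only on interfaces where IEEE 802.1x is enabled.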