Prerequisites; Restrictions; Identify Configuration Values - Cisco Catalyst 3850 Manual


Access Control on the Wired Network
This workflow describes a phased approach to deploy IEEE 802.1x port-based authentication to provide
secure and identity-based access control at the edge of the switch stack network.
Prerequisites for Access Control on the Wired Network
Restrictions for Access Control on the Wired Network

Identify Configuration Values

Cisco Systems, Inc.
www.cisco.com
Prerequisites for Access Control on the Wired Network
Before globally enabling IEEE 802.1x authentication, remove the EtherChannel configuration from all of the interfaces.
Define the authenticator (switch) to RADIUS server communication.
Initiate Extensible Authentication Protocol (EAP) over LAN (EAPoL) messaging to successfully authenticate the end device (or supplicant).
Based on your requirements, choose an appropriate EAP method. For information, see the Wired 802.1x Deployment Guide.
Automate the certificate enrollment process for supplicants, as described in the Certificate Autoenrollment in Windows Server 2003.
Enable machine authentication for end points, such as printers, to ensure that user login is supported.

Restrictions for Access Control on the Wired Network
You cannot configure an IEEE 802.1x port that is a member of an EtherChannel.
Destination ports configured with Switched Port Analyzer (SPAN) and remote SPAN (RSPAN) cannot be enabled with IEEE 802.1x authentication.
You cannot enable an IEEE 802.1x port on trunk or dynamic ports. A dynamic port can negotiate with its neighbors to become a trunk.
Do not use port security with IEEE 802.1x. When IEEE 802.1x is enabled, port security becomes redundant and might interfere with the IEEE 802.1x functionality.
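
The restrictions listed on this page can be checked against a saved switch configuration before IEEE 802.1x is enabled. The following Python audit is an added example, not part of the Cisco manual; the sample configuration is constructed, and treating "dot1x pae authenticator" or a "port-control auto" line as the marker of an 802.1x port is an assumption.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
monitor session 1 destination interface Gi1/0/4
interface GigabitEthernet1/0/1
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 channel-group 1 mode active
 dot1x pae authenticator
interface GigabitEthernet1/0/3
 switchport mode dynamic auto
 switchport port-security
 authentication port-control auto
interface GigabitEthernet1/0/4
 dot1x pae authenticator
interface GigabitEthernet1/0/5
 switchport mode trunk
"""

# Assumption: any of these sub-commands marks a port as 802.1x-enabled.
DOT1X = re.compile(r"(dot1x pae authenticator|(authentication|dot1x) port-control auto)$")
RULES = [  # (interface sub-command pattern, restriction it violates)
    (re.compile(r"channel-group \d+"), "EtherChannel member"),
    (re.compile(r"switchport mode (trunk|dynamic)"), "trunk or dynamic port"),
    (re.compile(r"switchport port-security"), "port security enabled")]

def short(name):  # 'GigabitEthernet1/0/4' and 'Gi1/0/4' both become 'gi1/0/4'
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*([\d/]+)$", name)
    return (m.group(1) + m.group(2)).lower() if m else name.lower()

def audit(config):
    """Return {interface: [restrictions violated]} for 802.1x-enabled ports."""
    span_dst = {short(n) for n in re.findall(
        r"^monitor session \d+ destination interface (\S+)", config, re.M)}
    ports, report, current = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # left the interface stanza
    for name, cmds in ports.items():
        found = [msg for rx, msg in RULES if any(rx.match(c) for c in cmds)]
        if short(name) in span_dst:
            found.append("SPAN/RSPAN destination port")
        if found and any(DOT1X.match(c) for c in cmds):
            report[name] = found
    return report
```

Only explicit "switchport mode" lines are evaluated, so a port left at its default mode is not flagged, and interface ranges in "monitor session" lines are not expanded.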


This manual is also suitable for:

Catalyst 3650
