802.1X Configuration Guidelines; Configuring 802.1X Authentication - Cisco Catalyst 3750 Software Configuration Manual

Chapter 8
Configuring 802.1x Port-Based Authentication

802.1x Configuration Guidelines

These are the 802.1x authentication configuration guidelines:

Configuring 802.1x Authentication

To configure 802.1x port-based authentication, you must enable AAA and specify the authentication
method list. A method list describes the sequence and authentication methods to be queried to
authenticate a user.

The software uses the first method listed to authenticate users. If that method fails to respond, the
software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication.
This procedure is required.

- When 802.1x is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are
  enabled.
- The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
  routed ports, but it is not supported on these port types:
  - Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x
    is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error
    message appears, and the port mode is not changed.
  - Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
    port. If you try to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not
    enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message
    appears, and the port mode is not changed.
  - Dynamic-access ports—If you try to enable 802.1x on a dynamic-access (VLAN Query
    Protocol [VQP]) port, an error message appears, and 802.1x is not enabled. If you try to change
    an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the
    VLAN configuration is not changed.
  - EtherChannel port—Do not configure a port that is an active member of an EtherChannel as an
    802.1x port. If 802.1x is enabled on a not-yet active port of an EtherChannel, the port does not
    join the EtherChannel.
  - Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
    enable 802.1x on a port that is a SPAN or RSPAN destination port. However, 802.1x is disabled
    until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1x on a
    SPAN or RSPAN source port.
- You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
  The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
  supported only on access ports.
- When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
- The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
  dynamic-access port assignment through a VMPS.
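
The port-type and VLAN guidelines above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide: the sample configuration is constructed, the function names are hypothetical, and it assumes 802.1x is enabled with `dot1x port-control auto`. It inspects only explicit configuration lines (platform defaults are not inferred) and does not check the RSPAN VLAN restriction.

```python
import re
# Constructed sample config (interface numbers and VLAN IDs are made up).
SAMPLE = """\
monitor session 1 destination interface Gi1/0/5
interface GigabitEthernet1/0/1
 switchport voice vlan 20
 dot1x port-control auto
interface GigabitEthernet1/0/2
 switchport mode trunk
 dot1x port-control auto
interface GigabitEthernet1/0/3
 channel-group 1 mode on
 dot1x port-control auto
interface GigabitEthernet1/0/4
 switchport access vlan 20
 switchport voice vlan 20
 dot1x port-control auto
 dot1x guest-vlan 20
interface GigabitEthernet1/0/5
 dot1x port-control auto
"""

def short(name):  # 'GigabitEthernet1/0/5' -> 'Gi1/0/5', the form SPAN lines use
    return re.sub(r"^([A-Za-z]{2})[A-Za-z-]*", r"\1", name)

def audit(config):
    """Map each 802.1x-enabled interface to the guidelines it conflicts with."""
    span_dst = {short(n) for n in re.findall(
        r"^monitor session \d+ destination interface (\S+)", config, re.M)}
    voice_vlans = set(re.findall(r"^[ \t]+switchport voice vlan (\d+)", config, re.M))
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if "dot1x port-control auto" not in lines:
            continue  # 802.1x is not enabled on this port, nothing to check
        def val(prefix):
            return next((l[len(prefix):] for l in lines if l.startswith(prefix)), None)
        mode, access = val("switchport mode "), val("switchport access vlan ")
        checks = [
            (mode == "trunk", "trunk port"),
            ((mode or "").startswith("dynamic"), "dynamic port"),
            (access == "dynamic", "dynamic-access (VQP) port"),
            (val("channel-group ") is not None, "EtherChannel member"),
            (short(name) in span_dst, "SPAN/RSPAN destination"),
            (access is not None and access == val("switchport voice vlan "), "port VLAN equals voice VLAN"),
            (val("dot1x guest-vlan ") in voice_vlans, "guest VLAN is a voice VLAN"),
        ]
        findings[name] = [msg for hit, msg in checks if hit]
    return findings
```

An empty list for an interface means none of the checked guidelines is violated. A SPAN/RSPAN destination finding matters operationally because the guide states 802.1x stays disabled on that port until the SPAN role is removed.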
Catalyst 3750 Metro Switch Software Configuration Guide