Cisco Catalyst 3750-E Software Configuration Manual page 320

Configuring 802.1x Authentication
• If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and
does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS
server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port
becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port
is assigned shuts down or is removed.
The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
•
routed ports, but it is not supported on these port types:
Before globally enabling 802.1x authentication on a switch by entering the dot1x
•
system-auth-control global configuration command, remove the EtherChannel configuration from
the interfaces on which 802.1x authentication and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for
•
IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure
that the device is running ACS Version 3.2.1 or later.
When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the
•
switch grants the phones network access without authenticating them. We recommend that you use
multidomain authentication (MDA) on the port to authenticate both a data device and a voice device,
such as an IP phone.
Note
Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
•
authentication. See the
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
10-36
Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message
–
appears, and 802.1x authentication is not enabled. If you try to change the mode of an
802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
–
port. If you try to enable 802.1x authentication on a dynamic port, an error message appears,
and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled
port to dynamic, an error message appears, and the port mode is not changed.
Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
–
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not
enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error
message appears, and the VLAN configuration is not changed.
EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
–
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However,
802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination
port. You can enable 802.1x authentication on a SPAN or RSPAN source port.
Only Catalyst 3750, 3560, and 2960 switches support CDP bypass. The Catalyst 3750-X,
3560-X, 3750-E, and 3560-E switches do not support CDP bypass.
"Displaying 802.1x Statistics and Status" section on page
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
10-68.
OL-9775-08