X Configuration Guidelines - Cisco Catalyst 3550 series Software Configuration Manual

Configuring 802.1X Authentication
Table 9-1
Feature
Retransmission time
Maximum retransmission number
Host mode
Guest VLAN
Client timeout period
Authentication server timeout period

802.1X Configuration Guidelines

These are the 802.1X authentication configuration guidelines:
•
•
Catalyst 3550 Multilayer Switch Software Configuration Guide
9-10
Default 802.1X Configuration (continued)
When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are
enabled.
The 802.1X protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3
routed ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
– Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is
not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode
is not changed.
– Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query
Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change
an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the
VLAN configuration is not changed.
EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
–
EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a
not-yet active port of an EtherChannel, the port does not join the EtherChannel.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can
enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However,
802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port.
You can enable 802.1X on a SPAN or RSPAN source port.
Chapter 9 Configuring 802.1X Port-Based Authentication
Default Setting
30 seconds (number of seconds that the switch should
wait for a response to an EAP request/identity frame
from the client before resending the request).
2 times (number of times that the switch will send an
EAP-request/identity frame before restarting the
authentication process).
Single-host mode.
None specified.
30 seconds (when relaying a request from the
authentication server to the client, the amount of time the
switch waits for a response before resending the request
to the client.
30 seconds (when relaying a response from the client to
the authentication server, the amount of time the switch
waits for a reply before resending the response to the
server. This setting is not configurable.)
78-11194-09