VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass - Cisco Catalyst 2960-XR Security Configuration Manual

Cisco IOS Release 15.0(2)EX1

802.1x Authentication Configuration Guidelines
• If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x
authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device
is running ACS Version 3.2.1 or later.
• When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the switch
grants the phones network access without authenticating them. We recommend that you use multidomain
authentication (MDA) on the port to authenticate both a data device and a voice device, such as an IP
phone.
Note: Only Catalyst 3750, 3560, and 2960 switches support CDP bypass. The Catalyst 3750-X,
3560-X, 3750-E, and 3560-E switches do not support CDP bypass.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible
authentication bypass:
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
• You can configure 802.1x authentication on a private-VLAN port, but do not configure IEEE 802.1x
authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user ACL
on private-VLAN ports.
• You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as an 802.1x
guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports;
it is supported only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might
need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x
authentication process on the switch before the DHCP process on the client times out and tries to get a
host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process
(authentication timer inactivity and authentication timer reauthentication interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
◦ The feature is supported on 802.1x ports in single-host mode and multihosts mode.
◦ If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
◦ If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration
process.
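
The following added example (not part of the Cisco guide) audits interface stanzas of a saved running-config against three of the guidelines above: port or guest VLAN equal to the voice VLAN, a guest VLAN on a non-access port, and inaccessible authentication bypass on a host mode other than single-host or multihosts. It assumes the `authentication ...` interface command syntax; the function names, interface names, and VLAN IDs are constructed for illustration.

```python
import re

# Constructed sample running-config; interface names and VLAN IDs are illustrative.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
 authentication port-control auto
interface GigabitEthernet1/0/2
 switchport mode trunk
 authentication event no-response action authorize vlan 20
 authentication port-control auto
interface GigabitEthernet1/0/3
 switchport mode access
 authentication host-mode multi-auth
 authentication event server dead action authorize vlan 40
 authentication port-control auto
"""

def value(cmds, pattern, default=None):
    """Return the first capture of pattern among the interface's commands."""
    hits = [m.group(1) for c in cmds if (m := re.fullmatch(pattern, c))]
    return hits[0] if hits else default

def audit(config):
    """Return (interface, finding) pairs for 802.1x ports that break a guideline."""
    findings = []
    # Each match is one "interface X" line plus the indented commands under it.
    for m in re.finditer(r"(?m)^interface (\S+)\n((?: .*\n?)*)", config):
        port, cmds = m.group(1), [l.strip() for l in m.group(2).splitlines()]
        if "authentication port-control auto" not in cmds:
            continue  # 802.1x is not enabled on this port
        mode = value(cmds, r"switchport mode (\S+)", "dynamic")
        access = value(cmds, r"switchport access vlan (\d+)")
        voice = value(cmds, r"switchport voice vlan (\d+)")
        guest = value(cmds, r"authentication event no-response action authorize vlan (\d+)")
        dead = value(cmds, r"authentication event server dead action (.+)")
        # single-host is the default and does not appear in the running-config
        host = value(cmds, r"authentication host-mode (\S+)", "single-host")
        if voice and voice in (access, guest):
            findings.append((port, "port or guest VLAN equals voice VLAN"))
        if guest and mode != "access":
            findings.append((port, "guest VLAN on a non-access port"))
        if dead and host not in ("single-host", "multi-host"):
            findings.append((port, "critical VLAN with host mode " + host))
    return findings
```

RSPAN and private VLAN membership cannot be read from an interface stanza, so those guest VLAN restrictions are outside what this check covers.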
Configuring IEEE 802.1x Port-Based Authentication
OL-29434-01
