Upgrading From A Previous Software Release; Configuring 802.1X Authentication - Cisco WS-C3750-48PS-S Software Configuration Manual

Chapter 10
Configuring 802.1x Port-Based Authentication

Upgrading from a Previous Software Release

In Cisco IOS Release 12.1(14)EA1, the implementation for 802.1x changed from the previous release.
Some global configuration commands became interface configuration commands, and new commands
were added.
If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later,
the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade
is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global
configuration command. If 802.1x was running in multiple-hosts mode on a port in the previous release,
make sure to reconfigure it by using the dot1x host-mode multi-host interface configuration command.

Configuring 802.1x Authentication

To configure 802.1x port-based authentication, you must enable AAA and specify the authentication
method list. A method list describes the sequence and authentication methods to be queried to
authenticate a user.
The software uses the first method listed to authenticate users. If that method fails to respond, the
software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.
This is the 802.1x authentication, authorization and accounting process:
Step 1  A user connects to a port on the switch.
Step 2  Authentication is performed.
78-16180-02
When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
The 802.1x with VLAN assignment feature is not supported on private-VLAN ports, trunk ports,
dynamic ports, or with dynamic-access port assignment through a VMPS.
You can configure 802.1x on a private-VLAN port, but do not configure 802.1x with port security,
voice VLAN, or per-user ACL on private-VLAN ports.
Before globally enabling 802.1x on a switch by entering the dot1x system-auth-control global
configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for 802.1x
authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5 and your switch is
running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or
later.
After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you
might need to get a host IP address from a DHCP server. You can also change the settings for
restarting the 802.1x authentication process on the switch before the DHCP process on the client
times out and tries to get a host IP address from the DHCP server. Decrease the settings for the
802.1x authentication process (802.1x quiet period and switch-to-client transmission time).
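
An added example (not from the Cisco guide): a Python check that reads a saved configuration and flags the conditions this section warns about: ports carrying 802.1x commands while the global dot1x system-auth-control command is absent after the upgrade, missing AAA or method list, EtherChannel on an 802.1x port, and a port VLAN equal to the voice VLAN. The sample configuration is constructed and the function names are hypothetical; the commands not quoted on this page (aaa new-model, aaa authentication dot1x, dot1x port-control, channel-group, switchport access/voice vlan) are standard IOS commands assumed here.

```python
# Constructed sample: a config saved before the upgrade to 12.1(14)EA1 or later.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 10
 dot1x port-control auto
!
interface FastEthernet1/0/2
 channel-group 1 mode on
 dot1x port-control auto
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other unindented line closes the block
    return interfaces

def audit_dot1x(config):
    """Return findings for the upgrade note and guidelines in this section."""
    global_cmds = {l.strip() for l in config.splitlines() if l[:1] not in ("", " ", "!")}
    ports = {n: c for n, c in parse_interfaces(config).items()
             if any(x.startswith("dot1x ") for x in c)}
    if not ports:
        return []
    findings = []
    if "dot1x system-auth-control" not in global_cmds:
        findings.append("global: dot1x system-auth-control missing")
    if "aaa new-model" not in global_cmds or not any(
            g.startswith("aaa authentication dot1x ") for g in global_cmds):
        findings.append("global: AAA or 802.1x method list missing")
    for name, cmds in ports.items():
        if any(c.startswith("channel-group ") for c in cmds):
            findings.append(f"{name}: EtherChannel on an 802.1x port")
        vlan = {c.split()[1]: c.split()[-1] for c in cmds
                if c.startswith("switchport ") and " vlan " in c}
        # Assumption: a port with no access VLAN line uses the default VLAN 1.
        if "voice" in vlan and vlan["voice"] == vlan.get("access", "1"):
            findings.append(f"{name}: port VLAN equals voice VLAN")
    return findings
```

Call audit_dot1x() on the text of a saved configuration; an empty list means none of these checks fired. It cannot tell whether a port ran in multiple-hosts mode before the upgrade, so the dot1x host-mode multi-host step still needs a manual review.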
Catalyst 3750 Switch Software Configuration Guide