VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass - Cisco 3020 - Catalyst Blade Switch Configuration Manual

Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide, Rel. 12.2(25)SEF1

Chapter 7
Configuring IEEE 802.1x Port-Based Authentication
OL-8915-01

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible authentication bypass:
- Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports: You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.
- Before globally enabling IEEE 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
- When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
- The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
- You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
- After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
- When configuring the inaccessible authentication bypass feature, follow these guidelines:
  - The feature is supported on an IEEE 802.1x port in single-host mode and multihosts mode.
  - If the client is running Windows XP and the port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
  - If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
  - You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and the port remains in the restricted VLAN.
  - You can configure the inaccessible bypass feature and port security on the same switch port.
- You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on access ports.
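
An added example, not part of the Cisco guide: a small Python audit that checks a staged IOS-style configuration against the guest VLAN, restricted VLAN and EtherChannel guidelines above before it is pushed to a switch. The interface commands it matches (dot1x guest-vlan, dot1x auth-fail vlan, dot1x port-control auto, switchport voice vlan, remote-span, channel-group) are assumed IOS 12.2 syntax rather than quoted from this page, the sample configuration is constructed, and treating every voice VLAN in the file as off limits is an assumption.

```python
import re
# Constructed sample (not from the guide): Gi0/1 follows the guidelines, Gi0/2 does not.
SAMPLE = """\
vlan 900
 remote-span
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 110
 dot1x port-control auto
 dot1x guest-vlan 20
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
 dot1x port-control auto
 dot1x guest-vlan 900
 dot1x auth-fail vlan 110
"""

def parse(config):
    """Return ({interface: [commands]}, set of RSPAN VLAN IDs)."""
    ifaces, rspan = {}, set()
    for kind, name, body in re.findall(r"^(interface|vlan) (\S+)\n((?: .*\n)*)", config + "\n", re.M):
        cmds = [line.strip() for line in body.splitlines()]
        if kind == "interface":
            ifaces[name] = cmds
        elif "remote-span" in cmds and name.isdigit():
            rspan.add(int(name))
    return ifaces, rspan

def vlan_of(cmds, prefix):
    """VLAN ID that follows `prefix` in an interface's commands, or None."""
    m = re.search(rf"^{re.escape(prefix)} (\d+)$", "\n".join(cmds), re.M)
    return int(m.group(1)) if m else None

def audit(config):
    """Sorted (interface, finding) pairs; any voice VLAN in the file is off limits (assumption)."""
    ifaces, rspan = parse(config)
    banned = rspan | {vlan_of(c, "switchport voice vlan") for c in ifaces.values()}
    out = []
    for name, cmds in ifaces.items():
        if "dot1x port-control auto" in cmds and any(c.startswith("channel-group ") for c in cmds):
            out.append((name, "EtherChannel still configured on 802.1x port"))
        for label, prefix in (("guest", "dot1x guest-vlan"), ("restricted", "dot1x auth-fail vlan")):
            vid = vlan_of(cmds, prefix)
            if vid is not None and "switchport mode access" not in cmds:
                out.append((name, f"{label} VLAN on a port not in access mode"))
            if vid is not None and vid in banned:
                out.append((name, f"{label} VLAN {vid} is an RSPAN or voice VLAN"))
    return sorted(out)
```

Calling audit(SAMPLE) reports five findings, all on GigabitEthernet0/2; the port VLAN versus voice VLAN guideline and the DHCP timer guidance are not checked here.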
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
Configuring IEEE 802.1x Authentication