Authentication Configuration Guidelines - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04)
Chapter 40: Configuring 802.1X Authentication

Table 40-2  802.1X Authentication Default Configuration (continued)

| Feature | Default Value |
|---|---|
| 802.1X authenticator to host retransmission time | 30 seconds |
| 802.1X back-end authenticator to host retransmission time | 30 seconds |
| 802.1X back-end authenticator to authentication server retransmission time | 30 seconds |
| 802.1X number of frames that are retransmitted from back-end authenticator to the host | 2 |
| 802.1X automatic host reauthentication time | 3600 seconds |
| 802.1X automatic authenticator reauthentication of the host | Disabled |
| 802.1X shutdown timeout period | 300 seconds |
| 802.1X RADIUS accounting | Disabled |
| 802.1X RADIUS VLAN assignment | Enabled |
| 802.1X RADIUS keepalive state | Enabled |

Authentication Configuration Guidelines

This section provides the guidelines for configuring 802.1X authentication on the switch:

- 802.1X will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
- 802.1X is supported only on the Ethernet ports.
- Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1. 802.1X authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server. 802.1X authentication is not supported with the sc1 interface.
- You cannot enable 802.1X on a trunk port until you turn off trunking on that port. You cannot enable trunking on an 802.1X port.
- You cannot enable 802.1X on a dynamic port until you turn off dynamic VLAN on that port. You cannot enable dynamic VLAN on an 802.1X port.
- You cannot enable 802.1X on a channeling port until you turn off channeling on that port. You cannot enable channeling on an 802.1X port.
- You cannot enable 802.1X on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1X port. However, you can configure an 802.1X port as a SPAN source port.
- You cannot set the auxiliary VLAN to dot1p or untagged, and the auxiliary VLAN should not be equal to the native VLAN on the 802.1X-enabled port.
- You cannot enable the multiple-authentication option on an 802.1X-enabled auxiliary VLAN port.
- We recommend that you do not enable the multiple-host option on an 802.1X-enabled auxiliary port.
- Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1X-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
- On an 802.1X-enabled port, an administratively configured VLAN cannot be equal to an auxiliary VLAN.
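As an added example (not from the Cisco guide), the following Python check encodes the port-level guidelines above so a planned change can be reviewed before it is applied. The PortIntent model, its field names and the sample ports are hypothetical; the code does not read or generate CatOS configuration.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass
class PortIntent:
    """Hypothetical model of one port's intended settings (not a CatOS format)."""
    name: str
    dot1x: bool = False
    trunk: bool = False
    dynamic_vlan: bool = False
    channel: bool = False
    span_destination: bool = False
    native_vlan: Optional[int] = None
    aux_vlan: Union[int, str, None] = None  # VLAN number, "dot1p" or "untagged"
    guest_vlan: Optional[int] = None
    multiple_auth: bool = False
    multiple_host: bool = False

def audit(p):
    """Return (severity, message) findings for one port, per the guidelines."""
    out = []
    if not p.dot1x:
        return out  # the guidelines only constrain 802.1X-enabled ports
    for on, label in ((p.trunk, "trunking"), (p.dynamic_vlan, "dynamic VLAN"),
                      (p.channel, "channeling"), (p.span_destination, "SPAN destination")):
        if on:
            out.append(("error", f"{p.name}: 802.1X conflicts with {label}"))
    if p.aux_vlan is None:
        return out  # remaining rules apply only to auxiliary VLAN ports
    if p.aux_vlan in ("dot1p", "untagged"):
        out.append(("error", f"{p.name}: auxiliary VLAN set to {p.aux_vlan}"))
    elif p.aux_vlan == p.native_vlan:
        out.append(("error", f"{p.name}: auxiliary VLAN equals native VLAN"))
    if p.guest_vlan is not None and p.guest_vlan == p.aux_vlan:
        out.append(("error", f"{p.name}: guest VLAN equals auxiliary VLAN"))
    if p.multiple_auth:
        out.append(("error", f"{p.name}: multiple-authentication with auxiliary VLAN"))
    if p.multiple_host:
        out.append(("warning", f"{p.name}: multiple-host with auxiliary VLAN"))
    return out

SAMPLE = [  # constructed intents; port names and VLAN numbers are made up
    PortIntent("3/1", dot1x=True, native_vlan=10, aux_vlan=20, guest_vlan=30),
    PortIntent("3/2", dot1x=True, trunk=True, native_vlan=10),
    PortIntent("3/3", dot1x=True, native_vlan=10, aux_vlan=10, guest_vlan=10),
    PortIntent("3/4", trunk=True, channel=True),  # no 802.1X: nothing to check
]
for port in SAMPLE:
    print(port.name, audit(port) or "no findings")
```

The recommendation against the multiple-host option is reported as a warning; every "cannot" or "do not" guideline is reported as an error.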

This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513