Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass - Cisco Catalyst 2960 series Configuration Manual

How to Configure 802.1x Port-Based Authentication
If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port becomes
unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned
shuts down or is removed.
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed
ports, but it is not supported on these port types:
• Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control
global configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible
authentication bypass:
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported
only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might
need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x
authentication process on the switch before the DHCP process on the client times out and tries to get a
host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process
(authentication timer inactivity and authentication timer reauthentication interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1354
◦Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port.
If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x
authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic,
an error message appears, and the port mode is not changed.
◦Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN
Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled.
If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message
appears, and the VLAN configuration is not changed.
◦EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
◦Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable
802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x
authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You
can enable 802.1x authentication on a SPAN or RSPAN source port.