Mac Authentication Bypass; Maximum Number Of Allowed Devices Per Port; Configuring 802.1X Readiness Check - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX

• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
• When wireless guest clients obtain an IP address from the foreign client VLAN instead of the anchor client VLAN, you should use the ip dhcp required command under the WLAN configuration to force clients to issue a new DHCP request. This prevents the clients from getting an incorrect IP address at the anchor.

MAC Authentication Bypass

These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x authentication guidelines.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
• You can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1 to 65535 seconds.

Maximum Number of Allowed Devices Per Port

This is the maximum number of devices allowed on an 802.1x-enabled port:
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP phone is allowed for the voice VLAN.
• In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the voice VLAN.

Configuring 802.1x Readiness Check

The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices connected to the switch ports are 802.1x-capable.
The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.
Follow these steps to enable the 802.1x readiness check on the switch:

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX, OL-29048-01, page 300
Configuring IEEE 802.1x Port-Based Authentication
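
The per-port device limits and MAC authentication bypass guidelines above can be checked against a saved configuration. The Python audit below is an added example, not part of the Cisco guide. The sample configuration is constructed, the interface commands it matches (authentication host-mode, mab, authentication timer inactivity, port-control force-unauthorized) are assumed from common IOS syntax rather than taken from this page, and flagging MAB without an inactivity timeout is this example's own policy choice.

```python
import re

# Constructed config excerpt, not from the page. Interface command names are
# assumed from common IOS syntax; the page itself does not list them.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-host
 authentication port-control auto
interface GigabitEthernet1/0/2
 authentication host-mode multi-domain
 authentication port-control auto
 mab
interface GigabitEthernet1/0/3
 authentication port-control auto
 mab
 authentication timer inactivity 300
interface GigabitEthernet1/0/4
 authentication port-control force-unauthorized
"""

def parse_interfaces(config):
    """Split a config into {interface name: [stripped sub-commands]}."""
    blocks, port = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            port = line.split(None, 1)[1]
            blocks[port] = []
        elif port and line.startswith(" "):
            blocks[port].append(line.strip())
        else:
            port = None  # left interface context (e.g. "!" or "line vty")
    return blocks

def audit(config):
    """Return {interface: [findings]} based on the guidelines above."""
    report = {}
    for port, cmds in parse_interfaces(config).items():
        notes = []
        text = "\n".join(cmds)
        if "authentication host-mode multi-host" in cmds:
            notes.append("multi-host: unlimited non-802.1x hosts after one supplicant")
        has_timer = any(c.startswith("authentication timer inactivity") for c in cmds)
        if re.search(r"^mab\b", text, re.M) and not has_timer:
            notes.append("MAB enabled without an inactivity timeout")
        if re.search(r"^(authentication|dot1x) port-control force-unauthorized$", text, re.M):
            notes.append("force-unauthorized: readiness check not available")
        if notes:
            report[port] = notes
    return report
```

Calling audit(SAMPLE_CONFIG) returns findings for ports 1/0/1, 1/0/2 and 1/0/4; port 1/0/3 is clean because its MAB session has an inactivity timeout.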
