Mac Authentication Bypass; Maximum Number Of Allowed Devices Per Port; Configuring 802.1X Readiness Check - Cisco Catalyst 2960-XR Security Configuration Manual
Ios release 15.0 2 ex1
Hide thumbs
Also See for Catalyst 2960-XR:
- Configuration manual (196 pages) ,
- Configuration manuals (120 pages) ,
- Reference (52 pages)
Table of Contents
Advertisement
Configuring IEEE 802.1x Port-Based Authentication
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC
• If the port is in the unauthorized state and the client MAC address is not the authentication-server
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Maximum Number of Allowed Devices Per Port
This is the maximum number of devices allowed on an 802.1x-enabled port:
• In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with
• In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP
• In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of
Configuring 802.1x Readiness Check
Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the switch:
SUMMARY STEPS
1. dot1x test eapol-capable [interface interface-id]
2. configure terminal
3. dot1x test timeout timeout
4. end
OL-29434-01
◦ You can configure the inaccessible authentication bypass feature and the restricted VLAN on an
802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the
RADIUS servers are unavailable, switch changes the port state to the critical authentication state
and remains in the restricted VLAN.
The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.
authentication guidelines.
address, the port state is not affected.
database, the port remains in the unauthorized state. However, if the client MAC address is added to the
database, the switch can use MAC authentication bypass to re-authorize the port.
a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice
VLAN.
phone is allowed for the voice VLAN.
non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the
voice VLAN.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
Configuring 802.1x Readiness Check
247
Advertisement
Table of Contents
