Authentication Configuration Guidelines - Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual

Catalyst 6000 series software configuration guide

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02

Chapter 21: Configuring Switch Access Using AAA
Configuring Authentication

Table 21-3 Authentication Default Configuration (continued)

Feature | Default Value
802.1x back-end authenticator to authentication server retransmission time | 30 seconds
802.1x number of frames retransmitted from back-end authenticator to supplicant | 2
802.1x automatic supplicant reauthentication time | 3600 seconds
802.1x automatic authenticator reauthentication of supplicant | Disabled

Authentication Configuration Guidelines

Follow these guidelines when configuring authentication on the switch:

- Authentication configuration applies both to console and Telnet connection attempts unless you use the console and telnet keywords to specify the authentication methods to use for each connection type individually.
- If you configure a RADIUS or TACACS+ key on the switch, make sure you configure an identical key on the RADIUS or TACACS+ server.
- You must specify a RADIUS or TACACS+ server before enabling RADIUS or TACACS+ on the switch.
- If you configure multiple RADIUS or TACACS+ servers, the first server configured is the primary server and authentication requests are sent to this server first. You can specify a server as primary by using the primary keyword.
- RADIUS and TACACS+ support one privileged mode only (level 1).
- Kerberos authentication does not work if TACACS+ is also used as an authentication mechanism.
- 802.1x will work with other protocols, but we recommend RADIUS, particularly with a remotely located authentication server.
- You cannot enable 802.1x on a secure port until you turn off the security feature on that port. You cannot enable security on an 802.1x port.
- 802.1x is only supported on Ethernet ports.
- You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port. You cannot enable trunking on an 802.1x port.
- You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port. You cannot enable DVLAN on an 802.1x port.
- You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
- You cannot enable 802.1x on a Multiple VLAN Access Port (MVAP) with an auxiliary VLAN ID until you turn off the auxiliary VLAN ID feature on that port. You cannot enable an auxiliary VLAN ID on an 802.1x port.
- You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
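The 802.1x port restrictions in these guidelines can be checked against a port inventory before a rollout. The Python below is an added example, not Cisco code or CatOS output; the Port model, the feature flag names, and the sample inventory are constructed assumptions.

```python
"""Pre-change check for the 802.1x port guidelines (added example)."""
from dataclasses import dataclass, field

# Inventory flag (assumed name) -> feature the guidelines say must be off.
DOT1X_EXCLUSIVE = {
    "port_security": "port security",
    "trunk": "trunking",
    "dvlan": "DVLAN",
    "channel": "channeling",
    "aux_vlan": "auxiliary VLAN ID (MVAP)",
    "span_dest": "SPAN destination",
}
# "span_source" is deliberately absent: an 802.1x port may be a SPAN source.

@dataclass
class Port:
    name: str
    media: str = "ethernet"
    features: set = field(default_factory=set)
    dot1x: bool = False

def dot1x_blockers(port):
    """Reasons 802.1x cannot be enabled on this port; empty list means eligible."""
    reasons = []
    if port.media != "ethernet":
        reasons.append("not an Ethernet port")
    reasons += [f"turn off {DOT1X_EXCLUSIVE[f]} first"
                for f in sorted(port.features) if f in DOT1X_EXCLUSIVE]
    return reasons

def can_enable_feature(port, feature):
    """The reverse rule: an exclusive feature cannot be added to an 802.1x port."""
    return not (port.dot1x and feature in DOT1X_EXCLUSIVE)

def audit(ports):
    """Map port name -> blockers, for every port that is not 802.1x-eligible."""
    return {p.name: r for p in ports if (r := dot1x_blockers(p))}

# Constructed sample inventory (module/port names are illustrative).
SAMPLE = [
    Port("3/1"),
    Port("3/2", features={"trunk", "span_source"}),
    Port("3/3", features={"span_source"}),
    Port("3/4", features={"channel", "aux_vlan"}),
    Port("5/1", media="atm"),
    Port("3/5", dot1x=True),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Ports 3/1 and 3/3 pass the check, which shows the SPAN source exception; the reverse rule is what keeps a later change from re-enabling trunking or channeling on a port that already runs 802.1x.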
