Authentication Configuration Guidelines - Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual

Chapter 27: Configuring Switch Access Using AAA
Configuring Authentication
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 (78-12647-02)

Table 27-3 Default Authentication Configuration (continued)

Feature                                                                          Default Value
-------------------------------------------------------------------------------  -------------
802.1x number of frames retransmitted from backend authenticator to supplicant   2
802.1x automatic supplicant reauthentication time                                3600 seconds
802.1x automatic authenticator reauthentication of supplicant                    Disabled

Authentication Configuration Guidelines

These guidelines apply when configuring authentication on the switch:

• Authentication configuration applies to both console and Telnet connection attempts unless you use the console and telnet keywords to specify the authentication methods to use for each connection type individually.
• If you configure a RADIUS or TACACS+ key on the switch, make sure you configure an identical key on the RADIUS or TACACS+ server.
• The TACACS+ key must be less than 100 characters long.
• You must specify a RADIUS or TACACS+ server before enabling RADIUS or TACACS+ on the switch.
• If you configure multiple RADIUS or TACACS+ servers, the first server configured is the primary, and authentication requests are sent to this server first. You can specify a particular server as primary by using the primary keyword.
• RADIUS and TACACS+ support one privileged mode only (level 1).
• Kerberos authentication does not work if TACACS+ is also used as an authentication mechanism.
• 802.1x will work with other protocols, but we recommend RADIUS, particularly with a remotely located authentication server.
• You cannot enable 802.1x on a secure port until you turn off the security feature on that port, and you cannot enable security on an 802.1x port.
• 802.1x is only supported on Ethernet ports.
• You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port, and you cannot enable trunking on an 802.1x port.
• You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port, and you cannot enable DVLAN on an 802.1x port.
• You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port, and you cannot enable channeling on an 802.1x port.
• You cannot enable 802.1x on a Multiple VLAN Access Port (MVAP) with an auxiliary VLAN ID until you turn off the auxiliary VLAN ID feature on that port, and you cannot enable an auxiliary VLAN ID on an 802.1x port.
• You cannot enable 802.1x on a switched port analyzer (SPAN) destination port, and you cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
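
The authentication guidelines on this page can be checked mechanically before a change is applied. The following Python sketch is an added example, not part of the Cisco manual: it audits a planned configuration for the 802.1x port-feature exclusions, the TACACS+ key length limit, the server-before-enable rule and the Kerberos/TACACS+ conflict. The plan dictionary, its field names and the sample values are assumptions made for illustration and are not CatOS syntax or output.

```python
# Added example: audit a planned configuration against the guidelines.
# The plan layout and every field name are assumptions, not CatOS syntax.
DOT1X_EXCLUSIVE = {  # port features the guidelines bar on an 802.1x port
    "port_security": "port security",
    "trunk": "trunking",
    "dvlan": "DVLAN (dynamic port)",
    "channel": "channeling",
    "aux_vlan": "auxiliary VLAN ID (MVAP)",
    "span_destination": "SPAN destination",
}

def audit(plan):
    """Return a list of guideline violations found in the planned config."""
    findings = []
    for proto in ("radius", "tacacs"):
        cfg = plan.get(proto, {})
        if cfg.get("enabled") and not cfg.get("servers"):
            findings.append(f"{proto}: enabled with no server specified")
    tacacs = plan.get("tacacs", {})
    if len(tacacs.get("key") or "") >= 100:
        findings.append("tacacs: key must be less than 100 characters long")
    if plan.get("kerberos_auth") and tacacs.get("enabled"):
        findings.append("kerberos: does not work while TACACS+ is also used")
    for port, p in sorted(plan.get("ports", {}).items()):
        if not p.get("dot1x"):
            continue  # the exclusions only matter on 802.1x ports
        if p.get("type") != "ethernet":
            findings.append(f"{port}: 802.1x is only supported on Ethernet ports")
        for field, label in DOT1X_EXCLUSIVE.items():
            if p.get(field):  # span_source is allowed, so it is not listed
                findings.append(f"{port}: 802.1x conflicts with {label}")
    return findings

SAMPLE_PLAN = {  # constructed sample, not taken from a real switch
    "radius": {"enabled": True, "servers": ["192.0.2.10"], "key": "k" * 20},
    "tacacs": {"enabled": True, "servers": [], "key": "t" * 100},
    "kerberos_auth": True,
    "ports": {
        "2/1": {"type": "ethernet", "dot1x": True, "span_source": True},
        "2/2": {"type": "ethernet", "dot1x": True, "trunk": True},
        "2/3": {"type": "ethernet", "dot1x": True, "span_destination": True},
        "2/4": {"type": "ethernet", "dot1x": False, "channel": True},
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_PLAN):
        print(line)
```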
