User Guide

ManualsBrandsCisco Systems ManualsOtherEA6500

351

352

353

354

355

356

357

358

359

360

25-6

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E

78-14099-04

Chapter 25 Configuring IEEE 802.1X Port-Based Authentication

802.1X Port-Based Authentication Guidelines and Restrictions

Follow these guidelines and restrictions when configuring 802.1X port-based authentication:

• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are

enabled.

• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but

it is not supported on these port types:

–

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X

is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode

is not changed.

–

EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the

EtherChannel port-channel interface. If you try to enable 802.1X on an EtherChannel

port-channel interface or on an individual active port in an EtherChannel, an error message

appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active individual port of

an EtherChannel, the port does not join the EtherChannel.

–

Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X

on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an

802.1X-enabled port to a secure port, an error message appears, and the security settings are not

changed.

–

Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN

destination port; however, 802.1X is disabled until the port is removed as a SPAN destination

port. You can enable 802.1X on a SPAN source port.

Retransmission time 30 seconds (number of seconds that the switch should

wait for a response to an EAP request/identity frame

from the client before retransmitting the request)

Maximum retransmission number 2 times (number of times that the switch will send an

EAP-request/identity frame before restarting the

authentication process)

Multiple host support Disabled

Client timeout period 30 seconds (when relaying a request from the

authentication server to the client, the amount of time the

switch waits for a response before retransmitting the

request to the client)

Authentication server timeout period 30 seconds (when relaying a response from the client to

the authentication server, the amount of time the switch

waits for a reply before retransmitting the response to the

server)

Table 25-1 Default 802.1X Configuration (continued)

Feature Default Setting