Configuring 802.1x Authentication
Chapter 1: Configuring IEEE 802.1x Port-Based Authentication
Catalyst 3750-X and 3560-X Switch Software Configuration Guide

• When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link comes up, the port queries the connected client about its 802.1x capability. When the client responds with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable. No syslog message is generated.
• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected to an IP phone). A syslog message is generated for each of the clients that respond to the readiness check within the timer period.

Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the switch:

Step 1
Command: dot1x test eapol-capable [interface interface-id]
Purpose: Enable the 802.1x readiness check on the switch. (Optional) For interface-id specify the port on which to check for IEEE 802.1x readiness.
Note: If you omit the optional interface keyword, all interfaces on the switch are tested.

Step 1
Command: configure terminal
Purpose: (Optional) Enter global configuration mode.

Step 2
Command: dot1x test timeout timeout
Purpose: (Optional) Configure the timeout used to wait for EAPOL response. The range is from 1 to 65535 seconds. The default is 10 seconds.

Step 3
Command: end
Purpose: (Optional) Return to privileged EXEC mode.

Step 4
Command: show running-config
Purpose: (Optional) Verify your modified timeout values.

This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable

Configuring Voice Aware 802.1x Security

You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch without interruption.

Follow these guidelines to configure voice aware 802.1x voice security on the switch:

• You enable voice aware 802.1x security by entering the errdisable detect cause security-violation shutdown vlan global configuration command. You disable voice aware 802.1x security by entering the no version of this command. This command applies to all 802.1x-configured ports in the switch.

Note: If you do not include the shutdown vlan keywords, the entire port is shut down when it enters the error-disabled state.
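For the readiness check described on this page, the following added example (not part of the Cisco guide) turns collected syslog output into a per-port report, using the fact that a responding client produces one message and a silent client produces none. The function names, the sample log and the list of tested ports are assumptions made for illustration; the message layout is copied from the sample output on this page, and the log is assumed to cover the whole timeout window.

```python
import re
from collections import defaultdict

# Message layout taken from the sample output on this page. "\s+" tolerates a
# line wrap between "EAPOL" and "capable" in captured console output.
EAPOL_CAPABLE = re.compile(
    r"DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
    r" on (\S+) is EAPOL\s+capable"
)

def readiness_report(log_text, tested_ports):
    """Map each tested port to the sorted MACs that answered the readiness check.

    A port with an empty list produced no syslog message, so nothing on it
    responded within the timeout and its client is treated as not 802.1x-capable.
    """
    capable = defaultdict(set)
    for mac, port in EAPOL_CAPABLE.findall(log_text):
        capable[port.lower()].add(mac.lower())
    return {p: sorted(capable.get(p.lower(), ())) for p in tested_ports}

def silent_ports(report):
    """Ports where no client responded; review these before enforcing 802.1x."""
    return [port for port, macs in report.items() if not macs]

# Constructed sample: the first message is the one shown on this page, the
# other two are invented to model a multi-host port (PC behind an IP phone).
SAMPLE_LOG = """\
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL
capable
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a4 on gigabitethernet1/0/14 is EAPOL capable
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a5 on gigabitethernet1/0/14 is EAPOL capable
"""
# Hypothetical list of ports the check was run against.
TESTED = ["gigabitethernet1/0/13", "gigabitethernet1/0/14", "gigabitethernet1/0/15"]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_LOG, TESTED)
    for port, macs in report.items():
        print(port, "->", ", ".join(macs) if macs else "no EAPOL response")
    print("not ready:", silent_ports(report))
```

Ports listed as not ready are the ones whose attached devices would fail authentication once 802.1x is enforced, so they need a supplicant or an alternative access method planned before cutover.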
OL-25303-03