Chapter 8
Configuring 802.1X Port-Based Authentication
78-11380-04

Table 8-1 Default 802.1X Configuration (continued)

| Feature | Default Setting |
| --- | --- |
| Maximum retransmission number | 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process). |
| Multiple host support | Disabled. |
| Client timeout period | 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before retransmitting the request to the client). This setting is not configurable. |
| Authentication server timeout period | 30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before retransmitting the response to the server). This setting is not configurable. |

802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When the 802.1X protocol is enabled, ports are authenticated before any other Layer 2 feature is enabled.
• The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
  – Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  – Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
  – Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  – EtherChannel port—You must remove the port from the EtherChannel before enabling 802.1X on it. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  – Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port, an error message appears, and the security settings are not changed.
  – Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
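A pre-change audit of the port-type guidelines above, as an added example (not from the Cisco guide): it scans a running-config for the lines that mark each port type on which 802.1X is not supported, so conflicts are found before the rollout. The sample config, the function names and the exact command spellings matched are assumptions; adjust the patterns to the software release in use.

```python
import re

# Constructed running-config excerpt (illustrative, not from the guide).
SAMPLE_CONFIG = """\
monitor session 1 destination interface Fa0/6
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/4
 switchport access vlan dynamic
interface FastEthernet0/5
 channel-group 1 mode on
interface FastEthernet0/6
interface FastEthernet0/7
 switchport port-security
"""

# (pattern, port type named in the guidelines), matched per stanza line.
# Command spellings are assumed; they vary between software releases.
RULES = [
    (r"switchport mode trunk$", "trunk"),
    (r"switchport mode dynamic\b", "dynamic"),
    (r"switchport access vlan dynamic$", "dynamic-access"),
    (r"channel-group \d+", "EtherChannel"),
    (r"switchport port-security\b", "secure"),
]

def short(name):
    """Normalize 'FastEthernet0/6' and 'Fa0/6' to the same key, 'fa0/6'."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*\s*([\d/]+)$", name.strip())
    return (m.group(1) + m.group(2)).lower() if m else name.lower()

def dot1x_blockers(config):
    """Return {interface: [conflicting port types]}; [] means none found."""
    span = {short(n) for n in re.findall(
        r"^monitor session \d+ destination interface (\S+)", config, re.M)}
    found, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = short(line.split(None, 1)[1])
            found[cur] = ["SPAN destination"] if cur in span else []
        elif not raw.startswith(" "):
            cur = None  # unindented line ends the interface stanza
        elif cur:
            found[cur] += [t for p, t in RULES if re.match(p, line)]
    return found
```

An empty list only means no conflicting line was found; it does not prove the port is an explicitly configured static-access port.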
Catalyst 2950 Desktop Switch Software Configuration Guide
Configuring 802.1X Authentication