802.1X Port-Based Authentication Guidelines and Restrictions
Table 25-1 Default 802.1X Configuration (continued)
Feature
Retransmission time
Maximum retransmission number
Multiple host support
Client timeout period
Authentication server timeout period
802.1X Port-Based Authentication Guidelines and Restrictions
Follow these guidelines and restrictions when configuring 802.1X port-based authentication:
•
•
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
25-6
When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are
enabled.
The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but
it is not supported on these port types:
Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
–
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
–
EtherChannel port-channel interface. If you try to enable 802.1X on an EtherChannel
port-channel interface or on an individual active port in an EtherChannel, an error message
appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active individual port of
an EtherChannel, the port does not join the EtherChannel.
Secure port—You cannot configure a secure port as an 802.1X port. If you try to enable 802.1X
–
on a secure port, an error message appears, and 802.1X is not enabled. If you try to change an
802.1X-enabled port to a secure port, an error message appears, and the security settings are not
changed.
–
Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN
destination port; however, 802.1X is disabled until the port is removed as a SPAN destination
port. You can enable 802.1X on a SPAN source port.
Chapter 25
Configuring IEEE 802.1X Port-Based Authentication
Default Setting
30 seconds (number of seconds that the switch should
wait for a response to an EAP request/identity frame
from the client before retransmitting the request)
2 times (number of times that the switch will send an
EAP-request/identity frame before restarting the
authentication process)
Disabled
30 seconds (when relaying a request from the
authentication server to the client, the amount of time the
switch waits for a response before retransmitting the
request to the client)
30 seconds (when relaying a response from the client to
the authentication server, the amount of time the switch
waits for a reply before retransmitting the response to the
server)
78-14099-04