The tasks involved with configuring 802.1x port-based authentication on a
switch are shown in Figure .

The table in Figure describes the default 802.1x configuration on a switch.

802.1x Configuration Guidelines

When 802.1x is enabled, ports are
authenticated before any other Layer 2 features are enabled. The 802.1x
protocol is supported on Layer 2 static-access ports, but it is not supported
on the following port types:
- Trunk port – If an administrator attempts to configure 802.1x on a
trunk port, an error message appears, and 802.1x is not enabled. If an
administrator attempts to change the mode of an 802.1x-enabled port to trunk,
the port mode is not changed.
- Dynamic ports – A port in dynamic mode can negotiate with its
neighbor to become a trunk port. If an administrator attempts to enable 802.1x
on a dynamic port, an error message appears, and 802.1x is not enabled. If an
administrator attempts to change the mode of an 802.1x-enabled port to dynamic,
the port mode is not changed.
- Dynamic-access ports – If an administrator attempts to enable 802.1x
on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears,
and 802.1x is not enabled. If an administrator attempts to change an
802.1x-enabled port to dynamic VLAN assignment, an error message appears, and
the VLAN configuration is not changed.
- EtherChannel port – Before 802.1x is enabled on a port, the port must
first be removed from the EtherChannel. If an administrator attempts to enable
802.1x on an EtherChannel or on an active port in an EtherChannel, an error
message appears, and 802.1x is not enabled. If 802.1x is enabled on a
not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
- Secure port – A secure port cannot be configured as an 802.1x port.
If an administrator attempts to enable 802.1x on a secure port, an error
message appears, and 802.1x is not enabled. If an administrator attempts to
change an 802.1x-enabled port to a secure port, an error message appears, and
the security settings are not changed.
- Switched Port Analyzer (SPAN) destination port – 802.1x can be
enabled on a port that is a SPAN destination port. However, 802.1x is disabled
until the port is removed as a SPAN destination. 802.1x can be enabled on a
SPAN source port.
- The 802.1x protocol is not supported on an LRE switch interface that has a
Cisco 585 LRE CPE connected to it.
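
A pre-deployment check for the port types listed above, as an added example that is not part of the original page: it scans a saved running-config and reports which interfaces would reject 802.1x or leave it disabled. The IOS command strings in the patterns, the function name `dot1x_blockers`, and the sample configuration are assumptions introduced for this illustration.

```python
import re
# Interface-level IOS settings (assumed syntax) matching the port types listed above.
BLOCKERS = [
    (re.compile(r"switchport mode trunk\b"), "trunk port"),
    (re.compile(r"switchport mode dynamic\b"), "dynamic port"),
    (re.compile(r"switchport access vlan dynamic\b"), "dynamic-access (VQP) port"),
    (re.compile(r"channel-group \d+"), "EtherChannel member"),
    (re.compile(r"switchport port-security$"), "secure port"),
]
# SPAN destinations are declared globally, not under the interface stanza.
SPAN_DEST = re.compile(r"monitor session \d+ destination interface (\S+)")

def dot1x_blockers(config_text):
    """Return {interface: [reasons]} for ports where 802.1x cannot be active."""
    reasons, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
        elif raw[:1] == " " and current:
            for pattern, label in BLOCKERS:
                if pattern.match(line):
                    reasons.setdefault(current, []).append(label)
        else:
            current = None  # "!" or a global command ends the stanza
            m = SPAN_DEST.match(line)
            if m:
                reasons.setdefault(m.group(1), []).append("SPAN destination")
    return reasons

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport port-security
!
interface FastEthernet0/4
 channel-group 1 mode on
!
interface FastEthernet0/5
 switchport access vlan dynamic
!
monitor session 1 destination interface Fa0/6
"""
```

Only explicitly configured settings appear in a running-config, so a port missing from the result should still have its operational mode confirmed on the switch before 802.1x is enabled.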