Configuring 802.1x Port-Based Authentication
802.1x port-based authentication configuration tasks

The tasks involved with configuring 802.1x port-based authentication on a switch are shown in Figure .

The table in Figure describes the default 802.1x configuration on a switch.

802.1x Configuration Guidelines
When 802.1x is enabled, ports are authenticated before any other Layer 2 features are enabled. The 802.1x protocol is supported on Layer 2 static-access ports, but it is not supported on the following port types:

  • Trunk port – If an administrator attempts to configure 802.1x on a trunk port, an error message appears, and 802.1x is not enabled. If an administrator attempts to change the mode of an 802.1x-enabled port to trunk, the port mode is not changed.
  • Dynamic port – A port in dynamic mode can negotiate with its neighbor to become a trunk port. If an administrator attempts to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not enabled. If an administrator attempts to change the mode of an 802.1x-enabled port to dynamic, the port mode is not changed.
  • Dynamic-access ports – If an administrator attempts to enable 802.1x on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1x is not enabled. If an administrator attempts to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  • EtherChannel port – Before enabling 802.1x on the port, it must first be removed from the EtherChannel. If an administrator attempts to enable 802.1x on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1x is not enabled. If 802.1x is enabled on a not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
  • Secure port – A secure port cannot be configured as an 802.1x port. If an administrator attempts to enable 802.1x on a secure port, an error message appears, and 802.1x is not enabled. If an administrator attempts to change an 802.1x-enabled port to a secure port, an error message appears, and the security settings are not changed.
  • Switched Port Analyzer (SPAN) destination port – 802.1x can be enabled on a port that is a SPAN destination port. However, 802.1x is disabled until the port is removed as a SPAN destination. 802.1x can be enabled on a SPAN source port.
  • The 802.1x protocol is not supported on an LRE switch interface that has a Cisco 585 LRE CPE connected to it.
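The guidelines above can be checked before rollout by scanning a saved configuration for ports where 802.1x would be rejected or stay inactive. The following is an added example, not part of the original page: the sample configuration is constructed, the names `dot1x_conflicts` and `short` are hypothetical, and the Cisco IOS command syntax it matches is assumed rather than shown on the page.

```python
import re

# Constructed sample running-config. Only explicit lines are checked, so a port
# left at its platform-default mode (no "switchport mode" line) is not flagged.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode dynamic desirable
interface FastEthernet0/4
 switchport access vlan dynamic
interface FastEthernet0/5
 channel-group 1 mode on
interface FastEthernet0/6
 switchport port-security
interface FastEthernet0/7
 dot1x port-control auto
monitor session 1 destination interface Fa0/7
"""

# Interface sub-command pattern -> port type from the guidelines above.
RULES = [
    (r"switchport mode trunk$", "trunk port"),
    (r"switchport mode dynamic (auto|desirable)$", "dynamic port"),
    (r"switchport access vlan dynamic$", "dynamic-access (VQP) port"),
    (r"channel-group \d+ mode \S+$", "EtherChannel member"),
    (r"switchport port-security$", "secure port"),
]
SPAN_DST = re.compile(r"monitor session \d+ destination interface (\S+)")

def short(name):  # FastEthernet0/7 -> Fa0/7, the form used in monitor lines
    return re.sub(r"^([A-Za-z]{2})[A-Za-z-]*", r"\1", name)

def dot1x_conflicts(config):
    """Return {port: [reasons 802.1x cannot be enabled or stay active]}."""
    found, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = short(line.split()[1])
        elif line.startswith(" ") and current:
            found.setdefault(current, []).extend(
                why for pat, why in RULES if re.match(pat, line.strip()))
        else:  # global command: leave interface context, look for SPAN
            current = None
            if (m := SPAN_DST.match(line)):
                found.setdefault(short(m.group(1)), []).append("SPAN destination")
    return {port: why for port, why in found.items() if why}
```

In the sample, Fa0/7 accepts the 802.1x command but is reported because 802.1x stays disabled while the port is a SPAN destination.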