802.1X Configuration Guidelines; Enabling 802.1X Authentication - Cisco 4500M Software Manual
Software guide
Hide thumbs
Also See for 4500M:
- Command reference manual (578 pages) ,
- Hardware installation and maintenance manual (143 pages) ,
- Upgrade manual (24 pages)
Table of Contents
Advertisement
Chapter 31
Understanding and Configuring 802.1X Port-Based Authentication
802.1X Configuration Guidelines
This section describes the guidelines for configuring 802.1X authentication:
•
If you are planning to use either 802.1X accounting or VLAN assignment, be aware that both features
utilize general AAA commands. For information how to configure AAA, refer to "Enabling 802.1X
Authentication" on page 13 and "Enabling 802.1X Accounting" on page 16. Alternatively, you can refer
to the Cisco IOS security documentation.
Refer to the following Cisco IOS security documentation for information on how to configure AAA
system accounting:
•
•
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you first must enable 802.1X globally on your switch, then
enable AAA and specify the authentication method list. A method list describes the sequence and
authentication methods that must be queried to authenticate a user.
The software uses the first method listed in the method list to authenticate users; if that method fails to
respond, the software selects the next authentication method in the list. This process continues until there
is successful communication with a listed authentication method or until all defined methods are
exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other
authentication methods are attempted.
To allow VLAN assignment, you must enable AAA authorization to configure the switch for all
network-related service requests.
OL-6696-01
The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but
it is not supported on the following port types:
Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X
–
is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode
is not changed.
Default ports—All ports default as dynamic-access ports (auto). Use the no switchport
–
command to access a router port.
Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk
–
port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is
not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode
is not changed.
EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the
–
EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a
not-yet active port of an EtherChannel, the port does not join the EtherChannel.
–
Switched Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a
SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN
destination. You can enable 802.1X on a SPAN source port.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
Software Configuration Guide—Release 12.2(25)EW
How to Configure 802.1X
31-13
Advertisement
Table of Contents
