Catalyst 3550-Configuring 802.1X Port-Based Authentication

www.net130.com    Date: 2005-5-26
Source: Cisco website

Configuring 802.1X Authentication

These sections describe how to configure 802.1X port-based authentication on your switch:

Default 802.1X Configuration

802.1X Configuration Guidelines

Enabling 802.1X Authentication (required)

Configuring the Switch-to-RADIUS-Server Communication (required)

Enabling Periodic Re-Authentication (optional)

Manually Re-Authenticating a Client Connected to a Port (optional)

Changing the Quiet Period (optional)

Changing the Switch-to-Client Retransmission Time (optional)

Setting the Switch-to-Client Frame-Retransmission Number (optional)

Enabling Multiple Hosts (optional)

Resetting the 802.1X Configuration to the Default Values (optional)

Default 802.1X Configuration

Table 9-1 shows the default 802.1X configuration.

Table 9-1 Default 802.1X Configuration

Feature                                        Default Setting
---------------------------------------------  -----------------------------------------------------------
Authentication, authorization, and             Disabled.
accounting (AAA)
RADIUS server: IP address                      None specified.
RADIUS server: UDP authentication port         1812.
RADIUS server: key                             None specified.
Per-interface 802.1X enable state              Disabled (force-authorized). The port sends and receives
                                               normal traffic without 802.1X-based authentication of
                                               the client.
Periodic re-authentication                     Disabled.
Number of seconds between                      3600 seconds.
re-authentication attempts
Quiet period                                   60 seconds (number of seconds that the switch remains in
                                               the quiet state following a failed authentication exchange
                                               with the client).
Retransmission time                            30 seconds (number of seconds that the switch should wait
                                               for a response to an EAP request/identity frame from the
                                               client before resending the request).
Maximum retransmission number                  2 times (number of times that the switch will send an
                                               EAP-request/identity frame before restarting the
                                               authentication process).
Multiple host support                          Disabled.
Client timeout period                          30 seconds (when relaying a request from the authentication
                                               server to the client, the amount of time the switch waits
                                               for a response before resending the request to the client).
Authentication server timeout period           30 seconds (when relaying a response from the client to the
                                               authentication server, the amount of time the switch waits
                                               for a reply before resending the response to the server.
                                               This setting is not configurable.)


802.1X Configuration Guidelines

These are some configuration guidelines and operating characteristics of 802.1X authentication:

When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.

Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port. You can enable 802.1X on a SPAN or RSPAN source port.

If you try to enable 802.1X on a secure port without enabling the multiple-hosts mode, the switch returns an error message, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to a secure port without enabling the multiple-hosts mode, the switch returns an error message, and the security settings are not changed.

When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
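The guidelines above list the port types and port settings on which the switch refuses to enable 802.1X. As an added example (not Cisco's code or documentation), the Python audit below reads a saved running-config fragment and reports every 802.1X-enabled interface that would hit one of those errors, so the problem is caught before the configuration is pushed. The IOS interface sub-command spellings it matches (switchport mode trunk, switchport mode dynamic, channel-group, switchport port-security, switchport access vlan, switchport voice vlan, dot1x port-control auto, dot1x multiple-hosts) are assumptions, and the sample configuration is constructed.

```python
# Constructed sample running-config fragment (not taken from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode trunk
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport voice vlan 20
 switchport port-security
 dot1x port-control auto
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 channel-group 1 mode on
 dot1x port-control auto
"""

UNSUPPORTED_PORT_TYPES = {  # sub-command prefix -> port type that refuses 802.1X
    "switchport mode trunk": "trunk port",
    "switchport mode dynamic": "dynamic port",
    "channel-group": "EtherChannel member",
}

def parse_interfaces(config):
    """Map each 'interface <name>' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit_dot1x(config):
    """List (interface, violation) pairs for every 802.1X-enabled port."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" not in cmds:
            continue  # still at the force-authorized default; nothing to check
        findings += [(name, label) for prefix, label in UNSUPPORTED_PORT_TYPES.items()
                     if any(c.startswith(prefix) for c in cmds)]
        if any(c.startswith("switchport port-security") for c in cmds) \
                and "dot1x multiple-hosts" not in cmds:
            findings.append((name, "secure port without multiple-hosts"))
        vlans = {c.split()[1]: c.split()[-1] for c in cmds if " vlan " in c}
        if "access" in vlans and vlans["access"] == vlans.get("voice"):
            findings.append((name, "port VLAN equals voice VLAN"))
    return findings
```

Running audit_dot1x(SAMPLE_CONFIG) returns one pair per violation; an interface left at the force-authorized default is skipped because the guidelines only apply once 802.1X is enabled on it.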
