Foundation Topics

Prior to configuring 802.1x port-based authentication, you need to consider several limitations. The 802.1x protocol is supported on Layer 2 static access ports, voice virtual LAN (VLAN) ports, and multi-VLAN access ports (MVAP).

Trunk, dynamic, dynamic-access, and EtherChannel ports, as well as Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports, do not support the 802.1x protocol. A port that belongs to an EtherChannel group must be removed from the group before 802.1x is configured on it. RSPAN VLANs and voice VLANs may not be used as an 802.1x guest VLAN, and the guest VLAN feature is not supported on routed or trunk ports.

Cisco Secure Access Control Server (ACS) supports 802.1x authentication for switches running Cisco IOS Software Release 12.1(14)EA1 starting with ACS version 3.2.1; earlier ACS versions do not.

In environments upgrading to Cisco IOS Software Release 12.1(14) or later, existing 802.1x commands have changed and new commands have been introduced. For the exact commands used to enable 802.1x on your release, refer to the online documentation.

The 802.1x protocol allows the switch to act as the intermediary between the client and the AAA server. The switch uses 802.1x (EAP carried over the LAN) to communicate with the client, and communicates with the authentication, authorization, and accounting (AAA) server via RADIUS. These exchanges authenticate the user and the computer and apply the policies that govern access to the network. The switch is aware of the transaction throughout, and upon successful authentication it dynamically applies the returned policies and enables the connected switch interface; until then the port passes only 802.1x traffic. Figure 18-1 depicts the typical communications scenario for a system attempting to gain access to the network.
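The three-party exchange described above, written here as an added Python model (it is not code from the book, from Cisco IOS, or from ACS, and it does not reproduce Figure 18-1). A supplicant, the switch acting as authenticator, and a RADIUS server run an EAP-MD5 round trip over simulated EAPOL and RADIUS messages. The class names, the user alice, her password and the VLAN number are constructed for the example. The points it shows are the ones the text makes: the switch relays EAP without ever seeing the password, keeps the port closed to everything but EAPOL until the AAA server answers Access-Accept, and only then applies the returned policy (here a VLAN in the Tunnel-Private-Group-ID attribute) and authorizes the port.

```python
"""Toy model of 802.1x port-based authentication (added example, not vendor code).
Supplicant <-> switch over EAPOL, switch <-> AAA server over RADIUS."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Eap:
    """One EAP packet: carried in EAPOL toward the client, in RADIUS toward AAA."""
    code: str        # "request" | "response" | "success" | "failure"
    kind: str        # "identity" | "md5-challenge" | ""
    ident: int       # EAP Identifier byte; a response reuses its request's value
    data: bytes = b""


class Supplicant:
    """The client. Only it knows the password; it never talks to RADIUS directly."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password.encode()

    def respond(self, req: Eap) -> Eap:
        if req.kind == "identity":
            return Eap("response", "identity", req.ident, self.identity.encode())
        if req.kind == "md5-challenge":
            # EAP-MD5 (RFC 3748 / RFC 1994): MD5(Identifier || password || challenge)
            digest = hashlib.md5(bytes([req.ident]) + self.password + req.data).digest()
            return Eap("response", "md5-challenge", req.ident, digest)
        raise ValueError(f"unexpected EAP request type {req.kind!r}")


class RadiusServer:
    """The AAA server: user database plus the per-user policy (here, a VLAN)."""
    def __init__(self, users: dict):
        self.users = users       # identity -> (password, vlan); constructed data
        self.pending = {}        # identity -> (ident, challenge) awaiting a response

    def access_request(self, eap: Eap, state=None):
        """Return (RADIUS code, EAP packet for the client, RADIUS attributes)."""
        if eap.kind == "identity":
            identity = eap.data.decode()
            if identity not in self.users:
                return "Access-Reject", Eap("failure", "", eap.ident), {}
            ident, challenge = eap.ident + 1, os.urandom(16)
            self.pending[identity] = (ident, challenge)
            # The State attribute is echoed by the switch so the server can match rounds.
            return ("Access-Challenge",
                    Eap("request", "md5-challenge", ident, challenge), {"State": identity})
        if state not in self.pending:
            return "Access-Reject", Eap("failure", "", eap.ident), {}
        ident, challenge = self.pending.pop(state)
        password, vlan = self.users[state]
        expected = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
        if ident == eap.ident and hmac.compare_digest(eap.data, expected):
            return "Access-Accept", Eap("success", "", ident), {"Tunnel-Private-Group-ID": vlan}
        return "Access-Reject", Eap("failure", "", eap.ident), {}


class Switch:
    """The authenticator: relays EAP and enforces the AAA verdict on its port."""
    def __init__(self, radius: RadiusServer):
        self.radius, self.port_authorized, self.vlan, self.log = radius, False, None, []

    def forward(self, frame_type: str) -> bool:
        # An unauthorized 802.1x port passes only EAPOL; all other frames are dropped.
        return self.port_authorized or frame_type == "EAPOL"

    def authenticate(self, client: Supplicant) -> bool:
        self.port_authorized, self.vlan, self.log = False, None, []
        self.log.append("EAPOL-Start               client -> switch")
        req, state = Eap("request", "identity", 1), None
        self.log.append("EAP-Request/Identity      switch -> client")
        while True:
            resp = client.respond(req)
            self.log.append(f"EAP-Response/{resp.kind:<13} client -> switch")
            # The switch wraps the EAP packet in a RADIUS Access-Request (EAP-Message).
            code, req, attrs = self.radius.access_request(resp, state)
            self.log.append(f"RADIUS {code:<19} AAA -> switch")
            if code == "Access-Challenge":
                state = attrs["State"]
                self.log.append(f"EAP-Request/{req.kind:<14} switch -> client")
                continue
            self.log.append(f"EAP-{req.code.capitalize():<22} switch -> client")
            if code == "Access-Accept":
                # Apply the policy the AAA server returned, then open the port.
                self.vlan = attrs["Tunnel-Private-Group-ID"]
                self.port_authorized = True
            return self.port_authorized


def run_demo():
    """Constructed user database; returns (good-password result, bad-password result, log)."""
    sw = Switch(RadiusServer({"alice": ("s3cret", "20")}))
    ok = sw.authenticate(Supplicant("alice", "s3cret"))
    good_log = list(sw.log)
    bad = sw.authenticate(Supplicant("alice", "wrong"))
    return ok, bad, good_log


if __name__ == "__main__":
    ok, bad, log = run_demo()
    print("\n".join(log))
    print("authorized with correct password:", ok, "| with wrong password:", bad)
```

Running the file prints the message sequence for the successful case. The design choice worth noting is that the switch holds no credentials and makes no decision of its own: it opens the port and applies the VLAN only on Access-Accept, and a reject, a wrong password, or an unknown identity all leave the port in the same unauthorized state where only EAPOL frames get through.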

