topic 802.1X on Etherchannels in Network Access Control https://community.cisco.com/t5/network-access-control/802-1x-on-etherchannels/m-p/2100794#M161122 <P>We are deploying ISE and everything seems to be working just fine.</P><P>We have a series of servers accessing the network using etherchannels.</P><P>We are complete aware that 802.1X is not recommended for Servers but we would like to activate it for a proof of concept.</P><P></P><P>Is there a way (or work around) to activate 802.1X in a port-channel?</P><P></P><P>Thanks for your help!</P> Tue, 26 Mar 2019 00:29:49 GMT vbuendia 2019-03-26T00:29:49Z 802.1X on Etherchannels https://community.cisco.com/t5/network-access-control/802-1x-on-etherchannels/m-p/2100794#M161122 <P>We are deploying ISE and everything seems to be working just fine.</P><P>We have a series of servers accessing the network using etherchannels.</P><P>We are complete aware that 802.1X is not recommended for Servers but we would like to activate it for a proof of concept.</P><P></P><P>Is there a way (or work around) to activate 802.1X in a port-channel?</P><P></P><P>Thanks for your help!</P> Tue, 26 Mar 2019 00:29:49 GMT https://community.cisco.com/t5/network-access-control/802-1x-on-etherchannels/m-p/2100794#M161122 vbuendia 2019-03-26T00:29:49Z Re: 802.1X on Etherchannels https://community.cisco.com/t5/network-access-control/802-1x-on-etherchannels/m-p/2100795#M161168 <HTML><HEAD></HEAD><BODY><P>Hello <A _jive_internal="true" href="https://community.cisco.com/people/vbuendia" id="jive-43396718154338285827786" rel="nofollow" style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; outline: none; color: #000000; font-weight: bold; font-family: Arial, verdana, sans-serif;">vbuendia</A>, I wonder if we know each other? <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>802.1x is not supported on port-channels. You can potentially look into SGA for securing servers in your environment.</P><P></P><P>Here is a snip-it from the 15.x configuration guide:</P><P></P><P style="margin: 0in; margin-bottom: .0001pt;"><SPAN style="font-size: 8pt;"><STRONG>The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">routed ports, but it is not supported on these port types:</STRONG></P><P></P><P style="margin: 0in 0in 0.0001pt;"><SPAN style="font-size: 8pt;"><STRONG>– Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">appears, and 802.1x authentication is not enabled. If you try to change the mode of an</STRONG></P><P><STRONG style="font-size: 8pt;">802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.</STRONG></P><P></P><P style="margin: 0in 0in 0.0001pt;"><SPAN style="font-size: 8pt;"><STRONG>– Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">port. If you try to enable 802.1x authentication on a dynamic port, an error message appears,</STRONG></P><P><STRONG style="font-size: 8pt;">and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled</STRONG></P><P><STRONG style="font-size: 8pt;">port to dynamic, an error message appears, and the port mode is not changed.</STRONG></P><P></P><P style="margin: 0in 0in 0.0001pt;"><SPAN style="font-size: 8pt;"><STRONG>– Dynamic-access ports—If you try to enable 802.1x authentication on a dynamic-access (VLAN</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not</STRONG></P><P><STRONG style="font-size: 8pt;">enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error</STRONG></P><P><STRONG style="font-size: 8pt;">message appears, and the VLAN configuration is not changed.</STRONG></P><P></P><P style="margin: 0in 0in 0.0001pt;"><SPAN style="font-size: 8pt;"><STRONG>– <SPAN style="color: #ff0000;">EtherChannel port</SPAN>—Do not configure a port that is an active or a not-yet-active member of an</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel</STRONG></P><P><STRONG style="font-size: 8pt;">port, an error message appears, and 802.1x authentication is not enabled.</STRONG></P><P></P><P style="margin: 0in 0in 0.0001pt;"><SPAN style="font-size: 8pt;"><STRONG>– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can</STRONG></SPAN></P><P><STRONG style="font-size: 8pt;">enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However,</STRONG></P><P><STRONG style="font-size: 8pt;">802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination</STRONG></P><P><STRONG style="font-size: 8pt;">port. You can enable 802.1x authentication on a SPAN or RSPAN source port.</STRONG></P><P></P><P></P><P></P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Wed, 30 Jan 2013 03:06:35 GMT https://community.cisco.com/t5/network-access-control/802-1x-on-etherchannels/m-p/2100795#M161168 nspasov 2013-01-30T03:06:35Z