Dot1X on trunk port

gilou_1973
Level 1

Hello,

I need to authenticate a trunk port (with dot1x) to which a development machine that hosts virtual machines is connected.

So, the port the machine is connected to is a dot1q port.

Therefore I'd like to authenticate this machine with DOT1x, and for now it fails.

FYI dot1x runs successfully on a normal switch access port.

The platform is a Catalyst 2960S, running the 15.0(1)SE2 IOS.

I'm using an EAP authentication method based on a computer certificate.

Below is the configuration of the switch and port:

Thanks for your help

Global config:

aaa new-model
!
aaa group server radius G1
 server 10.4.22.148 auth-port 1812 acct-port 1813
 server 10.4.22.149 auth-port 1812 acct-port 1813
!
aaa authentication login default group G1 local
aaa authentication login console local
aaa authentication dot1x default group G1
aaa authorization exec default local
aaa authorization exec G1 if-authenticated
aaa authorization network default group G1
aaa session-id common


radius-server host 10.4.22.148 auth-port 1812 acct-port 1813 key 7 xxxxxx
radius-server host 10.4.22.149 auth-port 1812 acct-port 1813 key 7 xxxxxx
radius-server timeout 3
radius-server deadtime 1

Machine port config:
interface GigabitEthernet4/0/8
 description TEST_DEV_ON_VL141
 switchport trunk allowed vlan 141,211
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
 dot1x max-reauth-req 5
 storm-control broadcast level 20.00
 storm-control action shutdown
 no cdp enable
 spanning-tree bpduguard enable
 ip igmp filter 1
end

2 Accepted Solutions: the replies from Venkatesh Attuluri and Saurav Lodh below.

6 Replies

Venkatesh Attuluri
Cisco Employee

802.1X Configuration Guidelines

These are some configuration guidelines and operating characteristics of 802.1X authentication:

When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.

Dynamic-access ports—If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port. You can enable 802.1X on a SPAN or RSPAN source port.

With Release 12.2(33)SXJ and later releases, you can enter the commands to enable 802.1X authentication on a trunk port or change the mode of an 802.1X-enabled port to trunk, but 802.1X authentication works only on trunk ports configured to support a switch supplicant (SSw). Configure 802.1X authentication on trunk ports only to support NEAT (CSCtx16322).

dot1x pae supplicant (not authenticator)

With releases earlier than Release 12.2(33)SXJ, if you try to enable 802.1X authentication on a trunk port, an error message appears, and 802.1X authentication is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, an error message appears, and the port mode is not changed. Refer

HTH

"Please rate helpful posts"

Thanks for the feedback.
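The guidelines above mean that a port can carry 802.1X authenticator commands in its running configuration and still enforce nothing, which is exactly the situation in the question: the 2960S accepted dot1x on a trunk port without complaint. A quick way to find such ports before they reach production is to audit the configuration text for 802.1X on the port types the guidelines exclude. The following Python script is an added example, not code from the thread or from Cisco. The sample configuration embeds the GigabitEthernet4/0/8 stanza from the question; the other four interfaces are constructed here for contrast and their names and VLANs are invented.

```python
"""Audit a Cisco IOS running-config for 802.1X configured on port types the
802.1X configuration guidelines exclude: trunk, dynamic (DTP), dynamic-access
(VQP) and EtherChannel member ports. Added example; not from the thread."""
import re
from typing import Dict, List, Tuple

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")

# Constructed sample config. Gi4/0/8 is the stanza posted in the question;
# the remaining interfaces are invented here to exercise each check.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/0/8
 description TEST_DEV_ON_VL141
 switchport trunk allowed vlan 141,211
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 3
!
interface GigabitEthernet4/0/9
 description NORMAL_ACCESS_PORT
 switchport mode access
 switchport access vlan 141
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet4/0/10
 switchport mode dynamic desirable
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet4/0/11
 switchport mode access
 channel-group 1 mode active
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet4/0/12
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        match = INTERFACE_RE.match(raw)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or an unindented global command ends the stanza
    return blocks


def dot1x_enabled(lines: List[str]) -> bool:
    """True if the port is configured as an 802.1X authenticator."""
    return any(
        line == "dot1x pae authenticator"
        or line.startswith("authentication port-control auto")
        for line in lines
    )


def unsupported_reason(lines: List[str]) -> str:
    """Return why 802.1X cannot work on this port type, or '' if it can."""
    for line in lines:
        if line == "switchport mode trunk":
            return "trunk port"
        if line.startswith("switchport mode dynamic"):
            return "dynamic (DTP) port"
        if line == "switchport access vlan dynamic":
            return "dynamic-access (VQP) port"
        if line.startswith("channel-group "):
            return "EtherChannel member"
    return ""


def audit_dot1x(config: str) -> List[Tuple[str, str]]:
    """List (interface, reason) for every 802.1X port of an unsupported type."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        if not dot1x_enabled(lines):
            continue
        reason = unsupported_reason(lines)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_dot1x(SAMPLE_CONFIG):
        print(f"{name}: 802.1X configured on {reason}; authentication is not enforced")
```

Run against the sample, the audit flags Gi4/0/8 (trunk), Gi4/0/10 (dynamic) and Gi4/0/11 (EtherChannel member) and passes Gi4/0/9, the plain access port on which dot1x already works for the poster. On the switch itself, `show dot1x interface GigabitEthernet4/0/8 details` and `show authentication sessions interface GigabitEthernet4/0/8` show whether an authenticator session actually exists on the port, regardless of what the running-config says.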

Saurav Lodh
Level 7

The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on trunk port.

gilou_1973
Level 1

Thanks for your assistance

gilou_1973
Level 1

Thanks a lot for the feedback