802.1X ports cannot be configured as dynamic access ports. A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed. See the following document for details:
Yeah I know I know - it can't be done with trunk ports - anybody know if this is on the roadmap? I have a VoIP network (avvid) , where essentially all ports on my network are 802.1q trunk ports (for voip support) and I need to be able to do 802.1x from the back of the phone (and ports configured as trunk ports that aren't phone connected) - Doing this any other way creates a management nightmare.
You can consider Multi-VLAN Access ports. Here is a sample working config that demonstrates this:
switchport mode access
switchport access vlan
switchport voice vlan
dot1x port-control auto
This allows for 802.1x and VoIP to co-exist at the same time. Insure your switch/rev has support for the "802.1x with VVID" feature, which works automatically based on the port config above.
Hope this helps.
I actually tried that on my 4510 switch as well - it detected the voice vlan parameter and refused to work. I need to research on the 802.1x with AVVID feature to see what that's all about.
What is the exact problem you are facing? Is it the VLAN assignment itself or is it getting the IP Address afterwards via DHCP? I have gotten it to work in a test environment but unfortunately with Foundry switches; have not gotten a chance to test it with Cisco's 802.1x implementation yet. By the way a single signon for both 802.1x and Windows Domain was the hardest thing to accomplish but things might have improved by now.
By the way this post is meant for the original poster. I did not realize this post was an year old :)
I'm trying to implement 802.1x in a wired environment, with 2950 Switch, Active directory and Cisco ACS 3.2. I need this to work without certificates, using EAP-MD5.But it doesn't work.
could you help me about it?