Configuration Guide Vol. 2


6.3 Notes on using IEEE 802.1X

<Structure of this section>

(1) Coexistence with other functions

For details about how IEEE 802.1X coexists with other functions, see 5.2 Compatibility between Layer 2 authentication and other functions.

(2) Notes on specifying a MAC VLAN as an access port

(3) Notes on Interim Packet-Transmit Interval

If you use interim packets with RADIUS Accounting, we recommend setting the Acct-Interim-Interval attribute (the interval, in seconds, at which interim accounting packets are sent) to 600 or more. The Switch sends an interim packet for every authenticated terminal at this interval, so the accounting traffic scales with the number of terminals, and a value below 600 can place a heavy load on both the network and the RADIUS server. Exercise caution before assigning such a value.
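As an added illustration of this note (example code written for this page, not part of the guide or the Switch firmware), the following Python parses the RADIUS attribute TLVs of a reply, extracts Acct-Interim-Interval (attribute type 85, a 32-bit integer in seconds, per RFC 2869), and estimates the steady-state interim accounting rate for a given number of authenticated terminals. The sample attribute blob, the User-Name value and the terminal counts are constructed for the example; the 600-second threshold is the guide's recommendation.

```python
import struct

USER_NAME = 1                # RADIUS attribute type 1
ACCT_INTERIM_INTERVAL = 85   # RADIUS attribute type 85 (RFC 2869), 32-bit seconds
RECOMMENDED_MIN = 600        # minimum interval recommended by this guide


def build_attribute(atype, value):
    """Encode one RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data):
    """Walk the RADIUS attribute TLVs in `data` and return [(type, value_bytes), ...].
    Length checks reject truncated or self-overlapping attributes."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def acct_interim_interval(attrs):
    """Return the Acct-Interim-Interval value in seconds, or None if the attribute is absent."""
    for atype, value in attrs:
        if atype == ACCT_INTERIM_INTERVAL:
            if len(value) != 4:
                raise ValueError("Acct-Interim-Interval must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def interim_load(interval, terminals):
    """Steady-state interim accounting packets generated when `terminals` authenticated
    terminals each report every `interval` seconds (one packet per terminal per interval)."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    per_second = terminals / interval
    return {
        "packets_per_second": per_second,
        "packets_per_hour": per_second * 3600,
        "meets_recommendation": interval >= RECOMMENDED_MIN,
    }


# Constructed sample: the attribute section of an Access-Accept that sets a 60-second interval.
SAMPLE_ACCEPT_ATTRS = (
    build_attribute(USER_NAME, b"host/pc01.example")
    + build_attribute(ACCT_INTERIM_INTERVAL, struct.pack("!I", 60))
)

if __name__ == "__main__":
    interval = acct_interim_interval(parse_attributes(SAMPLE_ACCEPT_ATTRS))
    for n in (100, 1000):
        print(interval, n, interim_load(interval, n))
        print(RECOMMENDED_MIN, n, interim_load(RECOMMENDED_MIN, n))
```

With 1,000 authenticated terminals, a 60-second interval produces roughly 60,000 interim packets per hour against the RADIUS server, versus 6,000 per hour at the recommended 600 seconds; the parser also shows where the value actually arrives, so the same check can be run against a captured reply before the interval is rolled out.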

(4) Notes on Coexistence of Static Entry Registration MAC and VLAN Authentication (Dynamic) Modes

If you use the mac-address-table static command to register a static entry in the MAC address table of an interface running in MAC VLAN mode, and the entry belongs to a VLAN subject to VLAN-based authentication (dynamic), the terminal that owns that MAC address cannot be authenticated correctly. Remove the static entry before authenticating the terminal.

(5) Setting the Aging Times for MAC Addressing in VLAN Based Authentication (Dynamic)

When using VLAN-based authentication (dynamic), do not set the MAC address aging time to 0 (unlimited) for either the port VLAN specified as the authentication default VLAN or the MAC VLAN used for VLAN-based authentication (dynamic). If aging is disabled, then when a terminal is moved to a new VLAN, the MAC address entries it left behind in the former VLAN are never aged out, and the MAC address table gradually fills with unused entries. To remove the stale entries for the former VLAN, use the clear mac-address-table command.

(6) Changing the timer value

If you change the value of a timer (tx-period, reauth-period, supp-timeout, quiet-period, or keep-unauth), the new value is not applied to an authentication unit until the timer currently running for that unit expires. To apply the change immediately, execute the clear dot1x auth-state command to clear the authentication status; note that terminals whose status is cleared must authenticate again.

(7) Precautions when placing an L2 switch between the terminal and the Switch

EAPOL frames from a terminal are sent to a multicast destination (the PAE group address 01-80-C2-00-00-03), not to the unicast address of the Switch. Therefore, if an L2 switch that forwards EAPOL frames is connected between the terminal and the Switch, it floods each EAPOL frame carrying the terminal's response to every port in the same VLAN. If the VLAN of the L2 switch is configured as described below, EAPOL frames from a single terminal arrive at more than one port on the Switch, and multiple ports attempt to authenticate the same terminal at the same time. This destabilizes the authentication process and can result in dropped connections, failed authentication, and other issues.

The figures below show examples of correct and prohibited configurations of an L2 switch between terminals and the Switch.

Figure 6-14: Example of prohibited configuration

[Figure Data]

Figure 6-15: Correct configuration example

[Figure Data]
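The symptom described in (7), the same terminal authenticating on several Switch ports at once, is easiest to catch from the authentication log before the connection problems are reported. The following Python is an added example written for this page (not the guide's or the Switch's own tooling) and assumes a constructed one-line-per-event log format; the Switch's real log format, the port names, MAC addresses and timestamps in the sample are all assumptions. It flags a MAC address whose authentication events appear on more than one port within a short window, while ignoring a MAC that merely moves to another port later (a laptop re-plugged elsewhere).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example, not the Switch's syslog format):
#   <ISO timestamp> dot1x port=<ifname> mac=<mac> event=<auth-start|auth-success|auth-fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dot1x port=(?P<port>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "port": m["port"],
        "mac": m["mac"].lower(),
        "event": m["event"],
    }


def find_multiport_supplicants(lines, window=timedelta(seconds=60)):
    """Return {mac: sorted list of ports} for every MAC whose authentication events were
    seen on more than one Switch port within `window` of each other. Events on a second
    port only after the window are treated as an ordinary move and are not flagged."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["mac"]].append((rec["ts"], rec["port"]))

    flagged = {}
    for mac, evs in events.items():
        evs.sort()                       # chronological; ties ordered by port name
        ports = set()
        for i, (ts, port) in enumerate(evs):
            for ts2, port2 in evs[i + 1:]:
                if ts2 - ts > window:    # later events are beyond the window
                    break
                if port2 != port:        # same terminal, two ports, close in time
                    ports.update({port, port2})
        if ports:
            flagged[mac] = sorted(ports)
    return flagged


# Constructed sample log: terminal ...:01 is flooded to ports 0/1 and 0/2 (the prohibited
# topology); ...:02 authenticates normally; ...:03 moves ports 90 minutes later.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 dot1x port=0/1 mac=aa:bb:cc:dd:ee:01 event=auth-start",
    "2024-05-01T09:00:00 dot1x port=0/2 mac=aa:bb:cc:dd:ee:01 event=auth-start",
    "2024-05-01T09:00:03 dot1x port=0/1 mac=aa:bb:cc:dd:ee:01 event=auth-fail",
    "2024-05-01T09:00:01 dot1x port=0/3 mac=aa:bb:cc:dd:ee:02 event=auth-success",
    "2024-05-01T09:00:02 dot1x port=0/4 mac=aa:bb:cc:dd:ee:03 event=auth-success",
    "2024-05-01T10:30:00 dot1x port=0/5 mac=aa:bb:cc:dd:ee:03 event=auth-success",
    "2024-05-01T10:30:05 unrelated message that the parser must skip",
]

if __name__ == "__main__":
    for mac, ports in find_multiport_supplicants(SAMPLE_LOG).items():
        print(f"{mac}: EAPOL seen on ports {', '.join(ports)} within the window")
```

A MAC reported on two or more ports at once points at an intermediate L2 switch flooding EAPOL frames as in Figure 6-14; the fix is to change that switch's VLAN configuration to the form shown in Figure 6-15, not to adjust the Switch's authentication timers.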