Restrictions and guidelines: 802.1X configuration

You can configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port. For more information about the port security feature, see "Configuring port security."

If the authentication server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.

On a port, the guest VLAN, Auth-Fail VLAN, and critical VLAN settings are mutually exclusive with the guest VSI, Auth-Fail VSI, and critical VSI settings.

For successful assignment of authorization VLANs or authorization VSIs, make sure the following requirements are met:

For the 802.1X guest VSI feature to work correctly, do not configure this feature together with EAD assistant.

Do not change the link type of a port when the 802.1X guest VLAN, Auth-Fail VLAN, or critical VLAN on the port has users.

Features about the 802.1X VSI manipulation are supported on both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. These features include 802.1X, 802.1X guest VSI, 802.1X Auth-Fail VSI, 802.1X critical VSI, and the maximum number of concurrent 802.1X users on a port. Other 802.1X features are supported only on Layer 2 Ethernet interfaces.

After a Layer 2 Ethernet interface is added to an aggregation group, 802.1X settings on the interface do not take effect.

Do not delete a Layer 2 aggregate interface if the interface has online 802.1X users.