Restrictions and guidelines: 802.1X configuration
You can configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port. For more information about the port security feature, see "Configuring port security."
If the authentication server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.
On a port, the guest VLAN, Auth-Fail VLAN, and critical VLAN settings are mutually exclusive with the guest VSI, Auth-Fail VSI, and critical VSI settings.
For successful assignment of authorization VLANs or authorization VSIs, make sure the following requirements are met:
If the 802.1X-enabled port is configured with the guest VLAN, Auth-Fail VLAN, or critical VLAN, configure the authentication server to assign authorization VLANs to 802.1X users.
If the 802.1X-enabled port is configured with the guest VSI, Auth-Fail VSI, or critical VSI, configure the authentication server to assign authorization VSIs to 802.1X users.
For the 802.1X guest VSI feature to work correctly, do not configure this feature together with EAD assistant.
Do not change the link type of a port when the 802.1X guest VLAN, Auth-Fail VLAN, or critical VLAN on the port has users.
Features about the 802.1X VSI manipulation are supported on both Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces. These features include 802.1X, 802.1X guest VSI, 802.1X Auth-Fail VSI, 802.1X critical VSI, and the maximum number of concurrent 802.1X users on a port. Other 802.1X features are supported only on Layer 2 Ethernet interfaces.
After a Layer 2 Ethernet interface is added to an aggregation group, 802.1X settings on the interface do not take effect.
Do not delete a Layer 2 aggregate interface if the interface has online 802.1X users.