Prerequisites for IEEE 802.1X VLAN Assignment
The following tasks must be completed before implementing the IEEE 802.1X VLAN Assignment feature:
-
IEEE 802.1X must be enabled on the device port.
-
The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).
-
EAP support must be enabled on the RADIUS server.
-
You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off. If you do not configure the IEEE 802.1X supplicant, an EAP-logoff message is not sent to the switch and the accompanying accounting Stop message is not sent to the authentication server. See the Microsoft Knowledge Base article at the location http://support.microsoft.com and set the SupplicantMode registry to 3 and the AuthMode registry to 1.
-
Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests. The authentication method list must be enabled and specified. A method list describes the sequence and authentication method to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for information.
-
The port must be successfully authenticated.
The IEEE 802.1X VLAN Assignment feature is available only on Cisco 89x and 88x series integrated switching routers (ISRs) that support switch ports.
The following ISR-G2 routers are supported:
-
1900
-
2900
-
3900
-
3900e
The following cards or modules support switch ports:
-
Enhanced High-speed WAN interface cards (EHWICs) with ACL support:
-
EHWIC-4ESG-P
-
EHWIC-9ESG-P
-
EHWIC-4ESG
-
EHWIC-9ESG
-
-
High-speed WAN interface cards (HWICs) without ACL support:
-
HWIC-4ESW-P
-
HWIC-9ESW-P
-
HWIC-4ESW
-
HWIC-9ES
-