Cisco Systems 2950 Configuring 802.1X Authentication

8-5

Catalyst2950 Desktop Switch Software Configuration Guide

78-11380-05

Chapter8 Configuring 802.1X Port-B as ed Authentication Configuring 802.1X Authentication

Supported Topologies

The 802.1X port-based authentication is supported in two topologies:

•Point-to-point

•Wireless LAN

In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the

802.1X-enabled switch port. The switch detects the client when the port link s tate changes to th e up state.

If a client leaves or is replaced with another client, the switch changes the port link state to down, and

the port returns to the unauthorized state.

Figure 8-3 shows 802.1X port-based authentication in a wireless LAN. T he 8 02. 1X p ort i s c onfigured

as a multiple-host port that becomes authorized as soon as one client is authenticated. When the port is

authorized, all other hosts indirectly attached to the port are granted access to the network. If the port

becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch

denies access to the network to all of the attached clients. In this topology, the wireless access point is

responsible for authenticating the clients attached to it, and the wireless access point acts as a client to

the switch.

Figure8-3 Wireless LAN Example

Configuring 802.1X Authentication

These sections describe how to configure 802.1X port-based authentic ati on on yo ur sw itch:

•Default 802.1X Configuration, page 8-6

•802.1X Configuration Guidelines, page 8-7

•Enabling 802.1X Authentication, page 8-8 (required)

•Configuring the Switch-to-RADIUS-Server Communication, page 8-9 (required)

•Enabling Periodic Re-Authentication, page 8-10 (optio na l)

•Manually Re-Authenticating a Client Connected to a Port, page 8-11 (optional)

•Changing the Quiet Period, page 8-11 (optional)

•Changing the Switch-to-Client Retransmission Time, page 8-12 (optional)

•Setting the Switch-to-Client Frame-Retransmission Number, page 8-13 (optional)

•Enabling Multiple Hosts, page 8-13 (optional)

•Resetting the 802.1X Configuration to the Default Values, page 8-14 (optional)

Wireless clients

Access point Catalyst 2950 or

3550 switch

Authentication

server

(RADIUS)

74617

Contents

Main Catalyst 2950 Desktop Switch Software Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Page Conventions Related Publications Obtaining Documentation World Wide Web Documentation CD-ROM Ordering Documentation Obtaining Technical Assistance Cisco.com Technical Assistance Center Cisco TAC Website Cisco TAC Escalation Center Overview Features Page Page Page Management Options Management Interface Options Advantages of Using CMS and Clustering Switches Network Configuration Examples Design Concepts for Using the Switch Page Page 1-10 Small to Medium-Sized Network Configuration Page Collapsed Backbone and Switch Cluster Configuration Large Campus Configuration Multidwelling Network Using Catalyst 2950 Switches Page Long-Distance, High-Bandwidth Transport Configuration Where to Go Next Page Using the Command-Line Interface IOS Command Modes Page Getting Help Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI from a Browser Getting Started with CMS Features 3-3 switch settings; read-only access for users allowed to only view switch settings uniform approach to viewing and setting configuration parameters 3-4 Front Panel View Cluster Tree Front-Panel Images Redundant Power System LED Port Modes and LEDs VLAN Membership Modes Topology View 3-10 Topology Icons Device and Link Labels Colors in the Topology View Topology Display Options Menus and Toolbar Menu Bar Page Page Page Page Toolbar Front Panel View Popup Menus Device Popup Menu Port Popup Menu Topology View Popup Menus Link Popup Menu Device Popup Menus Interaction Modes Guide Mode Expert Mode Wizards Tool Tips Online Help 3-26 CMS Window Components Host Name List Tabs, Lists, and Tables Icons Used in Windows Buttons Accessing CMS Access Modes in CMS HTTP Access to CMS Verifying Your Changes Change Notification Error Checking Saving Your Configuration Restoring Your Configuration CMS Preferences Using Different Versions of CMS Where to Go Next Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration Page Manually Assigning IP Information Checking and Saving the Running Configuration 4-11 4-12 Configuring IE2100 CNS Agents Understanding IE2100 Series Configuration Registrar Software CNS Configuration Service CNS Event Service NameSpace Mapper What You Should Know About ConfigID, DeviceID, and Host Name ConfigID DeviceID Host Name and DeviceID Using Host Name, DeviceID, and ConfigID Understanding CNS Embedded Agents Initial Configuration V Incremental (Partial) Configuration Synchronized Configuration Configuring CNS Embedded Agents Enabling Automated CNS Configuration Page Enabling the CNS Event Agent Enabling the CNS Configuration Agent Enabling an Initial Configuration Page Page Enabling a Partial Configuration Displaying CNS Configuration Page Page Clustering Switches Understanding Switch Clusters Command Switch Characteristics Standby Command Switch Characteristics Candidate Switch and Member Switch Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery through CDP Hops 6-7 Discovery through Non-CDP-Capable and Noncluster-Capable Devices Discovery through the Same Management VLAN Discovery through Different Management VLANs Discovery of Newly Installed Switches 6-12 HSRP and Standby Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Page Automatic Recovery of Cluster Configuration IP Addresses Host Names Passwords SNMP Community Strings TACACS+ and RADIUS Access Modes in CMS Management VLAN LRE Profiles Availability of Switch-Specific Features in Switch Clusters Creating a Switch Cluster Enabling a Command Switch Adding Member Switches Page Creating a Cluster Standby Group Page Verifying a Switch Cluster Using the CLI to Manage Switch Clusters Catalyst 1900 and Catalyst 2820 CLI Considerations Using SNMP to Manage Switch Clusters Page Administering the Switch Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Page TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Controlling Switch Access with RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Switch to Use Vendor-Specific RADIUS Attributes Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Displaying the RADIUS Configuration Configuring the Switch for Local Authentication and Authorization Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Page Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Creating an Access Group and Assigning a Basic IP Access List Disabling NTP Services on a Specific Interface Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Configuring a System Prompt Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Building the Address Table MAC Addresses and VLANs Default MAC Address Table Configuration Changing the Address Aging Time Removing Dynamic Address Entries Configuring MAC Address Notification Traps Page Adding and Removing Static Address Entries Adding and Removing Secure Addresses Displaying Address Table Entries Managing the ARP Table Page Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Configuring 802.1X Authentication Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication Enabling Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Enabling Multiple Hosts Resetting the 802.1X Configuration to the Default Values Displaying 802.1X Statistics and Status Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs Switch Ports Access Ports Trunk Ports EtherChannel Port Groups Connecting Interfaces Using the Interface Command Procedures for Configuring Interfaces Configuring a Range of Interfaces Page Configuring and Using Interface Range Macros Configuring Layer 2 Interfaces Default Layer 2 Ethernet Interface Configuration Configuring Interface Speed and Duplex Mode Configuration Guidelines Setting the Interface Speed and Duplex Parameters Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports Adding a Description for an Interface Monitoring and Maintaining the Interfaces Monitoring Interface and Controller Status 9-15 This example shows how to display the status of all interfaces: This example shows how to display the status of switching ports: This example shows how to display the running configuration of Fast Ethernet interface 0/2 : Table9-2 Show Commands for Interfaces (continued) Clearing and Resetting Interfaces and Counters Shutting Down and Restarting the Interface Page Configuring STP Understanding Spanning-Tree Features STP Overview Supported Spanning-Tree Instances Bridge Protocol Data Units Election of the Root Switch Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Page Blocking State Listening State Learning State Forwarding State Disabled State Spanning-Tree Address Management STP and IEEE 802.1Q Trunks Spanning Tree and Redundant Connectivity Accelerated Aging to Retain Connectivity Configuring Spanning-Tree Features Default STP Configuration STP Configuration Guidelines Page Disabling STP Configuring the Root Switch Page Configuring a Secondary Root Switch Configuring the Port Priority Configuring the Path Cost Page Configuring the Switch Priority of a VLAN Configuring the Hello Time Configuring the Forwarding-Delay Time for a VLAN Configuring the Maximum-Aging Time for a VLAN Configuring STP for Use in a Cascaded Stack Displaying the Spanning-Tree Status Page Configuring RSTP and MSTP Understanding RSTP Port Roles and the Active Topology Rapid Convergence Synchronization of Port Roles Bridge Protocol Data Unit Format and Processing Processing Superior BPDU Information Processing Inferior BPDU Information Topology Changes Understanding MSTP Multiple Spanning-Tree Regions IST, CIST, and CST Operations Within an MST Region Operations Between MST Regions Hop Count Boundary Ports Interoperability with 802.1D STP Configuring RSTP and MSTP Features Default RSTP and MSTP Configuration RSTP and MSTP Configuration Guidelines Specifying the MST Region Configuration and Enabling MSTP Configuring the Root Switch Page Configuring a Secondary Root Switch Configuring the Port Priority Configuring the Path Cost Configuring the Switch Priority Configuring the Hello Time Configuring the Forwarding-Delay Time Configuring the Maximum-Aging Time Configuring the Maximum-Hop Count Specifying the Link Type to Ensure Rapid Transitions Restarting the Protocol Migration Process Displaying the MST Configuration and Status Page Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Understanding BPDU Guard Understanding BPDU Filtering Understanding UplinkFast Understanding Cross-Stack UplinkFast How CSUF Works Events That Cause Fast Convergence Limitations Connecting the Stack Ports 12-9 Catalyst2950 Desktop Switch Software Configuration Guide 78-11380-05 2 34 5 6 78 9 10 910 910 910 Catalyst 2950G-48 2 3 4 5 6 78 9 10 1112 Understanding BackboneFast Page Understanding Root Guard Understanding Loop Guard Configuring Optional Spanning-Tree Features Default Optional Spanning-Tree Configuration Enabling Port Fast Enabling BPDU Guard Enabling BPDU Filtering Enabling UplinkFast for Use with Redundant Links Enabling Cross-Stack UplinkFast Enabling BackboneFast Enabling Root Guard Enabling Loop Guard Displaying the Spanning-Tree Status Page Configuring VLANs Understanding VLANs Supported VLANs VLAN Port Membership Modes Configuring Normal-Range VLANs Token Ring VLANs Normal-Range VLAN Configuration Guidelines VLAN Configuration Mode Options VLAN Configuration in config-vlan Mode VLAN Configuration in VLAN Configuration Mode Saving VLAN Configuration Default Ethernet VLAN Configuration Creating or Modifying an Ethernet VLAN Page Deleting a VLAN Assigning Static-Access Ports to a VLAN Configuring Extended-Range VLANs Default VLAN Configuration Extended-Range VLAN Configuration Guidelines Creating an Extended-Range VLAN Displaying VLANs Configuring VLAN Trunks Trunking Overview 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface VLAN Configuration Configuring an Ethernet Interface as a Trunk Port Interaction with Other Features Configuring a Trunk Port Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Load Sharing Using STP Load Sharing Using STP Port Priorities Page Load Sharing Using STP Path Cost Configuring VMPS Understanding VMPS Dynamic Port VLAN Membership VMPS Database Configuration File 13-27 Default VMPS Configuration Table13-6 shows the de fault VM PS and dy nami c po rt c on figuration on clie nt sw itch es. Table13-6 Default VMPS Client and Dynamic Port Configuration VMPS Configuration Guidelines Configuring the VMPS Client Entering the IP Address of the VMPS Configuring Dynamic Access Ports on VMPS Clients Reconfirming VLAN Memberships Changing the Reconfirmation Interval Changing the Retry Count Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership 13-32 VMPS Configuration Example Catalyst 2950 Switch 2 Catalyst 3500 XL Switch 9 Configuring VTP Understanding VTP The VTP Domain VTP Modes VTP Advertisements VTP Version 2 VTP Pruning Page Configuring VTP Default VTP Configuration VTP Configuration Options VTP Configuration in Global Configuration Modes VTP Configuration in VLAN Configuration Mode VTP Configuration Guidelines Domain Names Passwords Upgrading from Previous Software Releases VTP Version Configuring a VTP Server Page Configuring a VTP Client Disabling VTP (VTP Transparent Mode) Enabling VTP Version 2 Enabling VTP Pruning Adding a VTP Client Switch to a VTP Domain Monitoring VTP Configuring Voice VLAN Understanding Voice VLAN Configuring Voice VLAN Default Voice VLAN Configuration Voice VLAN Configuration Guidelines Configuring a Port to Connect to a Cisco 7960 IP Phone Configuring Ports to Carry Voice Traffic in 802.1Q Frames Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames Overriding the CoS Priority of Incoming Data Frames Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames Displaying Voice VLAN Configuring IGMP Snooping and MVR Understanding IGMP Snooping Joining a Multicast Group Page Leaving a Multicast Group Immediate-Leave Processing Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling or Disabling IGMP Snooping Setting the Snooping Method Configuring a Multicast Router Port Configuring a Host Statically to Join a Group Enabling IGMP Immediate-Leave Processing Displaying IGMP Snooping Information Page Page Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application Page Configuring MVR Default MVR Configuration MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters Configuring MVR Interfaces Page Displaying MVR Information Configuring IGMP Filtering Default IGMP Filtering Configuration Configuring IGMP Profiles Applying IGMP Profiles Setting the Maximum Number of IGMP Groups Displaying IGMP Filtering Configuration Page Configuring Port-Based Traffic Control Configuring Storm Control Understanding Storm Control Default Storm Control Configuration Enabling Storm Control Disabling Storm Control Configuring Protected Ports Configuring Port Security Understanding Port Security Secure MAC Addresses Security Violations Default Port Security Configuration Port Security Configuration Guidelines Enabling and Configuring Port Security Page Page Enabling and Configuring Port Security Aging Page Displaying Port-Based Traffic Control Settings Configuring UDLD Understanding UDLD Page Configuring UDLD Default UDLD Configuration Enabling UDLD Globally Enabling UDLD on an Interface Resetting an Interface Shut Down by UDLD Displaying UDLD Status Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page Configuring SPAN and RSPAN Understanding SPAN and RSPAN Page SPAN and RSPAN Concepts and Terminology SPAN Session Traffic Types Source Port Destination Port Reflector Port SPAN Traffic SPAN and RSPAN Interaction with Other Features SPAN and RSPAN Session Limits Default SPAN and RSPAN Configuration Configuring SPAN SPAN Configuration Guidelines Creating a SPAN Session and Specifying Ports to Monitor Page Removing Ports from a SPAN Session Configuring RSPAN RSPAN Configuration Guidelines Creating an RSPAN Session Creating an RSPAN Destination Session Removing Ports from an RSPAN Session Displaying SPAN and RSPAN Status Configuring RMON Understanding RMON Configuring RMON Default RMON Configuration Configuring RMON Alarms and Events Page Configuring RMON Collection on an Interface Displaying RMON Status Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Page Synchronizing Log Messages Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Page Limiting Syslog Messages Sent to the History Table and to SNMP Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables SNMP Notifications Configuring SNMP Default SNMP Configuration SNMP Configuration Guidelines Disabling the SNMP Agent Configuring Community Strings Configuring SNMP Groups and Users Page Configuring SNMP Notifications Page Page Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP SNMP Examples Displaying SNMP Status Page Configuring Understanding ACLs Handling Fragmented and Unfragmented Traffic Understanding Access Control Parameters Page Guidelines for Applying ACLs to Physical Interfaces Configuring ACLs Unsupported Features Creating Standard and Extended IP ACLs ACL Numbers Creating a Numbered Standard ACL Creating a Numbered Extended ACL Page Page Creating Named Standard and Extended ACLs Page Applying Time Ranges to ACLs Page Including Comments About Entries in ACLs Creating Named MAC Extended ACLs Creating MAC Access Groups Applying ACLs to Terminal Lines or Physical Interfaces Applying ACLs to a Terminal Line Applying ACLs to a Physical Interface Displaying ACL Information Displaying ACLs Displaying Access Groups Examples for Compiling ACLs Page Numbered ACL Examples Extended ACL Examples Named ACL Example Commented IP ACL Entry Examples Page Configuring Understanding QoS Basic QoS Model Classification Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Mapping Tables Queueing and Scheduling How Class of Service Works Port Priority Port Scheduling CoS and WRR Configuring QoS Default QoS Configuration Configuration Guidelines Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain Page Configuring the CoS Value for an Interface Configuring Trusted Boundary Page Enabling Pass-Through Mode Configuring a QoS Policy Classifying Traffic by Using ACLs Page Page Page Classifying Traffic by Using Class Maps Classifying, Policing, and Marking Traffic by Using Policy Maps Page Page 25-24 All the maps are globally defined. Configuring CoS Maps Note This feature is available only if your switch is running the EI . This section describes how to configure the CoS maps: Configuring the CoS-to-DSCP Map, page 25-25 Configuring the DSCP-to-CoS Map, page 25-26 Configuring the CoS-to-DSCP Map Configuring the DSCP-to-CoS Map Configuring CoS and WRR Configuring CoS Priority Queues Configuring WRR Displaying QoS Information 25-29 QoS Configuration Examples QoS Configuration for the Existing Wiring Closet QoS Configuration for the Intelligent Wiring Closet Page Page Configuring EtherChannels Understanding EtherChannels Understanding Port-Channel Interfaces Understanding the Port Aggregation Protocol PAgP Modes Physical Learners and Aggregate-Port Learners PAgP Interaction with Other Features Understanding Load Balancing and Forwarding Methods Page Configuring EtherChannels Default EtherChannel Configuration EtherChannel Configuration Guidelines Configuring Layer 2 EtherChannels Page Configuring EtherChannel Load Balancing Configuring the PAgP Learn Method and Priority Displaying EtherChannel and PAgP Status Page Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Recovering from a Lost or Forgotten Password Page Recovering from a Command Switch Failure Replacing a Failed Command Switch with a Cluster Member Replacing a Failed Command Switch with Another Switch Recovering from Lost Member Connectivity Preventing Autonegotiation Mismatches GBIC Module Security and Identification Using Debug Commands Enabling Debugging on a Specific Feature Enabling All-System Diagnostics Redirecting Debug and Error Message Output Using the crashinfo File A Supported MIBs MIB List Using FTP to Access the MIB Files INDEX Numerics A Page B C Page Page D E F G H I Page J L M Page N O P Page Q R Page S Page Page Page T U V Page W X