11-44
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to
use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the
RADIUS server:
Switch(config)# radius-server host 172.l20.39.46 auth-port 1612 key rad123
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using the radius-server host global configuration command. If you want to configure these
options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the
radius-server key global configuration commands. For more information, see the “Configuring Settings
for All RADIUS Servers” section on page 10-35.
You also need to configure some settings on the RADIUS server. These settings include the IP address
of the switch and the key string to be shared by both the server and the switch. For more information,
see the RADIUS server documentation.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an
IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to
auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA),
which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same
switch port. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to which multiple hosts are indirectly attached, and enter
interface configuration mode.
Step 3 authentication host-mode [multi-auth |
multi-domain | multi-host |
single-host]
or
dot1x host-mode {multi-host |
multi-domain}
Allow multiple hosts (clients) on an 802.1x-authorized port.
The keywords have these meanings:
multi-auth–Allow one client on the voice VLAN and multiple
authenticated clients on the data VLAN.
Note The multi-auth keyword is only available with the
authentication host-mode command.
multi-host–Allow multiple hosts on an 802.1x-authorized port after
a single host has been authenticated.
multi-domain–Allow both a host and a voice device, such as an IP
phone (Cisco or non-Cisco), to be authenticated on an
IEEE 802.1x-authorized port.
Note You must configure the voice VLAN for the IP phone when the
host mode is set to multi-domain. For more information, see
Chapter 17, “Configuring Voice VLAN.
Make sure that the dot1x port-control interface configuration command
set is set to auto for the specified interface.
Step 4 end Return to privileged EXEC mode.