10-43
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Configuring 802.1x Authentication
To configure 802.1x port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.
This is the 802.1x AAA process:
Step1 A user connects to a port on the switch.
Step2 Authentication is performed.
Step3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step4 The switch sends a start message to an accounting server.
Step5 Re-authentication is performed, as necessary.
Step6 The switch sends an interim accounting update to the accounting server, that is based on the result of
re-authentication.
Step3 aaa authentication dot1x {default}
method1
Create an 802.1x authentication method list.
To create a default list to use when a named list is not specified in the
authentication command, use the default keyword followed by the
method that is to be used in default situations. The default method list is
automatically applied to all ports.
For method1, enter the group radius keywords to use the list of all
RADIUS servers for authentication.
Note Though other keywords are visible in the command-line help
string, only the group radius keywords are supported.
Step4 interface interface-id Specify the port connected to the client that is to be enabled for802.1x
authentication, and enter interface configuration mode.
Step5 switchport mode access Set the port to access mode.
Step6 authentication violation shutdown |
restrict | protect | replace}
or
dot1x violation-mode {shutdown |
restrict | protect}
Configure the violation mode. The keywords have these meanings:
shutdown–Error disable the port.
restrict–Generate a syslog error.
protect–Drop packets from any new device that sends traffic to the
port.
replace–Removes the current session and authenticates with the new
host.
Step7 end Return to privileged EXEC mode.
Step8 show authentication
or
show dot1x
Verify your entries.
Step9 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose