10-63
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Configuring an Authenticator and a Supplicant Switch with NEAT
Configuring this feature requires that one switch outside a wiring closet is configured as a supplicant and
is connected to an authenticator switch.
For overview information, see the “802.1x Supplicant and Authenticator Switches with Network Edge
Access Topology (NEAT)” section on page10-33.
Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the
interface as a trunk after the supplicant is successfully authenticated.
Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:
This example shows how to configure a switch as an 802.1x authenticator:
Switch# configure terminal
Switch(config)# cisp enable
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast trunk
Beginning in privileged EXEC mode, follow these steps to configure a switch as a supplicant:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 cisp enable Enable CISP.
Step3 interface interface-id Specify the port to be configured, and enter interface configuration
mode.
Step4 switchport mode access Set the port mode to access.
Step5 authentication port-control auto Set the port-authentication mode to auto.
Step6 dot1x pae authenticator Configure the interface as a port access entity (PAE) authenticator.
Step7 spanning-tree portfast Enable Port Fast on an access port connected to a single workstation or
server.
Step8 end Return to privileged EXEC mode.
Step9 show running-config interface
interface-id
Verify your configuration.
Step10 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 cisp enable Enable CISP.
Step3 dot1x credentials profile Create 802.1x credentials profile. This must be attached to the port that
is configured as supplicant.
Step4 username suppswitch Create a username.