CHAPTER 29
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Understanding and Configuring 802.1X Port-Based Authentication
This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized
client devices from gaining access to the network.
This chapter includes the following major sections:
Understanding 802.1X Port-Based Authentication
How to Configure 802.1X
Displaying 802.1X Statistics and Status
Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the
Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.

Understanding 802.1X Port-Based Authentication

The 802.1X standard defines port-based authentication as a client-server access control and
authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly
accessible ports. An authentication server validates each supplicant (client) connected to an
authenticator (network access switch) port before any services offered by the switch or the LAN are
made available.
Note: 802.1X support requires an authentication server that is configured for Remote Authentication Dial-In
User Service (RADIUS). 802.1X authentication does not work unless the network access switch can
route packets to the configured authentication RADIUS server. To verify that the switch can route
packets, you must ping the server from the switch.
Until a client is authenticated, only Extensible Authentication Protocol over LAN (EAPOL) traffic is
allowed through the port to which the client is connected. After authentication succeeds, normal traffic
can pass through the port.
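The port behavior described above can be modelled as a frame filter. The following is an added example, not code from this guide or from the switch software: `classify` and `Port` are hypothetical names, the frames are constructed samples, and the EtherType (0x888E) and PAE group address come from the IEEE 802.1X standard rather than from this chapter.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # EtherType assigned to EAPOL by IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def classify(frame: bytes):
    """Return (ethertype, EAPOL packet type name or None) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_EAPOL:
        return ethertype, None
    body = frame[14:]
    if len(body) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack_from("!BBH", body)
    if length > len(body) - 4:
        raise ValueError("EAPOL body length exceeds frame")
    return ethertype, EAPOL_TYPES.get(ptype, "unknown")


class Port:
    """Simplified model of an 802.1X-controlled access port (assumption, illustrative)."""

    def __init__(self):
        self.authorized = False  # set to True once the authentication server accepts the client

    def admit(self, frame: bytes) -> bool:
        try:
            _, eapol_type = classify(frame)
        except ValueError:
            return False  # malformed frames are dropped in either state
        # Unauthorized port: only EAPOL passes. Authorized port: normal traffic passes.
        return self.authorized or eapol_type is not None


# Constructed sample frames (not captured traffic).
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
CLIENT = bytes.fromhex("020000000001")      # locally administered sample MAC
EAPOL_START = PAE_GROUP + CLIENT + bytes.fromhex("888e01010000")
ARP_REQUEST = b"\xff" * 6 + CLIENT + bytes.fromhex("0806") + bytes(28)

if __name__ == "__main__":
    port = Port()
    print(port.admit(EAPOL_START), port.admit(ARP_REQUEST))
    port.authorized = True
    print(port.admit(ARP_REQUEST))
```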
To configure 802.1X port-based authentication, you need to understand the concepts in these sections:
Device Roles
802.1x and Network Access Control