29-19
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
Refer to the following Cisco IOS security documentation for information on how to configure AAA
system accounting:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
Configuring RADIUS-Provided Session Timeouts
You can configure the Catalyst 4500 series switch to use a RADIUS-provided reauthentication timeout.
To configure RADIUS-provided timeouts, perform this task:

        Command                                                            Purpose
Step 1  Switch# configure terminal                                         Enters global configuration mode.
Step 2  Switch(config)# interface interface-id                             Enters interface configuration mode.
Step 3  Switch(config-if)# dot1x timeout reauth-period {seconds | server}  Sets the re-authentication period (seconds).
Step 4  Switch(config-if)# end                                             Returns to privileged EXEC mode.
Step 5  Switch# show dot1x interface interface-id                          Verifies your entries.
Step 6  Switch# copy running-config startup-config                         (Optional) Saves your entries in the configuration file.

This example shows how to configure the switch to derive the re-authentication period from the server:
Switch# configure terminal
Switch(config)# interface fa3/1
Switch(config-if)# dot1x timeout reauth-period server
Switch(config-if)# end
Switch# show dot1x interface fa3/1

Enabling 802.1X Accounting
Note: If you plan to implement system-wide accounting, you should also configure 802.1X accounting.
Moreover, you need to inform the accounting server of the system reload event when the system is
reloaded. Doing this ensures that the accounting server knows that all outstanding 802.1X sessions on
this system are closed.
After you configure 802.1X authentication and switch-to-RADIUS server communication, perform this
task to enable 802.1X accounting:

        Command                                                               Purpose
Step 1  Switch# configure terminal                                            Enters global configuration mode.
Step 2  Switch(config)# aaa accounting dot1x default start-stop group radius  Enables 802.1X accounting, using the list of all RADIUS servers.
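
An added example (not from the Cisco guide): a Python check over a saved running-config that reports whether the 802.1X accounting command shown above is present and which 802.1X ports do not take their re-authentication period from the RADIUS server. The sample configuration is constructed; identifying 802.1X ports by `dot1x port-control auto` and treating a locally set timer as a finding are assumptions of this example.

```python
# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting dot1x default start-stop group radius
!
interface FastEthernet3/1
 dot1x port-control auto
 dot1x timeout reauth-period server
!
interface FastEthernet3/2
 dot1x port-control auto
 dot1x timeout reauth-period 3600
!
interface FastEthernet3/3
 switchport mode access
!
"""

ACCOUNTING = "aaa accounting dot1x default start-stop group radius"
SERVER_TIMER = "dot1x timeout reauth-period server"
DOT1X_PORT = "dot1x port-control auto"  # assumption: marks an 802.1X port


def audit(config):
    """Return accounting state and 802.1X ports not using the server timer."""
    accounting_on = False
    ports, current = {}, None
    for line in config.splitlines():
        normalized = " ".join(line.split())
        if line.startswith("interface "):
            current = normalized.split(" ", 1)[1]
            ports[current] = []
        elif line.startswith(" ") and current:
            ports[current].append(normalized)  # sub-command of the interface
        else:
            current = None  # any other top-level line closes the block
            accounting_on = accounting_on or normalized == ACCOUNTING
    local_timer = sorted(
        name for name, cmds in ports.items()
        if DOT1X_PORT in cmds and SERVER_TIMER not in cmds
    )
    return {"accounting_enabled": accounting_on, "local_reauth_timer": local_timer}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```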