Configuring 802.1X ··· 321
  802.1X overview ··· 321
  802.1X architecture ··· 321
  Access control methods ··· 321
  Controlled/uncontrolled port and port authorization status ··· 322
  Packet formats ··· 322
  EAP over RADIUS ··· 323
  Initiating 802.1X authentication ··· 324
  802.1X authentication procedures ··· 325
  802.1X timers ··· 328
  Using 802.1X authentication with other features ··· 329
  Configuration prerequisites ··· 331
  Recommended configuration procedure ··· 332
  Configuring 802.1X globally ··· 332
  Configuring 802.1X on a port ··· 333
  Configuring an 802.1X guest VLAN ··· 335
  Configuring an
Configuring AAA ··· 352
  Overview ··· 352
  AAA application ··· 352
  Configuration prerequisites ··· 353
  Recommended configuration procedure ··· 353
  Configuring an ISP domain ··· 354
  Configuring authentication methods for the ISP domain ··· 355
  Configuring authorization methods for the ISP domain ··· 356
  Configuring accounting methods for the ISP domain ··· 357
  AAA configuration example ··· 359
Configuring RADIUS ··· 363
  Overview ··· 363
  Client/server model ··· 363
  Security and authentication mechanisms ··· 364
  Basic RADIUS message exchange process ··· 364
  RADIUS packet format ··· 365
  Extended RADIUS attributes ··· 367
  Protocols and standards ··· 368
  Configuring a RADIUS scheme ··· 368
  Configuring common parameters ··· 369
  Adding RADIUS servers ··· 373
  RADIUS configuration example ··· 374
  Configuration guidelines ··· 378
Configuring users ··· 380
  Configuring a local user ··· 380
  Configuring a user group ··· 382
Managing certificates ··· 384
  Overview ··· 384
  PKI terms ··· 384
  PKI architecture ··· 384
  How PKI works ··· 385