Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Ensure that the switch is connected to a RADIUS server configured to support authentication requests from clients using ports configured as 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.)

Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.

Caution

Ensure that you do not introduce a security risk by allowing Unauthorized-Client VLAN access to network services or resources that could be compromised by an unauthorized client.

Configuring General 802.1X Operation: These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation.

1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the (default) port-control parameter is set to auto. (Refer to “1. Enable 802.1X Authentication on Selected Ports” on page 8-15.) This setting requires a client to support 802.1X authentication (with 802.1X supplicant operation) and to provide valid credentials to get network access.

Syntax: aaa port-access authenticator e < port-list > control auto

Activates 802.1X port-access on ports you have configured as authenticators.

2. Configure the 802.1X authentication type. Options include:

Syntax: aaa authentication port-access < local | eap-radius | chap-radius >

Determines the type of RADIUS authentication to use.

local: Use the switch’s local username and password for supplicant authentication (the default).

eap-radius: Use EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server.)

chap-radius: Use CHAP-RADIUS (MD5) authentication. (Refer to the documentation for your RADIUS server software.)
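The two settings from steps 1 and 2 can be checked in saved configuration text. The following Python script is an added example, not part of the HP manual: it reports when the authentication type is local and lists authenticator ports whose port-control value is not auto. The sample configuration is constructed from the command syntax shown above, and the function names, the `control authorized` line and the assumption that the switch writes these lines in this form are illustrative.

```python
import re

# Constructed sample in the command syntax shown above; not output from a real switch.
SAMPLE_CONFIG = """\
aaa authentication port-access local
aaa port-access authenticator e A1-A4
aaa port-access authenticator e A3 control authorized
aaa port-access authenticator e B1,B2 control auto
"""

AUTH_RE = re.compile(r"^aaa authentication port-access (\S+)")
# The port list must contain a digit, so other keywords are not mistaken for ports.
PORT_RE = re.compile(r"^aaa port-access authenticator (?:e |ethernet )?(\S*\d\S*)(?: control (\S+))?$")


def expand_ports(port_list):
    """Expand 'A1-A4,B2' into ['A1', 'A2', 'A3', 'A4', 'B2']."""
    ports = []
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-\1(\d+)", item)
        if m:
            ports += [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]
        else:
            ports.append(item)
    return ports


def audit(config_text):
    """Return (auth_method, {port: control}, findings) for the 802.1X lines."""
    method = "local"   # the default authentication type, per step 2
    control = {}       # authenticator port -> port-control value
    for line in map(str.strip, config_text.splitlines()):
        if m := AUTH_RE.match(line):
            method = m.group(1)
        elif m := PORT_RE.match(line):
            for port in expand_ports(m.group(1)):
                # A line without "control" keeps the current value (default: auto).
                control[port] = m.group(2) or control.get(port, "auto")
    findings = []
    if method == "local":
        findings.append("authentication type is local: all clients share the switch passwords")
    for port, value in sorted(control.items()):
        if value != "auto":
            findings.append(f"port {port}: control is {value}, not auto")
    return method, control, findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)[2]))
```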

HP 4100gl, 2650 (J4899A/B), 6108