Configuring Port-Based and User-Based Access Control (802.1X)

Overview

Overview

Feature

Default

Menu

CLI

Web

 

 

 

 

 

Configuring Switch Ports as 802.1X Authenticators Configuring 802.1X Open VLAN Mode

Configuring Switch Ports to Operate as 802.1X Supplicants Displaying 802.1X Configuration, Statistics, and Counters How 802.1X Affects VLAN Operation

RADIUS Authentication and Accounting

Disabled

n/a

page 10-18

n/a

Disabled

n/a

page 10-29

n/a

Disabled

n/a

page 10-47

n/a

n/a

n/a

page 10-51

n/a

n/a

n/a

page 10-65

n/a

Refer to chapter 5, “RADIUS Authentication, Authorization, and Accounting”

Why Use Port-Based or User-Based Access Control?

Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP services and zero configuration make access to networking services easily available. This exposes the network to unauthorized use and malicious attacks. While access to the network should be made easy, uncontrolled and unauthorized access is usually not desirable. 802.1X simplifies security management by providing access control along with the ability to control user profiles from up to three RADIUS servers while allowing a given user to use the same entering valid user credentials for access from multiple points within the network.

General Features

802.1X on the switches covered in this guide includes the following:

Switch operation as both an authenticator (for supplicants having a point- to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.

Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP protocol.

Provision for enabling clients that do not have 802.1 supplicant soft- ware to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).

User-Based access control option with support for up to 32 authenti- cated clients per-port.

10-3