Configuring Port-Based and User-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

4. Enter the RADIUS Host IP Address(es)

If you select either eap-radiusor chap-radiusfor the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to chapter 5, “RADIUS Authen- tication, Authorization, and Accounting”.

Syntax: radius host < ip-address> [oobm]

Adds a server to the RADIUS configuration.

For switches that have a separate out-of-band management port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.

[key < server-specific key-string >]

Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key.

Syntax: radius-server key < global key-string>

Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server- specific encryption key.

5. Enable 802.1X Authentication on the Switch

After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:

Syntax: aaa port-access authenticator active

Activates 802.1X port-access on ports you have configured as authenticators.

10-25