Configuring Port-Based and User-Based Access Control (802.1X)

802.1X Open VLAN Mode

 

Note that as an alternative, you can configure the switch to use local

 

password authentication instead of RADIUS authentication. However,

 

this is less desirable because it means that all clients use the same

 

passwords and have the same access privileges. Also, you must use 802.1X

 

supplicant software that supports the use of local switch passwords.

 

 

C a u t i o n

Ensure that you do not introduce a security risk by allowing Unauthorized-

 

Client VLAN access to network services or resources that could be compro-

 

mised by an unauthorized client.

 

 

Configuring General 802.1X Operation: These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation.

1.Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the port-control parameter is set to auto (the default). (Refer to “1. Enable 802.1X Authentication on Selected Ports” on page 10-19.)This setting requires a client to support 802.1X authentication (with 802.1X supplicant operation) and to provide valid credentials to get network access.

Syntax: aaa port-access authenticator < port-list> control auto

Activates 802.1X port-access on ports you have configured as authenticators.

2.Configure the 802.1X authentication type. Options include:

Syntax: aaa authentication port-access < local eap-radius chap-radius >

Determines the type of RADIUS authentication to use.

local: Use the switch’s local username and password for supplicant authentication (the default).

eap-radiusUse EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server.

chap-radiusUse CHAP-RADIUS (MD5) authentication. (Refer to the documentation for your RADIUS server software.)

10-41