Configuring Port-Based and User-Based Access Control (802.1X)

802.1X Open VLAN Mode

3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch.

Syntax: radius host < ip-address > [oobm]

Adds a server to the RADIUS configuration.

For switches that have a separate out-of-band management port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.

[key < server-specific key-string >]

Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key.

Syntax: radius-server key < global key-string >

Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key.

4. Activate authentication on the switch.

Syntax: aaa port-access authenticator active

Activates 802.1X port-access on ports you have configured as authenticators.

5. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.

Note

If you want to implement the optional port-security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices” on page 10-45.

After you complete steps 1 and 2, the configured ports are enabled for 802.1X authentication (without VLAN operation), and you are ready to configure VLAN Operation.
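A pre-test check for steps 3 and 4, as an added example (not from the original manual or the switch vendor): it reads a saved configuration and reports RADIUS hosts that end up with no encryption key under the server-specific/global key rule, more than three hosts, or a missing activation command. The function name, the sample addresses and key strings, and acceptance of a "radius-server host" spelling are assumptions.

```python
import re

MAX_SERVERS = 3  # "up to three RADIUS server IP address(es)"
ACTIVATE = "aaa port-access authenticator active"
# Host line as given on this page: radius host <ip> [oobm] [key <string>].
# Assumption: a saved config may spell it "radius-server host", so both match.
HOST_RE = re.compile(r"^radius(?:-server)? host (\S+)( oobm)?(?: key (\S+))?$")
GLOBAL_RE = re.compile(r"^radius-server key (\S+)$")

# Constructed sample; addresses and key strings are placeholders.
SAMPLE_CONFIG = """\
radius host 10.10.10.1 key example-key-A
radius host 10.10.10.2 oobm
radius host 10.10.10.3
aaa port-access authenticator active
"""

def audit(config):
    """Return ({ip: key source}, [findings]) without echoing key values."""
    hosts, has_global, active = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            hosts.append((host.group(1), host.group(3) is not None))
        elif GLOBAL_RE.match(line):
            has_global = True
        elif line == ACTIVATE:
            active = True
    sources, findings = {}, []
    if len(hosts) > MAX_SERVERS:
        findings.append(f"{len(hosts)} RADIUS hosts configured, limit is {MAX_SERVERS}")
    for ip, has_own_key in hosts:
        # Server-specific key wins; otherwise the global key applies.
        sources[ip] = "server" if has_own_key else "global" if has_global else None
        if sources[ip] is None:
            findings.append(f"{ip}: no server-specific key and no global key")
    if not active:
        findings.append("802.1X port-access not activated")
    return sources, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```

Run it against the configuration before the step 5 access tests, so that a failed test caused by a missing key is not mistaken for a supplicant or server problem.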
