Configuring Port-Based and User-Based Access Control (802.1X)

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches

Supplicant Port Configuration

Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any supplicant -related parameters.

Syntax: [no] aaa port-access supplicant [ethernet] < port-list>

Configures a port as a supplicant with either the default supplicant settings or any previously configured supplicant set- tings, whichever is most recent. The “no” form of the command disables supplicant operation on the specified ports.

Configuring a Supplicant Switch Port. You must enable supplicant operation on a port before changing the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure. If the intended authenticator port uses RADIUS authentication, then use the identity and secret options to configure the RADIUS-expected credentials on the supplicant port. If the intended authenticator port uses Local 802.1X authentication, then use the identity and secret options to configure the authenticator switch’s local username and password on the supplicant port.

Syntax: aaa port-access supplicant [ethernet] < port-list>

To enable supplicant operation on the designated ports, execute this command without any other parameters. After doing this, you can use the command again with the following parameters to configure supplicant operAtion. (Use one instance of the command for each parameter you want to configure The no form disables supplicant operation on the designated port(s).

[identity < username >]

Sets the username and password to pass to the authenticator port when a challenge-request packet is received from the authenticator port due to an authentication request. If the intended authenticator port is configured for RADIUS authentication, then < username > and < password > must be the username and password expected by the RADIUS server. If the intended authenticator port is configured for Local authentication, then < username > and < password > must be the username and password configured on the Authenticator switch. (Default: Null.)

10-49