Section 11-8. 802.1X Port Authentication

  • On most switches, ports are enabled by default and anyone who can plug into the port gains access to the network.

  • Port security using MAC addresses can control which devices can access a network on a given port but must be reconfigured if a device is moved.

  • 802.1X provides a standard method for authorizing ports using client certificates or usernames.

  • 802.1X uses a RADIUS server to provide authorization of a port for use.

  • Until an 802.1X port is authorized, it cannot be used to pass user traffic.

  • In 802.1X, the switch acts as a proxy between the client and the server to pass authentication information.

Configuration

To configure 802.1X port authentication, use the following steps.

1. Enable 802.1X authentication globally:

   COS:
     set dot1x system-auth-control enable

   IOS:
     N/A

On a COS switch, you must first enable the 802.1X authentication process globally on the switch before you can configure the ports for authorization.

2. Specify the RADIUS server and key:

   COS:
     set radius server address
     set radius key string

   IOS:
     (global) radius-server host address key string

Because the 802.1X process relies on a RADIUS server, you must configure the switch with the address of the RADIUS server and the key used on the server.

3. Create an authentication, authorization, accounting (AAA) model:

   COS:
     N/A

   IOS:
     (global) aaa new-model
     (global) aaa authentication dot1x default group radius

For the IOS switch, you will enable 802.1X authentication by creating an AAA model using the commands listed.

4. Enable 802.1X on the port:

   COS:
     set port dot1x mod/port port-control auto

   IOS:
     (interface) dot1x port-control {auto | force-authorized | force-unauthorized}

After completing the previous steps, you can configure a port for 802.1X authorization. When a port is configured for 802.1X authentication, it will not pass user traffic until a RADIUS server sends authorization for the port.

Feature Example

This example shows the configuration for Ethernet port 3/6 to provide 802.1X authentication for a client using the RADIUS server 10.1.1.1 with a key string of funhouse.

An example of the Catalyst OS configuration follows:

 Catalyst (enable)>set dot1x system-auth-control enable
 Catalyst (enable)>set radius server 10.1.1.1
 Catalyst (enable)>set radius key funhouse
 Catalyst (enable)>set port dot1x 3/6 port-control auto

An example of the Supervisor IOS configuration follows:

 Switch(config)#radius-server host 10.1.1.1 key funhouse
 Switch(config)#aaa new-model
 Switch(config)#aaa authentication dot1x default group radius
 Switch(config)#interface fastethernet 3/6
 Switch(config-if)#dot1x port-control auto
 Switch(config-if)#end
 Switch#copy running-config startup-config
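As an added example that is not part of the book, the following Python audits an IOS running-config for the commands in steps 2 through 4 and flags any port whose port-control is not auto, since force-authorized or a missing dot1x command leaves the port passing user traffic with no RADIUS authorization. The config text inside it is a constructed sample, not one from the page.

```python
import re

# Constructed sample config (not from the book): one port enforcing
# 802.1X, one left force-authorized, one with no dot1x command at all.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 key funhouse
interface FastEthernet3/6
 dot1x port-control auto
interface FastEthernet3/7
 dot1x port-control force-authorized
interface FastEthernet3/8
 switchport access vlan 10
"""

# Global commands from steps 2 and 3 that must be present before
# "dot1x port-control auto" actually consults a RADIUS server.
GLOBAL_REQUIRED = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
)

def audit_dot1x(config: str) -> dict:
    """Report missing global commands, RADIUS servers, and each port's dot1x state."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    report = {"missing_global": [], "radius_servers": [], "interfaces": {}}
    for cmd in GLOBAL_REQUIRED:
        if cmd not in lines:
            report["missing_global"].append(cmd)
    current = None
    for ln in lines:
        m = re.match(r"radius-server host (\S+)", ln)
        if m:
            report["radius_servers"].append(m.group(1))
            continue
        m = re.match(r"interface (\S+)", ln)
        if m:
            current = m.group(1)
            report["interfaces"][current] = "no-dot1x"  # until a dot1x line is seen
            continue
        m = re.match(r"\s+dot1x port-control (\S+)", ln)
        if m and current:
            report["interfaces"][current] = m.group(1)
    return report

def ports_not_enforcing(report: dict) -> list:
    """Ports that pass user traffic without RADIUS authorization: any state but 'auto'."""
    return sorted(p for p, state in report["interfaces"].items() if state != "auto")
```

Run it against the output of show running-config to list the ports that still need dot1x port-control auto.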



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150