To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.
To allow per-user ACLs andVLAN assignment, you need to enable AAA authorization to configure the switch for all network-related service requests.
Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication. This procedure is required.
|
Command |
Purpose | |
|---|---|---|
|
Step 1 |
configure terminal |
Enter global configuration mode. |
|
Step 2 |
aaa new-model |
Enable AAA. |
|
Step 3 |
aaa authentication dot1x {default} method1 [method2...] |
Create an 802.1X authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. Enter at least one of these keywords: • • |
|
Step 4 |
aaa authorization network {default} group radius |
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment. Note |
|
Step 5 |
aaa authorization config-commands |
(Optional) Configure the switch to allow per-user ACLs by enabling configuration mode commands. |
|
Step 6 |
interface interface-id |
Enter interface configuration mode, and specify the interface connected to the client that is to be enabled for 802.1X authentication. |
|
Step 7 |
dot1x port-control auto |
Enable 802.1X authentication on the interface. For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports, see the "802.1X Configuration Guidelines" section. |
|
Step 8 |
end |
Return to privileged EXEC mode. |
|
Step 9 |
show dot1x |
Verify your entries. Check the Status column in the 802.1X Port Summary section of the display. An enabled status means the port-control value is set either to auto or to force-unauthorized. |
|
Step 10 |
copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1X AAA authorization, use the no aaa authorization global configuration command. To disable 802.1X authentication, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command.
This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
group radius—Use the list of all RADIUS servers for authentication.