Support User Manuals

Cisco Systems 3560 Frozen Dessert Maker User Manual

Open as PDF

of 1288

10-37

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

Configuring 802.1x Authentication

To configure 802.1x port-based authentication, you must enable authentication, authorization, and

accounting (AAA) and specify the authentication method list. A method list describes the sequence and

authentication method to be queried to authenticate a user.

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the

switch for all network-related service requests.

This is the 802.1x AAA process:

Step 1 A user connects to a port on the switch.

Step 2 Authentication is performed.

Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.

Step 4 The switch sends a start message to an accounting server.

Step 5 Re-authentication is performed, as necessary.

Step 6 The switch sends an interim accounting update to the accounting server, that is based on the result of

re-authentication.

Step 7 The user disconnects from the port.

Step 8 The switch sends a stop message to the accounting server.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

aaa new-model Enable AAA.

Step 3

aaa authentication dot1x {default}

method1

Create an 802.1x authentication method list.

To create a default list to use when a named list is not specified in the

authentication command, use the default keyword followed by the

method to use in default situations. The default method list is

automatically applied to all ports.

For method1, enter the group radius keywords to use the list of all

RADIUS servers for authentication.

Note Though other keywords are visible in the command-line help

string, only the group radius keywords are supported.

Step 4

dot1x system-auth-control Enable 802.1x authentication globally on the switch.

Step 5

aaa authorization network {default}

group radius

(Optional) Configure the switch to use user-RADIUS authorization for all

network-related service requests, such as per-user ACLs or VLAN

assignment.

For per-user ACLs, single-host mode must be configured. This setting is

the default.

Step 6

radius-server host ip-address (Optional) Specify the IP address of the RADIUS server.

Step 7

radius-server key string (Optional) Specify the authentication and encryption key used between

the switch and the RADIUS daemon running on the RADIUS server.

previous next