Chapter 54: 802.1x Port-based Network Access Control
736 Section VIII: Port Security
Configuring Authenticator Ports
Designating
Authenticator
Ports
Before configuring authenticator ports, you have to designate them with
one of three DOT1X PORT-CONTROL commands. The command you
use is determined by whether or not the switch is part of an active network.
If the switch is not part of an active network or is not forwarding traffic, you
can use the DOT1X PORT-CONTROL AUTO command to designate the
authenticator ports. This command designates ports such that they
immediately begin to function as authenticator ports, blocking all traffic
until supplicants log on to the RADIUS server. This example of the
command configures ports 1 and 5 to immediately commence functioning
as authenticator ports.
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1,port1.0.5
awplus(config-if)# dot1x port-control auto
Using the DOT1X PORT-CONTROL AUTO command when the switch is
part of a live network interrupts network operations because the
designated ports stop forwarding traffic until the clients log on. If your
switch is part of an active network, the DOT1X PORT-CONTROL FORCE-
UNAUTHORIZED command would probably be more appropriate
because the authenticator ports continue forwarding packet without any
authentication. This example of the command designates port 16 as an
authenticator port that is to continue to forward packets:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.16
awplus(config-if)# dot1x port-control force-unauthorized
Designating the
Authentication
Methods
After designating a port as an authenticator port, you have to designate its
authentication method. The authentication method of a port can be either
802.1x username and password combination or MAC address. The
methods are explained in “Authentication Methods” on page 720.
You do not have to enter any command to set a port to 802.1x username
and password authentication because that is the default setting. But to
configure a port to the MAC address authentication method, you use the
AUTH-MAC ENABLE command. This example configures port 16 as an
authenticator port that uses the MAC address authentication method:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.16
awplus(config-if)# dot1x port-control auto
awplus(config-if)# auth-mac enable
To Next Page
Loading...
