92 Cisco LAN Switching Configuration Handbook
accessible ports. The authentication server authenticates each client connected to a
switch port and assigns the port to a VLAN before making available any services offered
by the switch or the LAN. Until the client is authenticated, 802.1X access control enables
only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to
which the client is connected. After authentication is successful, normal traffic can pass
through the port. Use the following steps to configure dynamic VLANs using 802.1x
with VLAN assignment:
1. Enable AAA authorization by using the network keyword to allow interface configu-
ration from the RADIUS server.
(global) RADIUS configuration
(global) radius-server host ip_address
(global) radius-server key key
(global) aaa new-model
(global) aaa authentication dot1x default group radius
(global) aaa authorization default group radius
(global) aaa authorization config-commands
2. Enable 802.1x authentication:
(global) dot1x system-auth-control
(global) dot1x max-req
(global) dot1x timeout quiet-period
(global) dot1x timeout tx-period
(global) dot1x timeout re-authperiod
(global) dot1x re-authentication
Note The VLAN assignment feature is automatically enabled when you configure 802.1X
authentication on an access port.
3. Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server
must return these attributes to the switch: [64] Tunnel-Type = VLAN [65] Tunnel-
Medium-Type = 802 [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID.
Note The dynamic VLAN mechanism:
â– RADIUS AV-Pairs used to send back VLAN configuration information to authen-
ticator.
To Next Page
Loading...
Need help?
General