49-65
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
The following example shows a full configuration of 802.1X with Inaccessible Authentication Bypass, including required AAA
and RADIUS configuration as specified in the “Enabling 802.1X Authentication” section on page 49-29 and “Configuring
Switch-to-RADIUS-Server Communication” section on page 49-32.
The RADIUS server configured is at IP address 10.1.2.3, using port 1645 for authentication and 1646 for accounting. The
RADIUS secret key is mykey. The username used for the test server probes is randomizes. The test probes for both living and
dead servers are generated once per minute. The interface FastEthernet 3/1 is configured to critically authenticate into VLAN
17 when AAA becomes unresponsive, and to reinitialize automatically when AAA becomes available again.
Cisco IOS Release 12.2(50)SG and later
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# radius-server host 10.1.2.3 auth-port 1645 acct-port 1646 test username randomuser idle-time
1 key mykey
Switch(config)# radius-server deadtime 1
Switch(config)# radius-server dead-criteria time 15 tries 3
Switch(config)# interface f3/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication event server dead action authorize vlan 17
Switch(config-if)# end
Switch# show dot1x int fastethernet 3/1 details
Dot1x Info for FastEthernet3/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Critical-Auth = Enabled
Critical Recovery Action = Reinitialize
Critical-Auth VLAN = 17
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0000.0000.0001
Auth SM State = AUTHENTICATING
Auth BEND SM Stat = RESPONSE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Critical-Auth
Operational HostMode = SINGLE_HOST
Vlan Policy = 17
Switch#
Cisco IOS Release 12.2(46)SG or earlier
Switch# configure terminal
Switch(config)# aaa new-model
To Next Page
Loading...
