Cisco Catalyst 4500 Series Administration Guide

46-66
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
The following example shows a full configuration of 802.1X with Inaccessible Authentication Bypass,
including required AAA and RADIUS configuration as specified in the “Enabling 802.1X
Authentication” section on page 46-31 and “Configuring Switch-to-RADIUS-Server Communication”
section on page 46-35.
The RADIUS server configured is at IP address 10.1.2.3, using port 1645 for authentication and 1646
for accounting. The RADIUS secret key is mykey. The username used for the test server probes is
randomuser. The test probes for both living and dead servers are generated once per minute. The
interface FastEthernet 3/1 is configured to critically authenticate into VLAN 17 when AAA becomes
unresponsive, and to reinitialize automatically when AAA becomes available again.
Cisco IOS Release 12.2(50)SG and later
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# radius-server host 10.1.2.3 auth-port 1645 acct-port 1646 test username randomuser idle-time 1 key mykey
Switch(config)# radius-server deadtime 1
Switch(config)# radius-server dead-criteria time 15 tries 3
Switch(config)# interface f3/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication event server dead action authorize vlan 17
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# end
Step 9
Command:
[Catalyst 4900M, Catalyst 4948E, Catalyst 4948E-F, Supervisor Engine 6-E, and Supervisor Engine 6L-E] Cisco IOS Release 15.0(2)SG and later
[Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine 8-E] Cisco IOS Release XE 3.2.0SG and later
Switch(config-if)# authentication event server dead action authorize voice
Purpose:
(Optional) Enables Inaccessible Authentication Bypass for voice clients on the port. This command applies to Multiple Domain Authentication and Multiple Authentication modes.
To disable the feature, use the no authentication event server dead action authorize voice interface configuration command.

Step 10
Command:
[Catalyst 4900M, Catalyst 4948E, Catalyst 4948E-F, Supervisor Engine 6-E, and Supervisor Engine 6L-E] Cisco IOS Release 12.2(50)SG and later
[Supervisor Engine 7-E, Supervisor Engine 7L-E, Supervisor Engine 8-E] Cisco IOS Release 15.0(1)XO and later
Switch(config-if)# authentication event server alive action reinitialize
Cisco IOS Release 12.2(46)SG or earlier releases
Switch(config-if)# dot1x critical recovery action reinitialize
Purpose:
(Optional) Specifies that the port should be reinitialized if it is critically authorized and RADIUS becomes available.
The default is not to reinitialize the port.

Step 11
Command:
Switch(config)# end
Purpose:
Returns to privileged EXEC mode.

Step 12
Command:
Switch# show dot1x interface interface-id details
Purpose:
(Optional) Verifies your entries.

Step 13
Command:
Switch# copy running-config startup-config
Purpose:
(Optional) Saves your entries in the configuration file.
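
The following Python sketch is an added example, not part of the Cisco guide. It audits running-config text for 802.1X ports that are critically authorized into a VLAN when RADIUS is dead but lack the Step 10 reinitialize action, and checks that a RADIUS host carries test-probe settings as in the full example above. It covers only the Release 12.2(50)SG and later syntax; the sample config, function names and finding wording are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
radius-server host 10.1.2.3 auth-port 1645 acct-port 1646 test username randomuser idle-time 1 key mykey
!
interface FastEthernet3/1
 authentication port-control auto
 authentication event server dead action authorize vlan 17
 authentication event server alive action reinitialize
!
interface FastEthernet3/2
 authentication port-control auto
 authentication event server dead action authorize vlan 17
!
interface FastEthernet3/3
 authentication port-control auto
"""

DEAD_VLAN = re.compile(r"authentication event server dead action authorize vlan (\d+)")
ALIVE_REINIT = "authentication event server alive action reinitialize"
PROBE = re.compile(r"^radius-server host \S+ .*\btest username \S+", re.M)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def audit_iab(config):
    """Return (scope, finding) pairs for ports using Inaccessible Authentication Bypass."""
    findings = []
    if not PROBE.search(config):
        findings.append(("global", "no radius-server host has test username probes"))
    for name, cmds in parse_interfaces(config).items():
        vlans = [m.group(1) for m in map(DEAD_VLAN.fullmatch, cmds) if m]
        if "authentication port-control auto" not in cmds or not vlans:
            continue  # not an 802.1X port, or fails closed when RADIUS is dead
        if ALIVE_REINIT not in cmds:
            findings.append((name, f"stays in critical VLAN {vlans[0]} after RADIUS recovers"))
    return findings
```

On the sample, only FastEthernet3/2 is reported: it is authorized into VLAN 17 while RADIUS is dead and, per the Step 10 default, is not reinitialized when RADIUS returns.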

Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E
