Configuring Security
802.1X
Cisco Small Business 300 Series Managed Switch Administration Guide
 
For a device to be authenticated and authorized at a port with DVA enabled:
• The RADIUS server must authenticate the device and dynamically assign a 
VLAN to the device.
• The assigned VLAN must not be the default VLAN and must have been 
created at the switch. 
• The switch must not be configured to use DVA and a MAC-based 
VLAN group together. 
• A RADIUS server must support DVA with RADIUS attributes tunnel-type 
(64) = VLAN (13), tunnel-media-type (65) = 802 (6), and 
tunnel-private-group-id = a VLAN ID.
Authentication Methods
The authentication methods can be:
• 802.1x—The switch supports the authentication mechanism as described in 
the standard to authenticate and authorize 802.1x supplicants.
• MAC-based—The switch can be configured to use this mode to 
authenticate and authorize devices that do not support 802.1x. The switch 
emulates the supplicant role on behalf of the non-802.1x-capable devices, 
and uses the MAC address of the devices as the username and password 
when communicating with the RADIUS servers. MAC addresses for 
username and password must be entered in lower case and with no 
delimiting characters (for example: aaccbb55ccff). To use MAC-based 
authentication at a port:
- A Guest VLAN must be defined.
- The port must be Guest VLAN enabled.
- The packets from the first supplicant at the port before it is authorized 
must be untagged packets.
You can configure a port to use 802.1x, MAC-based, or 802.1x and MAC-based 
authentication. If a port is configured to use both 802.1x and MAC-based 
authentication, an 802.1x supplicant has precedence over a non-802.1x device. The 
802.1x supplicant preempts an authorized but non-802.1x device at a port that is 
configured with a single session.
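
The following is an added example, not part of the Cisco guide or any Cisco tool. It checks a RADIUS reply against the DVA conditions listed above and converts a MAC address to the credential form required for MAC-based authentication. The function names, the dictionary representation of the reply, and the sample values are assumptions; attribute number 81 for tunnel-private-group-id comes from RFC 2868, not from this page.

```python
import re

# RADIUS attribute numbers: 64 and 65 are given on the page; 81
# (Tunnel-Private-Group-ID) comes from RFC 2868, not from the page.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def mac_to_radius_credential(mac: str) -> str:
    """Return the MAC as 12 lower-case hex digits with no delimiters,
    the form used for both username and password in MAC-based mode."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def dva_problems(reply: dict, default_vlan: int, switch_vlans: set) -> list:
    """List the reasons a RADIUS reply fails the DVA conditions.
    `reply` maps attribute number -> value (hypothetical representation)."""
    problems = []
    if reply.get(TUNNEL_TYPE) != VLAN:
        problems.append("tunnel-type (64) is not VLAN (13)")
    if reply.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("tunnel-media-type (65) is not 802 (6)")
    try:
        vlan_id = int(reply.get(TUNNEL_PRIVATE_GROUP_ID))
    except (TypeError, ValueError):
        problems.append("tunnel-private-group-id is not a VLAN ID")
        return problems
    if vlan_id == default_vlan:
        problems.append("assigned VLAN is the default VLAN")
    if vlan_id not in switch_vlans:
        problems.append("assigned VLAN has not been created at the switch")
    return problems


# Constructed sample data, not taken from a real server or switch.
GOOD_REPLY = {64: 13, 65: 6, 81: "20"}
BAD_REPLY = {64: 13, 65: 6, 81: "1"}   # assigns the default VLAN

if __name__ == "__main__":
    print(mac_to_radius_credential("AA-CC-BB-55-CC-FF"))
    print(dva_problems(GOOD_REPLY, default_vlan=1, switch_vlans={1, 20, 30}))
    print(dva_problems(BAD_REPLY, default_vlan=1, switch_vlans={1, 20, 30}))
```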