Access Control on the Wired Network
Securing Access Using 802.1x on a wired LAN
69
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
• Multi-authentication mode authenticates all the devices that gain access to the network through a
single switch port, such as devices connected through IP phones.
• Multi-authentication mode is more secure than multi-host mode (which also allows multiple data
devices) because it authenticates all the devices that try to gain access to the network.
Step 1 Run the show run command on your switch to ensure that your access interface connections are set up.
This output is what you inherit after performing the “Access Interface Connectivity” workflow
configuration for an interface connected to an IP phone.
Step 2 (Optional) If you observe excessive timeouts, fine-tune the IEEE 802.1x timers and variables. Timers
and variables are important for controlling the IEEE 802.1x authenticator process on the switch.
We recommend that you do not change the IEEE 802.1x timer and variable default settings, unless
necessary.
Begin in interface configuration mode:
Switch#show running-config int Te3/0/12
Building configuration...
Current configuration : 766 bytes
!
interface TenGigabitEthernet3/0/12
switchport mode access
switchport block unicast
switchport voice vlan 2
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
load-interval 30
trust device cisco-phone
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
auto qos voip cisco-phone
macro description CISCO_PHONE_EVENT
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 15
end
dot1x timeout tx
-period 30
dot1x max-reauth-req 2
authentication timer restart 60
dot1x timeout quiet-period 60
To Next Page
Loading...
Need help?
General