Access Control on the Wired Network
Securing Access Using 802.1x on a wired LAN
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Step 3 Set the timers on the appropriate interfaces.
These timers and variables control IEEE 802.1x authenticator operations when end devices stop
functioning during authentication.
Begin in interface configuration mode.
Reference
For detailed information about the IEEE 802.1x timers and variables, see the Wired 802.1x Deployment
Guide.
Step 4 Enable MAC authentication bypass (MAB) from interface configuration mode to authenticate
supplicants that do not support IEEE 802.1x authentication.
When MAB is enabled, the switch uses the MAC address of the device as its identity. The authentication
server has a database of MAC addresses that are allowed network access.
We recommend that you enable MAB to support non-802.1x-compliant devices. MAB is also an
alternate authentication method when end devices fail IEEE 802.1x authentication due to restricted ACL
access.
Begin in interface configuration mode.
Step 5 Configure IEEE 802.1x on the appropriate interfaces.
When you configure an IEEE 802.1x parameter on a port, a dot1x authenticator is automatically created
on the port. When that occurs, the dot1x pae authenticator command must also be configured to ensure
that the dot1x authentication will work on legacy configurations.
Begin in interface configuration mode:
Step 6 Enable access control and IEEE 802.1x authentications.
Begin in global configuration mode.
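!Step 3: 802.1x timers and variables (interface configuration mode)
!
dot1x timeout supp-timeout 30
dot1x max-req 2
!
!Step 5: 802.1x on the interface (interface configuration mode)
!
authentication port-control auto
dot1x pae authenticator
!
!Step 6: access control and 802.1x (global configuration mode)
!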
!Enable new access control
!
aaa new-model
!
!Set authentication list for 802.1x
!
aaa authentication dot1x default group radius
!
!Enable 802.1x authentication
!
dot1x system-auth-control
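
The following audit script is an added example, not part of the Cisco guide. It checks a saved running-config for the global and per-interface commands from Steps 5 and 6 and reports any that are missing. Assumptions: end-device ports are identified by "switchport mode access", the sample config is constructed, and the `mab` command (the IOS interface command for Step 4) is not printed on this page.

```python
# Commands printed in Steps 5 and 6 of this page.
GLOBAL_REQUIRED = ["aaa new-model", "dot1x system-auth-control",
                   "aaa authentication dot1x default group radius"]
PORT_REQUIRED = ["authentication port-control auto", "dot1x pae authenticator"]
# Assumption: `mab` is the IOS interface command for Step 4; the page does not print it.
PORT_RECOMMENDED = ["mab"]

# Constructed sample running-config (not from a real device).
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
interface GigabitEthernet1/1/1
 switchport mode trunk
"""

def parse_config(text):
    """Split a config into global commands and per-interface command sets."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(" ".join(line.split()))
        else:  # unindented line: back at global level
            current = None
            if line and not line.startswith("!"):
                global_cmds.add(" ".join(line.split()))
    return global_cmds, interfaces

def audit(text):
    """Return (errors, warnings) listing missing commands as 'scope: command'."""
    global_cmds, interfaces = parse_config(text)
    # Assumption: only "switchport mode access" ports face end devices.
    ports = {n: c for n, c in interfaces.items() if "switchport mode access" in c}
    errors = [f"global: {c}" for c in GLOBAL_REQUIRED if c not in global_cmds]
    errors += [f"{n}: {c}" for n, cfg in ports.items() for c in PORT_REQUIRED if c not in cfg]
    warnings = [f"{n}: {c}" for n, cfg in ports.items() for c in PORT_RECOMMENDED if c not in cfg]
    return errors, warnings

if __name__ == "__main__": print(audit(SAMPLE))
```

An access port that has "authentication port-control auto" but lacks "dot1x pae authenticator" is reported as an error, and the trunk uplink is skipped.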