Authentication Configuration Example
10-26 Configuring User Authentication
Configuring MultiAuth Authentication
MultiAuth authentication must be set to multi whenever multiple users of 802.1x need to be
authenticated or whenever any MAC-based or PWA authentication is present. For ports where no
authentication is present, such as switch to switch, or switch to router connections, you should
also set MultiAuth port mode to force authenticate to assure that traffic is not blocked by a failed
authentication. For purposes of this example, we will limit authentication to a maximum of 6 users
per port.
The following CLI input
• Sets MultiAuth authentication to multi.
• Sets ports with switch to switch and switch to router connections to force authenticate.
• Sets the maximum number of users that can authenticate on each port to 6.
System(rw)->set multiauth mode multi
System(rw)->set multiauth port mode force-auth ge.1.5-7
System(rw)->set multiauth port numusers 6 ge.1.5-7
System(rw)->set multiauth port mode force-auth ge.1.19-24
System(rw)->set multiauth port numusers 6 ge.1.19-24
This completes the MultiAuth authentication configuration piece for this example. Keep in mind
that you would want to use the set multiauth precedence command to specify which
authentication method should take precedence, should you have a single user configured for
multiple authentications on the same port.
Enabling RADIUS On the Switch
The switch needs to be informed about the authentication server. Use the following CLI input to:
• Configure the authentication server IP parameters on the switch.
• Enable the RADIUS server.
System(rw)->set radius server 1 10.20.10.01 1812 mysecret
System(rw)->set radius enable
Creating RADIUS User Accounts on the Authentication Server
RADIUS account creation on the authentication server is specific to the RADIUS application you
are using. Please see the documentation that comes with your RADIUS application. Create an
account for all users to be authenticated.
Configuring the Engineering Group 802.1x End-User Stations
There are three aspects to configuring 802.1x for the engineering group:
• Configure EAP on each end-user station.
• Set up an account in RADIUS on the authentication server for each end-user station.
• Configure 802.1x on the switch.
Configuring EAP on the end-user station and setting up the RADIUS account for each station is
dependent upon your operating system and the RADIUS application being used, respectively. The
important thing the network administrator should keep in mind is that these two configurations
should be in place before moving on to the 802.1x configuration on the switch.
To Next Page
Loading...
Need help?
General