Customer Support Note
Configuring 802.1X on Cisco IOS-based Switches
Test Unit: Cisco Catalyst 3750/3550
May, 2011
The following steps outline what is necessary to configure a Cisco switch to
authenticate endpoints using 802.1X.
Configuring a VLAN
The following 4 lines are entered to begin:
configure terminal
interface vlan <VLAN NAME>
ip address <IP address of the vlan> <subnet mask>
no shutdown
Adding a Switch Port Interface to a VLAN
To set a default VLAN on a switch port:
configure terminal
interface <interface no> (ex: int gi1/0/10)
switchport access vlan <VLAN ID or name of the VLAN> (ex: 151 or VLAN151)
Configuring a DHCP Pool
Setting up the DHCP pool on the VLAN:
configure terminal
ip dhcp pool <Pool name> (ex: ip dhcp pool 130)
network <IP address> <subnet mask> (ex: network 192.168.131.0 255.255.255.0)
default-router <gateway ip> (ex: default-router 192.168.131.1)
domain-name <domain name> (ex: domain-name test.avendasys.com)
dns-server <dns server ip> (ex: dns-server 192.168.12.10)
Copyright © 2010 Avenda Systems, Inc. All rights reserved worldwide. Avenda Systems, its product and program names and design marks are trademarks of Avenda
Systems, Inc. All other trademarks mentioned in this document are the property of their respective owners.
Configuring a Trunk Port to Connect Access Points
This enables trunking on the switch port:
configure terminal
interface <interface no> (ex: int gi1/0/10)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan <VLAN IDs> (ex: allowed vlan 1-192 or 1,150)
switchport mode trunk
switchport nonegotiate
Configuring 802.1X Authentication
Global mode configuration for enabling AAA:
configure terminal
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 30
Execute these commands if available in Cisco IOS 12.2(33) and up:
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
Configuring the Switch to Point to a Specific RADIUS Server
Global mode configuration to enable RADIUS:
configure terminal
ip radius source-interface Vlan <default VLAN ID where RADIUS server is connected>
radius-server attribute 8 include-in-access-req
radius-server host <radius server ip address> auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server timeout 3
radius-server key <shared secret>
radius-server vsa send authentication MAC-AUTH-BY-PASS
Configuring 802.1X on a Switch Port
Enables 802.1X authentication on a specified switch port:
configure terminal
interface <interface no> (ex: int gi1/0/10)
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication (enables reauthentication)
dot1x timeout reauth-period server
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
dot1x guest-vlan <Guest VLAN ID> (ex: dot1x guest-vlan 151)
spanning-tree portfast
Execute these commands if available in Cisco IOS 12.2(33) and up:
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
Configuring MAC-AUTH-BY-PASS on an 802.1X Interface
Enables MAC-AUTH-BY-PASS on a specified switch port:
configure terminal
interface <interface no> (ex: int gi1/0/10)
dot1x mac-auth-bypass (by default the PAP authentication method will be used)
Note: If EAP-MD5 is required, use the following command instead:
dot1x mac-auth-bypass eap
Execute this command if available in Cisco IOS 12.2(33) and up:
mab
Configuring Port Authentication Failover – New commands in Cisco IOS 12.2(33) and up
Interface configuration:
configure terminal
interface <interface no> (ex: int gi1/0/10)
authentication order dot1x mab
authentication priority dot1x mab
Configuring RADIUS Accounting
Global mode configuration:
configure terminal
aaa accounting dot1x default start-stop group radius
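As an added example (not part of this note and not an Avenda tool), the following Python script checks a saved running-config against the settings the sections above require: the global AAA and RADIUS commands, port-control auto on every access port (either the dot1x or the 12.2(33)+ authentication form), and switchport nonegotiate on trunks. The sample configuration, interface names and RADIUS address are constructed for the example.

```python
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "dot1x system-auth-control")

# Constructed running-config excerpt (not from a real switch): one port configured per
# this note, one access port left unauthenticated, one trunk without nonegotiate.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.12.20 auth-port 1812 acct-port 1813
radius-server key <shared secret>
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/11
 switchport mode access
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def parse_config(text):
    # Returns (global commands, {interface name: [its indented commands]}).
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.strip() and line != "!":
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    # Findings for the settings this note requires; an empty list means the config passes.
    global_cmds, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_cmds]
    if not any(c.startswith("radius-server key ") for c in global_cmds):
        findings.append("global: no radius-server key (shared secret) configured")
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds:
            if not {"dot1x port-control auto", "authentication port-control auto"} & set(cmds):
                findings.append(f"{name}: access port without port-control auto")
        elif "switchport mode trunk" in cmds and "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: trunk port without 'switchport nonegotiate'")
    return findings
```

Run audit() on the output of show running-config; ports the switch still leaves open after the steps above show up as findings.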
Deleting a VLAN
If you need to remove a VLAN after testing this configuration, use the following:
configure terminal
no interface vlan <VLAN NAME>
For Avenda Assistance
support@avendasys.com or 408 748 0902 x200
Avenda Systems
3255 Scott Blvd, B2, Suite 102
Santa Clara, CA 95054
Phone: 408.748.0902
Fax: 408.748.0906
www.avendasys.com