Customer Support Note

Configuring 802.1X on Cisco IOS-based Switches
Test Unit: Cisco Catalyst 3750/3550
May, 2011

The following steps outline what is necessary to configure a Cisco switch to authenticate endpoints using 802.1X.

Configuring a VLAN

Enter the following four lines to begin:

    configure terminal
    interface vlan <VLAN NAME>
    ip address <IP address of the VLAN> <subnet mask>
    no shutdown

Adding a Switch Port Interface to a VLAN

To set a default VLAN on a switch port:

    configure terminal
    interface <interface no> (ex: int gi1/0/10)
    switchport access vlan <VLAN ID or name of the VLAN> (ex: 151 or VLAN151)

Configuring a DHCP Pool

Setting up the DHCP pool on the VLAN:

    configure terminal
    ip dhcp pool <pool name> (ex: ip dhcp pool 130)
    network <IP address> <subnet mask> (ex: network 192.168.131.0 255.255.255.0)
    default-router <gateway IP> (ex: default-router 192.168.131.1)
    domain-name <domain name> (ex: domain-name test.avendasys.com)
    dns-server <DNS server IP> (ex: dns-server 192.168.12.10)

Configuring a Trunk Port to Connect Access Points

This enables trunking on the switch port:

    configure terminal
    interface <interface no> (ex: int gi1/0/10)
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan <VLAN IDs> (ex: allowed vlan 1-192 or 1,150)
    switchport mode trunk
    switchport nonegotiate

Configuring 802.1X Authentication

Global mode configuration for enabling AAA:

    configure terminal
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 30

Execute these commands if available in Cisco IOS 12.2(33) and up:

    dot1x system-auth-control
    dot1x guest-vlan supplicant
    dot1x critical eapol

Configuring the Switch to Point to a Specific RADIUS Server

Global mode configuration to enable RADIUS:

    configure terminal
    ip radius source-interface Vlan <default VLAN ID where the RADIUS server is connected>
    radius-server attribute 8 include-in-access-req
    radius-server host <RADIUS server IP address> auth-port 1812 acct-port 1813
    radius-server source-ports 1645-1646
    radius-server timeout 3
    radius-server key <shared secret>
    radius-server vsa send authentication

Configuring 802.1X on a Switch Port

Enables 802.1X on a specified switch port:

    configure terminal
    interface <interface no> (ex: int gi1/0/10)
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication (enables reauthentication)
    dot1x timeout reauth-period server
    dot1x timeout tx-period 3
    dot1x timeout supp-timeout 3
    dot1x guest-vlan <guest VLAN ID> (ex: dot1x guest-vlan 151)
    spanning-tree portfast

Execute these commands if available in Cisco IOS 12.2(33) and up:

    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server

Configuring MAC-AUTH-BY-PASS on an 802.1X Interface

Enables MAC-AUTH-BY-PASS on a specified switch port:

    configure terminal
    interface <interface no> (ex: int gi1/0/10)
    dot1x mac-auth-bypass (by default the PAP auth method will be used)

Note: If EAP-MD5 is required, use the following command line instead:

    dot1x mac-auth-bypass eap

Execute this command if available in Cisco IOS 12.2(33) and up:

    mab

Configuring Port Authentication Failover – New commands in Cisco IOS 12.2(33) and up

Interface configuration:

    configure terminal
    interface <interface no> (ex: int gi1/0/10)
    authentication order dot1x mab
    authentication priority dot1x mab

Configuring RADIUS Accounting

Global mode configuration:

    configure terminal
    aaa accounting dot1x default start-stop group radius

Deleting a VLAN

If you need to remove a VLAN after testing this configuration, use the following:

    configure terminal
    no interface vlan <VLAN NAME>

For Avenda Assistance
support@avendasys.com or 408 748 0902 x200

Avenda Systems
3255 Scott Blvd, B2, Suite 102
Santa Clara, CA 95054
Phone: 408.748.0902
Fax: 408.748.0906
www.avendasys.com

Copyright © 2010 Avenda Systems, Inc. All rights reserved worldwide. Avenda Systems, its product and program names and design marks are trademarks of Avenda Systems, Inc. All other trademarks mentioned in this document are the property of their respective owners.
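The switch-port, MAB and failover sections above describe a per-port checklist that is easy to get wrong on a switch with many access ports. The following audit script is an added example, not part of this note or of any Avenda or Cisco tool: it parses IOS-style running-config text and reports which of the global and per-access-port commands from the 12.2(33)-and-up sections are missing. The sample configuration, the interface names and the shared-secret value are constructed for illustration.

```python
# Constructed sample running-config (not from a real switch) using this note's 12.2(33)+ syntax;
# Gi1/0/11 deliberately lacks MAB, periodic reauthentication and the dot1x-then-mab order.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server key SHARED-SECRET-PLACEHOLDER
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication order dot1x mab
 mab
interface GigabitEthernet1/0/11
 switchport mode access
 authentication port-control auto
interface GigabitEthernet1/0/12
 switchport mode trunk
"""

# Commands this note requires globally and on every 802.1X access port.
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius",
                   "dot1x system-auth-control", "radius-server key")
ACCESS_REQUIRED = ("authentication port-control auto", "authentication periodic",
                   "authentication order dot1x mab", "mab")

def split_config(config):
    # Split IOS text into global commands and {interface name: [its indented commands]}.
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-indented global command ends the interface block
            global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    # Return the required commands that are missing globally and on each access port.
    global_lines, interfaces = split_config(config)
    report = {"global": [c for c in GLOBAL_REQUIRED
                         if not any(l.startswith(c) for l in global_lines)], "ports": {}}
    for name, lines in interfaces.items():
        missing = [c for c in ACCESS_REQUIRED if c not in lines]
        if "switchport mode access" in lines and missing:  # trunks (e.g. to APs) are skipped
            report["ports"][name] = missing
    return report
```

Run `audit(SAMPLE_CONFIG)` against the constructed sample and only GigabitEthernet1/0/11 is reported, with the three commands it lacks; feed it the output of `show running-config` from a lab switch to check every access port the same way.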