Cisco Field Manual. Catalyst Switch Configuration

11-8. 802.1X Port Authentication

  • On most switches, ports are enabled by default and anyone who can plug into the port gains access to the network.

  • Port security using MAC addresses can control which devices can access a network on a given port but must be reconfigured if a device is moved.

  • 802.1X provides a standard method for authorizing ports using client certificates or usernames.

  • 802.1X uses a RADIUS server to provide authorization of a port for use.

  • Until an 802.1X port is authorized, it cannot be used to pass user traffic.

  • In 802.1X, the switch acts as a proxy between the client and the server to pass authentication information.

Configuration

To configure 802.1X port authentication, use the following steps.

1. Enable 802.1X authentication globally:

   COS:  set dot1x system-auth-control enable

   IOS:  N/A

On a COS switch, you must first enable the 802.1X authentication process globally on the switch before you can configure the ports for authorization.

2. Specify the RADIUS server and key:

   COS:  set radius server address
         set radius key string

   IOS:  (global) radius-server host address key string

Because the 802.1X process relies on a RADIUS server, you must configure the switch with the address of the RADIUS server and the key used on the server.

3. Create an authentication, authorization, accounting (AAA) model:

   COS:  N/A

   IOS:  (global) aaa new-model
         (global) aaa authentication dot1x default group radius

For the IOS switch, you will enable 802.1X authentication by creating an AAA model using the commands listed.

4. Enable 802.1X on the port:

   COS:  set port dot1x mod/port port-control auto

   IOS:  (interface) dot1x port-control {auto | force-authorized | force-unauthorized}

After completing the previous steps, you can configure a port for 802.1X authorization. When a port is configured for 802.1X authentication, it will not pass user traffic until a RADIUS server sends authorization for the port.

Feature Example

This example shows the configuration for Ethernet port 3/6 to provide 802.1X authentication for a client using the RADIUS server 10.1.1.1 with a key string of funhouse.

An example of the Catalyst OS configuration follows:

Catalyst (enable)>set dot1x system-auth-control enable
Catalyst (enable)>set radius server 10.1.1.1
Catalyst (enable)>set radius key funhouse
Catalyst (enable)>set port dot1x 3/6 port-control auto

An example of the Supervisor IOS configuration follows:

Switch(config)#radius-server host 10.1.1.1 key funhouse
Switch(config)#aaa new-model
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#interface fastethernet 3/6
Switch(config-if)#dot1x port-control auto
Switch(config-if)#end
Switch#copy running-config startup-config
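As an added check that is not part of the book, the following Python script audits a saved Supervisor IOS running-config against steps 2 through 4 above: it reports any missing global prerequisite (aaa new-model, the dot1x authentication list, a RADIUS host) and every access port whose dot1x port-control is not auto, since force-authorized or an unconfigured port passes traffic without RADIUS authorization. The sample running-config is constructed for this example and extends the 3/6 feature example with two additional ports.

```python
import re

# Constructed sample running-config: the feature example for port 3/6,
# plus two extra access ports that would fail the audit.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 key funhouse
!
interface FastEthernet3/6
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet3/7
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet3/8
 switchport mode access
!
"""

# Global commands from steps 2 and 3 that 802.1X depends on.
GLOBAL_PREREQS = {
    "aaa new-model": re.compile(r"^aaa new-model$", re.M),
    "aaa authentication dot1x": re.compile(r"^aaa authentication dot1x \S+ group radius", re.M),
    "radius-server host": re.compile(r"^radius-server host \S+", re.M),
}

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another global line ends the block
    return interfaces

def audit_dot1x(config):
    """List missing global prerequisites and access ports not set to 'auto'."""
    findings = [f"missing global command: {name}"
                for name, rx in GLOBAL_PREREQS.items() if not rx.search(config)]
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # only access ports are expected to authenticate clients
        mode = next((c.split()[-1] for c in cmds if c.startswith("dot1x port-control")), None)
        if mode != "auto":
            findings.append(f"{name}: dot1x port-control is {mode or 'not configured'}")
    return findings
```

Run audit_dot1x() over the output of show running-config saved to a file; an empty list means every access port requires RADIUS authorization and the global prerequisites are present.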
