To enable 802.1x port-based authentication, AAA must be enabled and
an authentication method list must be specified. A method list describes the
sequence and authentication methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users. If that
method fails to respond, the software selects the next authentication method in
the list. This process continues until there is successful communication with a
listed authentication method or until all defined methods are exhausted. If
authentication fails at any point in this cycle, the authentication process
stops, and no other authentication methods are attempted.
Beginning in
privileged EXEC mode, the following steps are used to configure 802.1x
port-based authentication. The associated commands are shown in Figure
.
Step 1
Enter global configuration mode.
Step
2
Enable AAA.
Step 3
Create an authentication method
list with the aaa authentication dot1x {default} method1
[method2...] command. To create a default list that is used
when a named list is not specified in the authentication command, use the
default keyword followed by the methods that are to be used
in default situations. The default method list is automatically applied to all
interfaces. At least one of the following keywords must be entered:
-
group radius – Use the list of all RADIUS servers for
authentication.
-
none – Use no authentication. The client is
automatically authenticated by the switch without using the information
supplied by the client.
Step 4 Enter interface configuration mode, and specify the interface
connected to the client that is to be enabled for 802.1x authentication.
Step 5 Enable 802.1x authentication on the interface.
The port
authorization state is controlled by using the dot1x
port-control interface configuration command and the following
keywords:
-
force-authorized – disables 802.1x and causes the port
to transition to the authorized state without any authentication exchange
required. The port transmits and receives normal traffic without 802.1x-based
authentication of the client. This is the default setting.
-
force-unauthorized – causes the port to remain in the
unauthorized state, ignoring all attempts by the client to authenticate. The
switch cannot provide authentication services to the client through the
interface.
-
auto – enables 802.1x authentication and causes the
port to begin in the unauthorized state, allowing only EAPOL frames to be sent
and received through the port. The authentication process begins when the link
state of the port transitions from down to up, or when an EAPOL-start frame is
received. The switch requests the identity of the client and begins relaying
authentication messages between the client and the authentication server. Each
client attempting to access the network is uniquely identified by the switch by
using the client's MAC address.
Step 6
Return to privileged EXEC mode.
Step
7
Verify the configuration.
To disable 802.1x AAA authentication, use the no aaa authentication
dot1x {default | list-name} method1
[method2...] global configuration command. To disable 802.1x
authentication, use the dot1x port-control force-authorized
or the no dot1x port-control interface configuration
command.
The example in Figure
shows
how to enable AAA and 802.1x on Fast Ethernet port 0/12.