Support User Manuals

Cisco Systems 3560-X Switch User Manual

Open as PDF

of 1438

11-61

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

This example shows how to configure a switch as a supplicant:

Switch# configure terminal

Switch(config)# cisp enable

Switch(config)# dot1x credentials

test

Switch(config)# username suppswitc

h

Switch(config)#

password myswitch

Switch(config)# dot1x supplicant force-multicast

Switch(config)# interface gigabite

thernet1/0/1

Switch(config-if)# sw

itchport trunk encapsulation dot1q

Switch(config-if)# switchport mode

trunk

Switch(config-if)# do

t1x pae supplicant

Switch(config-if)# do

t1x credentials test

Switch(config-if)# en

d

Configuring NEAT with ASP

You can also use an AutoSmart Ports user-defined macro instead of the switch VSA to configure the

authenticator switch. For more information, see the Chapter 14, “Configuring Auto Smartports Mac-

ros.”

Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs

In addition to configuring 802.1x authentication on the switch, you need to configure the ACS. For more

information, see the Cisco Secure ACS configuration guides.

Note You must configure a downloadable ACL on the ACS before downloading it to the switch.

After authentication on the port, you can use the sho

w ip access-list privileged EXEC command to

display the downloaded ACLs on the port.

Configuring Downloadable ACLs

The policies take effect after client authentication and the client IP address addition to the IP device

tracking table. The switch then applies the downloadable ACL to the port.

Beginning in privileged EXEC mode:

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

ip device tracking Configure the ip device tracking table.

Step 3

aaa new-model Enables AAA.

Step 4

aaa authorization network default group

radius

Sets the authorization method to local. To remove the

authorization method, use the no aaa authorization network

default group radius command.

Step 5

radius-server vsa send authentication Configure the radius vsa send authentication.

Step 6

interface interface-id Specify the port to be configured, and enter interface

configuration mode.

previous next