Cisco Systems 3750-X Switch User Manual
11-68
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
This is an example of configuring and verifying MACsec on an interface:
Switch(config)# interface GigabitEthernet1/0/25
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# macsec
Switch(config-if)# authentication event linksec fail action authorize vlan 2
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# authentication linksec policy must-secure
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation protect
Switch(config-if)# mka policy replay-policy
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
Switch(config-if)# end
Switch# show authentication sessions interface gigabitethernet1/0/25
Interface: GigabitEthernet1/0/25
MAC Address: 001b.2140.ec3c
IP Address: 1.1.1.103
User-Name: ms1
Status: Authz Success
Domain: DATA
Security Policy: Must Secure <--- New
Security Status: Secured <--- New
Oper host mode: multi-domain
Note that in this example authentication event linksec fail action authorize vlan 2 authorizes a peer that cannot establish MACsec into VLAN 2 rather than denying it access, so traffic from such a peer is not encrypted. Treat that VLAN as a restricted network, and confirm that Security Status shows Secured on every port where cleartext traffic is not acceptable.
Command Purpose
Step 7
Command: authentication host-mode multi-domain
Purpose: Configure the authentication manager host mode on the port so that both a data host and a voice device can be authenticated on the 802.1x-authorized port. If not configured, the default host mode is single-host.
Step 8
Command: authentication linksec policy must-secure
Purpose: Set the LinkSec security policy to require that the session be secured with MACsec. A peer that cannot negotiate MACsec fails link security, and what happens to it is decided by the configured authentication event linksec fail action (in the example above, authorization into VLAN 2). If not set, the default is should-secure.
Step 9
Command: authentication port-control auto
Purpose: Enable 802.1x authentication on the port. The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client.
Step 10
Command: authentication violation protect
Purpose: Configure the port to drop traffic from unexpected incoming MAC addresses when a new device connects to the port, or when a device connects after the maximum number of devices is already connected to that port. If not configured, the default is to shut down the port.
Step 11
Command: mka policy policy-name
Purpose: Apply an existing MKA protocol policy to the interface and enable MKA on the interface. If no MKA policy was configured (by entering the mka policy global configuration command), you must apply the MKA default policy to the interface by entering the mka default-policy interface configuration command.
Step 12
Command: dot1x pae authenticator
Purpose: Configure the port as an 802.1x port access entity (PAE) authenticator.
Step 13
Command: spanning-tree portfast
Purpose: Enable spanning tree Port Fast on the interface in all its associated VLANs. When Port Fast is enabled, the interface changes directly from the blocking state to the forwarding state without passing through the intermediate spanning-tree states.
Step 14
Command: end
Purpose: Return to privileged EXEC mode.
Step 15
Command: show authentication sessions interface interface-id
Purpose: Verify the security status of the authorized session. For a must-secure port, Security Policy should show Must Secure and Security Status should show Secured.
Step 16
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
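As an added example (not part of the Cisco guide), the following Python audits captured output of show authentication sessions interface in the key/value layout shown above and flags sessions that are authorized but not MACsec-protected, which is what a host authorized through the linksec fail action looks like. Both session texts are constructed: the first mirrors the guide's example, the second is a hypothetical fallback host, and the Unsecure wording of its Security Status line is an assumption, not a value taken from the guide.

```python
"""Audit 'show authentication sessions interface ...' output for MACsec status.

Added example, not Cisco's code. Assumes the one-'Key: Value'-per-line layout
shown in the Catalyst 3750-X guide. Sample session texts are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the guide's example output.
SESSION_OK = """\
Interface: GigabitEthernet1/0/25
MAC Address: 001b.2140.ec3c
IP Address: 1.1.1.103
User-Name: ms1
Status: Authz Success
Domain: DATA
Security Policy: Must Secure
Security Status: Secured
Oper host mode: multi-domain
"""

# Constructed (hypothetical): a peer that could not negotiate MKA and was
# authorized by the 'authentication event linksec fail action authorize vlan 2'
# fallback. The exact 'Security Status' wording for such a session is assumed.
SESSION_FALLBACK = """\
Interface: GigabitEthernet1/0/26
MAC Address: 0011.2233.4455
IP Address: 1.1.1.104
User-Name: legacy-printer
Status: Authz Success
Domain: DATA
Security Policy: Must Secure
Security Status: Unsecure
Oper host mode: multi-domain
"""

# 'Key: Value' where the key may contain spaces and hyphens (e.g. 'Oper host mode').
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*?)\s*$")


def parse_session(text: str) -> dict:
    """Turn the 'Key: Value' lines of one session into a dict keyed as printed."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


@dataclass
class Finding:
    interface: str
    mac: str
    problems: list = field(default_factory=list)


def audit_session(text: str, require_must_secure: bool = True) -> Finding:
    """Flag an authorized session whose link is not actually MACsec-protected."""
    f = parse_session(text)
    problems = []
    if f.get("Status") != "Authz Success":
        problems.append(f"status is {f.get('Status')!r}, not Authz Success")
    if require_must_secure and f.get("Security Policy") != "Must Secure":
        problems.append(f"policy is {f.get('Security Policy')!r}, expected Must Secure")
    # Core check: a Must Secure policy with an unsecured link means the host was
    # let in by the linksec fail action and its traffic is travelling in cleartext.
    if f.get("Security Status") != "Secured":
        problems.append(f"link is {f.get('Security Status')!r}, traffic is not MACsec-protected")
    return Finding(f.get("Interface", "?"), f.get("MAC Address", "?"), problems)


def audit_all(outputs) -> list:
    """Audit several captured sessions and return only the non-compliant ones."""
    return [r for r in (audit_session(o) for o in outputs) if r.problems]


if __name__ == "__main__":
    for r in audit_all([SESSION_OK, SESSION_FALLBACK]):
        print(f"{r.interface} {r.mac}: " + "; ".join(r.problems))
```

Run against text saved from the switch (one session per captured block); any session listed is one where an authorized host is not covered by MACsec and deserves a look at whether the fallback VLAN is really what you intend.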