Filter
Top Products
29-20
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
This example shows how to configure 802.1X accounting. The first command configures the RADIUS
server, specifying 1813 as the UDP port for accounting:
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# aaa accounting system default start-stop group radius
Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and
interim-update messages and time stamps. To turn on these functions, enable logging of
“Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab.
Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
Configuring 802.1X with Guest VLANs
You can configure a guest VLAN for each 802.1X port on the Catalyst 4500 series switch to provide
limited services to clients, such as downloading the 802.1X client. These clients might be upgrading
their system for 802.1X authentication, and some hosts, such as Windows 98 systems, might not be
802.1X-capable.
When you enable a guest VLAN on an 802.1X port, the Catalyst 4500 series switch assigns clients to a
guest VLAN provided (1) the authentication server does not receive a response to its EAPOL request or
identity frame, or (2) the EAPOL packets are not sent by the client.
Prior to Cisco Release 12.2(25)EWA, the Catalyst 4500 series switch did not maintain the EAPOL
packet history and allowed clients that failed authentication access to the guest VLAN, regardless
whether EAPOL packets had been detected on the interface. You can enable this optional behavior with
the dot1x guest-vlan supplicant global configuration command.
Starting with Cisco Release 12.2(25)EWA, the Catalyst 4500 series switch maintains the EAPOL packet
history. If another EAPOL packet is detected on the interface during the lifetime of the link, network
access is denied. The EAPOL history is reset upon loss of the link.
Any number of 802.1X-incapable clients are allowed access when the switch port is moved to the guest
VLAN. If an 802.1X-capable client joins the same port on which the guest VLAN is configured, the port
is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.
Step 3
Switch(config)# clock timezone
PST -8
Sets the time zone for the accounting event-time stamp field.
Step 4
Switch(config)# clock
calendar-valid
Enables the date for the accounting event-time stamp field.
Step 5
Switch(config-if)# aaa accounting
system default start-stop group
radius
(Optional) Enables system accounting (using the list of all RADIUS
servers) and generates system accounting reload event messages when the
switch reloads.
Step 6
Switch(config-if)# end
Returns to privileged EXEC mode.
Step 7
Switch# show running-config
Verifies your entries.
Step 8
Switch# copy running-config
startup-config
(Optional) Saves your entries in the configuration file.
Command Purpose