Filter
Top Products
Configuring Port-Based Access Control (802.1X)
802.1X Open VLAN Mode
■ Ensure that the switch is connected to a RADIUS server configured
to support authentication requests from clients using ports config-
ured as 802.1X authenticators. (The RADIUS server should not be on
the Unauthorized-Client VLAN.)
Note that as an alternative, you can configure the switch to use local
password authentication instead of RADIUS authentication. However,
this is less desirable because it means that all clients use the same
passwords and have the same access privileges. Also, you must use 802.1X
supplicant software that supports the use of local switch passwords.
Caution Ensure that you do not introduce a security risk by allowing Unauthorized-
Client VLAN access to network services or resources that could be compro-
mised by an unauthorized client.
Configuring General 802.1X Operation: These steps enable 802.1X
authentication, and must be done before configuring 802.1X VLAN operation.
1. Enable 802.1X authentication on the individual ports you want to serve
as authenticators. (The switch automatically disables LACP on the ports
on which you enable 802.1X.) On the ports you will use as authenticators
with VLAN operation, ensure that the (default) port-control parameter is
set to auto. (Refer to
“1. Enable 802.1X Authentication on Selected Ports”
on page 8-15.) This setting requires a client to support 802.1X authenti-
cation (with 802.1X supplicant operation) and to provide valid creden-
tials to get network access.
Syntax: aaa port-access authenticator e < port-list > control auto
Activates 802.1X port-access on ports you have configured as
authenticators.
2. Configure the 802.1X authentication type. Options include:
Syntax: aaa authentication port-access < local | eap-radius | chap-radius >
Determines the type of RADIUS authentication to use.
local: Use the switch’s local username and password for
supplicant authentication (the default).
eap-radiusUse EAP-RADIUS authentication. (Refer to the
documentation for your RADIUS server.
chap-radiusUse CHAP-RADIUS (MD5) authentication.
(Refer to the documentation for your RADIUS server
software.)
8-28