Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
OL-13018-01

• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is
connected to an IP phone). A syslog message is generated for each of the clients that respond to the
readiness check within the timer period.

Beginning in privileged EXEC mode, follow these steps to enable the IEEE 802.1x readiness check on
the switch:

Step 1
Command: dot1x test eapol-capable [interface interface-id]
Purpose: Enable the 802.1x readiness check on the switch.
(Optional) For interface-id specify the port on which to check for IEEE 802.1x readiness.
Note: If you omit the optional interface keyword, all interfaces on the switch are tested.

Step 1
Command: configure terminal
Purpose: (Optional) Enter global configuration mode.

Step 2
Command: dot1x test timeout timeout
Purpose: (Optional) Configure the timeout used to wait for EAPOL response. The range is from 1 to
65535 seconds. The default is 10 seconds.

Step 3
Command: end
Purpose: (Optional) Return to privileged EXEC mode.

Step 4
Command: show running-config
Purpose: (Optional) Verify your modified timeout values.

This example shows how to enable a readiness check on a switch to query a port. It also shows the
response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/2
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/2 is EAPOL capable

Configuring IEEE 802.1x Authentication

To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.

To allow VLAN assignment, you must enable AAA authorization to configure the switch for all
network-related service requests.

This is the IEEE 802.1x AAA process:

Step 1
A user connects to a port on the switch.
Step 2
Authentication is performed.
Step 3
VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4
The switch sends a start message to an accounting server.
Step 5
Re-authentication is performed, as necessary.
Step 6
The switch sends an interim accounting update to the accounting server that is based on the result of
re-authentication.
Step 7
The user disconnects from the port.
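
The following Python example is added here and is not part of the Cisco guide. It parses readiness-check messages in the DOT1X_PORT_EAPOL_CAPABLE format shown in the example on this page (including output wrapped before "capable" and ports with several hosts) and lists attached hosts that did not answer within the timeout; the ATTACHED inventory, the function names, and every sample value except the first message are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message layout copied from the sample output on this page. \s+ between
# tokens also matches a line break, so output wrapped before "capable" parses.
CAPABLE_RE = re.compile(
    r"DOT1X_PORT_EAPOL_CAPABLE:\s*DOT1X:\s+MAC\s+(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"\s+on\s+(?P<port>\S+)\s+is\s+EAPOL\s+capable",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Reduce aa-bb-.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def capable_by_port(text):
    """Return {port: {mac, ...}} for every client that answered the check."""
    found = defaultdict(set)
    for m in CAPABLE_RE.finditer(text):
        found[m.group("port").lower()].add(norm_mac(m.group("mac")))
    return dict(found)

def readiness_gaps(text, attached):
    """attached: {port: [mac, ...]} of hosts known on each tested port (assumed input,
    full interface names). Returns {port: sorted MACs with no EAPOL response}."""
    capable = capable_by_port(text)
    gaps = {}
    for port, macs in attached.items():
        silent = {norm_mac(m) for m in macs} - capable.get(port.lower(), set())
        if silent:
            gaps[port.lower()] = sorted(silent)
    return gaps

# Constructed sample: the first message is the one shown on this page, wrapped
# as printed there; the second is made up in the same format.
SAMPLE = """\
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/2 is EAPOL
capable
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-aa-bb-01 on gigabitethernet1/3 is EAPOL capable
"""
# Constructed inventory: Gi1/3 carries an IP phone plus a PC, Gi1/4 one host.
ATTACHED = {
    "GigabitEthernet1/2": ["0001.024b.f1a3"],
    "GigabitEthernet1/3": ["0001.02aa.bb01", "0001.02aa.bb02"],
    "GigabitEthernet1/4": ["0001.02cc.dd01"],
}

if __name__ == "__main__":
    print(readiness_gaps(SAMPLE, ATTACHED))
```

Hosts listed in the result did not respond within the readiness-check timer period, so they need a supplicant or a separate access policy before 802.1x is enforced on their ports.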
Cisco IE 3000 Switch Software Configuration Guide