Chapter 8
Configuring IEEE 802.1x Port-Based Authentication
This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port, verifying that the device connected to it is IEEE 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable
Configuring IEEE 802.1x Authentication

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: errdisable detect cause security-violation shutdown vlan
Purpose: Shut down any VLAN on which a security violation error occurs.
Note: If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down.

Step 3
Command: errdisable recovery cause security-violation
Purpose: (Optional) Enable automatic per-VLAN error recovery.

Step 4
Command: clear errdisable interface interface-id vlan [vlan-list]
Purpose: (Optional) Reenable individual VLANs that have been error disabled.
  • For interface-id, specify the port on which to reenable individual VLANs.
  • (Optional) For vlan-list, specify a list of VLANs to be re-enabled. If vlan-list is not specified, all VLANs are re-enabled.

Step 5
Command: shutdown
         no shutdown
Purpose: (Optional) Re-enable an error-disabled VLAN, and clear all error-disable indications.

Step 6
Command: end
Purpose: Return to privileged EXEC mode.

Step 7
Command: show errdisable detect
Purpose: Verify your entries.

Step 8
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

This is the IEEE 802.1x AAA process:

Step 1
A user connects to a port on the switch.

Step 2
Authentication is performed.

Step 3
VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.

Step 4
The switch sends a start message to an accounting server.

Step 5
Re-authentication is performed, as necessary.

Step 6
The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.

Step 7
The user disconnects from the port.
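The following configuration session is an added example and is not taken from this guide: it carries the per-VLAN error-disable procedure above through end to end and, in the same session, enables the AAA pieces the process description depends on (authentication, network authorization for per-user VLAN/ACL assignment, and start-stop accounting with interim updates). The RADIUS server address 192.0.2.10, the key placeholder, the recovery interval, the VLAN number 10 and the use of port gigabitethernet1/0/13 are assumptions chosen for illustration; the command names themselves are standard IOS commands.

```cisco
! Added example (not from the Cisco guide). Assumed values: RADIUS server
! 192.0.2.10, shared-secret placeholder, access VLAN 10, port gi1/0/13.
Switch# configure terminal

! --- AAA: required before 802.1x can authenticate anyone ---
Switch(config)# aaa new-model
! Method list for 802.1x: query the RADIUS server group.
Switch(config)# aaa authentication dot1x default group radius
! Network authorization is what allows per-user ACL and VLAN assignment
! returned by the RADIUS server to be applied to the port.
Switch(config)# aaa authorization network default group radius
! Start-stop accounting gives the start message on connect and the stop
! message on disconnect; newinfo adds the interim update after re-auth.
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# aaa accounting update newinfo
Switch(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
Switch(config)# dot1x system-auth-control

! --- Per-VLAN error disable (Steps 2 and 3 of the table) ---
! With "shutdown vlan", only the offending VLAN is disabled, so other
! VLANs on a multi-VLAN port keep working while the violation is examined.
Switch(config)# errdisable detect cause security-violation shutdown vlan
! Automatic recovery so a transient violation does not need manual
! intervention; 300 seconds is an assumed value.
Switch(config)# errdisable recovery cause security-violation
Switch(config)# errdisable recovery interval 300

! --- Enable 802.1x on the access port ---
Switch(config)# interface gigabitethernet1/0/13
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

! Verify (Step 7) and save (Step 8).
Switch# show errdisable detect
Switch# copy running-config startup-config

! Manual recovery of a single VLAN on the port (Step 4), if a violation
! has already disabled VLAN 10 and you do not want to wait for the timer.
Switch# clear errdisable interface gigabitethernet1/0/13 vlan 10
```

Operationally, keep the recovery interval long enough that a repeating violation is noticed before the VLAN silently cycles back up, and pair it with logging of the error-disable events so the accounting start/interim/stop records can be correlated with the port state changes.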
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide, OL-8915-03