Cisco Catalyst 3850 Manual page 80

Securing Access Using 802.1x on a wired LAN
Set the timers on the appropriate interfaces.
Step 3
These timers and variables control IEEE 802.1x authenticator operations when end devices stop
functioning during authentication.
Begin in interface configuration mode.
dot1x timeout supp-timeout
dot1x max-req
Reference
For detailed information about the IEEE 802.1x timers and variables, see the
Guide.
Enable MAC authentication bypass (MAB) from interface configuration mode to authenticate
Step 4
supplicants that do not support IEEE 802.1x authentication.
When MAB is enabled, the switch uses the MAC address of the device as its identity. The authentication
has a database of MAC addresses that are allowed network access.
We recommend that you enable MAB to support non-802.1x-compliant devices. MAB also is an
alternate authentication method when end devices fail IEEE 802.1x authentication due to restricted ACL
access.
Begin in interface configuration mode.
mab
Configure IEEE 802.1x on the appropriate interfaces.
Step 5
When you configure an IEEE 802.1x parameter on a port, a dot1x authenticator is automatically created
on the port. When that occurs, the dot1x pae authenticator command must also be configured to ensure
that the dot1x authentication will work on legacy configurations.
Begin in interface configuration mode:
authentication port-control auto
dot1x pae authenticator
Step 6 Enable access control and IEEE 802.1x authentications.
Begin in global configuration mode.
Enable new access control
!
!
aaa new-model
!
!Set authentication list for 802.1x
!
aaa authentication dot1x default group radius
!
!Enable 802.1x authentication
!
dot1x system-auth-control
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
70
30
2
Access Control on the Wired Network
Wired 802.1x Deployment