Upgrading from a Previous Software Release; Configuring IEEE 802.1x Authentication - Cisco 3750G - Catalyst Integrated Wireless LAN Controller Configuration Manual

Software configuration guide

Configuring IEEE 802.1x Authentication

Upgrading from a Previous Software Release

In Cisco IOS Release 12.1(14)EA1, the implementation for IEEE 802.1x authentication changed from
the previous release. Some global configuration commands became interface configuration commands,
and new commands were added.

If you have IEEE 802.1x authentication configured on the switch and you upgrade to Cisco IOS Release
12.1(14)EA1 or later, the configuration file will not contain the new commands, and IEEE 802.1x
authentication will not operate. After the upgrade is complete, make sure to globally enable IEEE 802.1x
authentication by using the dot1x system-auth-control global configuration command. If IEEE 802.1x
authentication was running in multiple-hosts mode on a port in the previous release, make sure to
reconfigure it by using the dot1x host-mode multi-host interface configuration command.

In Cisco IOS Release 12.2(25)SEE, the implementation for IEEE 802.1x authentication changed from
the previous releases. When IEEE 802.1x authentication is enabled, information about Port Fast is no
longer added to the configuration and this information appears in the running configuration:

dot1x pae authenticator

Configuring IEEE 802.1x Authentication

To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and
accounting (AAA) and specify the authentication method list. A method list describes the sequence and
authentication method to be queried to authenticate a user.

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the
switch for all network-related service requests.

This is the IEEE 802.1x AAA process:

Step 1  A user connects to a port on the switch.
Step 2  Authentication is performed.
Step 3  VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4  The switch sends a start message to an accounting server.
Step 5  Re-authentication is performed, as necessary.
Step 6  The switch sends an interim accounting update to the accounting server that is based on the
        result of re-authentication.
Step 7  The user disconnects from the port.
Step 8  The switch sends a stop message to the accounting server.
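
An added example (not from the Cisco guide): a Python check over a saved configuration for the upgrade caveat and the AAA prerequisites described above. The sample configuration is constructed, the finding codes are hypothetical, and `dot1x port-control auto`, `aaa new-model`, `aaa authentication dot1x` and `aaa authorization network` are standard IOS commands not quoted in this excerpt; the ports that ran multiple-hosts mode before the upgrade are supplied by the operator.

```python
import re

def parse_ios_config(text):
    """Split a saved IOS config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace():  # indented line: belongs to the block opened above
            if current is not None:
                interfaces.setdefault(current, []).append(cmd)
            continue
        m = re.match(r"interface\s+(\S+)", cmd)
        current = m.group(1) if m else None
        if current is None:
            global_cmds.append(cmd)
    return global_cmds, interfaces

def audit_dot1x(text, multi_host_ports=()):
    """Return (code, message) findings; codes are hypothetical labels for this example."""
    global_cmds, interfaces = parse_ios_config(text)
    ports = [n for n, c in interfaces.items() if any(x.startswith("dot1x ") for x in c)]
    findings = []
    if ports and "dot1x system-auth-control" not in global_cmds:
        findings.append(("GLOBAL-OFF", "802.1x will not operate on " + ", ".join(ports)))
    if ports and "aaa new-model" not in global_cmds:
        findings.append(("NO-AAA", "AAA is not enabled"))
    if ports and not any(g.startswith("aaa authentication dot1x ") for g in global_cmds):
        findings.append(("NO-METHOD-LIST", "no 802.1x authentication method list"))
    if ports and not any(g.startswith("aaa authorization network ") for g in global_cmds):
        findings.append(("NO-AUTHZ", "per-user ACLs and VLAN assignment unavailable"))
    for port in multi_host_ports:  # ports the operator knows ran multiple-hosts mode
        if "dot1x host-mode multi-host" not in interfaces.get(port, []):
            findings.append(("HOST-MODE", port + " lacks dot1x host-mode multi-host"))
    return findings

# Constructed sample: 802.1x ports present, post-upgrade commands absent.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
interface GigabitEthernet1/0/1
 dot1x port-control auto
!
interface GigabitEthernet1/0/2
 dot1x port-control auto
"""

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE, ["GigabitEthernet1/0/2"]))
```

An empty result only means none of these specific gaps were found in the saved file; it does not show that the RADIUS server or the method list is working.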

In Cisco IOS Release 12.2(35)SE and later, you can configure a timeout period for hosts that are
connected by MAC authentication bypass but are inactive. The range is 1-65535 seconds. You must
enable port security before configuring a timeout value. For more information, see the
"Configuring Port Security" section on page 25-8.

Catalyst 3750 Switch Software Configuration Guide, OL-8550-02
Chapter 10: Configuring IEEE 802.1x Port-Based Authentication
