Using 802.1X Authentication With Port Security - Cisco WS-C2948G-GE-TX Configuration Manual


Chapter 31
Configuring 802.1x Authentication
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX (78-15908-01)

Understanding How 802.1x Authentication Works

• If you clear an 802.1x-configured module's configuration, all the 802.1x ports are moved to the NVRAM-configured VLAN and all the EARL entries for the 802.1x ports are cleared.
• If you move an 802.1x port from an authorized to an unauthorized state, the server moves the port to the NVRAM-configured VLAN.

In order for the 802.1x VLAN assignment using a RADIUS server to successfully complete, the RADIUS server must return the following three RFC 2868 attributes back to the authenticator (the Cisco switch to which the host attaches):

• [64] Tunnel-Type = VLAN
• [65] Tunnel-Medium-Type = 802
• [81] Tunnel-Private-Group-Id = VLAN NAME

Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name in which the successfully authenticated 802.1x host should be put.

Note: You must specify the VLAN by its name and not by its number.

Using 802.1x Authentication with Port Security

802.1x authentication is compatible with the port security feature. (See Chapter 16, "Configuring Port Security" for information on configuring ports to allow or restrict traffic that is based on host MAC addresses.) If you enable port security for only one MAC address on a specific port, the RADIUS server authenticates only that MAC address. Users that are connected through all other MAC addresses are denied access. If you enable port security for multiple MAC addresses, the 802.1x RADIUS server authenticates each address.

To configure authentication for multiple hosts using port security, make sure that the 802.1x multiple-host keyword is enabled first. For information on configuring multiple host authentication, see the "Enabling Multiple Hosts" section on page 31-13.

Note: When 802.1x authentication and port security are enabled on any 802.1x port, the 802.1x authentication takes precedence over the port security on the port. The host is authenticated first and then is secured by port security.

You can enable port security for any 802.1x mode (single-authentication, multiple-host, or multiple-authentication modes). Only one mode can be enabled on a port at a time. The default port mode is single-authentication mode.

You can disable port security for single-authentication and multiple-host modes. You cannot disable port security for multiple-authentication mode.

Note: You cannot disable port security if the 802.1x multiple-authentication keyword is also enabled on that port.
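The VLAN-assignment requirement above (attributes [64], [65] and [81]) can be checked against a captured Access-Accept before blaming the switch. The following is an added example, not code from the Cisco guide: it decodes the attributes with the RFC 2868 tag-octet layout and reports which one is missing or wrong. The helper names, the sample VLAN name `engineering`, and the packets are constructed for illustration; it assumes a single set of tunnel attributes and does not verify the RADIUS authenticator.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values the page requires in [64] and [65]

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(*attrs):
    """Constructed Access-Accept (code 2); the zeroed authenticator is demo-only."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    out, pos = {}, 20
    while pos < len(packet):
        if len(packet) - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        out[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return out

def vlan_assignment(packet):
    """Return the assigned VLAN name, or raise ValueError saying what is wrong."""
    attrs = parse_attrs(packet)
    for atype, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        raw = attrs.get(atype)
        # RFC 2868: one tag octet followed by a 3-octet value.
        if raw is None or len(raw) != 4 or int.from_bytes(raw[1:], "big") != want:
            raise ValueError(f"attribute [{atype}] missing or not {want}")
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # RFC 2868: a first octet of 0x1F or less is a tag, not part of the string.
    name = (raw[1:] if raw and raw[0] <= 0x1F else raw).decode("ascii")
    if not name:
        raise ValueError("attribute [81] missing or empty")
    if name.isdigit():  # heuristic: the page requires a VLAN name, not a number
        raise ValueError("attribute [81] looks like a VLAN number")
    return name

TYPE_OK, MEDIUM_OK = attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06")
GOOD = build_accept(TYPE_OK, MEDIUM_OK, attr(81, b"engineering"))  # constructed
NUMERIC = build_accept(TYPE_OK, MEDIUM_OK, attr(81, b"20"))        # constructed

if __name__ == "__main__":
    print(vlan_assignment(GOOD))
```
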
