Configuring the Authenticated Identity-to-Port Description Mappings; Configuring the DNS Resolution for a RADIUS Server Configuration - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 40
Configuring 802.1X Authentication

Configuring the Authenticated Identity-to-Port Description Mappings

You can use authenticated identity-to-port description mapping to assign a port name to the 802.1X port
based on the information that is received from the RADIUS server. This feature uses an AV-pair
"Supplicant Name" to uniquely assign a port name for an authenticated user. Currently, there is support
only for the Cisco-supported AV-pairs that are sent from the authentication server; the other
vendor-specific AV-pairs are ignored.
Enter the show port dot1x name-mapping command to display the name of the port that is received
from the RADIUS server. If the switch receives an authenticated port name that is greater than or equal
to 20 characters, the name is truncated to 19 characters and a # sign is appended to the name (allowing
a total of 20 characters that is compatible with the set port name command). When you enter the set
port name command, the end result is the same as if you had used the authenticated identity-to-port
description mapping; the difference is that this feature assigns the name dynamically upon 802.1X
authentication. An example of a dynamically assigned port name is as follows:
Console> (enable) show port dot1x name-mapping 5/1
Port Port Name          802.1X Port Name
---- ------------------ ------------------
5/1  Cube-C1/2          User1

Configuring the DNS Resolution for a RADIUS Server Configuration

When you configure the DNS resolution for a RADIUS server, you can configure the RADIUS server
using a DNS name in addition to the IP addresses. The switch automatically resolves the DNS name
using a DNS server that is configured to associate a DNS name with an IP address. The configured DNS
name can coexist with the other IP addresses that are configured as primary or secondary. The DNS name
is stored in NVRAM. You must enable the RADIUS keepalive feature for the DNS resolution to work.
DNS resolution allows you to modify the IP address of the RADIUS server transparently without the
knowledge of the switch. The switch can then resolve the DNS name with the modified IP address.
The switch resolves the DNS name a second time (reresolution) to the IP address during the initial
configuration of the DNS name, when 802.1X is disabled and enabled, during the 802.1X port
authentication, or if the request to the RADIUS server times out. The reresolution checks if the DNS
name-to-IP address mapping is changed on the DNS server side.
Enter the show config or show radius commands to display the DNS name if the DNS name is
configured in place of an IP address for the RADIUS server. You can configure a maximum of three
RADIUS servers. To display the configured RADIUS server parameters, enter the show radius
command as follows:
Console> (enable) show radius
RADIUS Deadtime:            0 minutes
RADIUS Key:                 cisco
RADIUS Retransmit:          2
RADIUS Timeout:             5 seconds
Framed-Ip Address Transmit: Disabled
RADIUS-Server                    Status  Auth-port Acct-port Resolved IP Address
-------------------------------- ------- --------- --------- -------------------
9.9.150.16                       primary 1812      1813
cat6k-sup2                               1812      1813      9.9.150.20
cat6k-sup3                               1812      1813      9.9.150.21
Console> (enable)

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
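Because a RADIUS server configured by DNS name follows whatever address the DNS server returns on each reresolution, the Resolved IP Address column of show radius is worth checking against the addresses you expect. The following is an added example, not part of the Cisco guide: it slices the server table by its dashed ruler (the Status and Resolved IP Address columns can be blank) and flags DNS-named servers whose resolved address is outside an allowlist. The sample output, the 9.9.150.99 address and the allowlist are constructed for illustration.

```python
import re

# Constructed sample modelled on the `show radius` table; 9.9.150.99 is made up.
SAMPLE = """\
RADIUS-Server                    Status  Auth-port Acct-port Resolved IP Address
-------------------------------- ------- --------- --------- -------------------
9.9.150.16                       primary 1812      1813
cat6k-sup2                               1812      1813      9.9.150.20
cat6k-sup3                               1812      1813      9.9.150.99
Console> (enable)
"""

KEYS = ("server", "status", "auth_port", "acct_port", "resolved_ip")
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_servers(output):
    """Slice rows by the dashed ruler, since Status and Resolved IP may be blank."""
    lines = output.splitlines()
    ruler = next(i for i, ln in enumerate(lines) if re.fullmatch(r"-+( -+)+", ln.strip()))
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip() or line.startswith("Console>"):
            break
        rows.append(dict(zip(KEYS, (line[a:b].strip() for a, b in spans))))
    return rows

def audit(rows, expected):
    """expected: hypothetical allowlist mapping DNS name -> set of permitted IPs."""
    findings = []
    for r in rows:
        if DOTTED_QUAD.fullmatch(r["server"]):
            continue  # configured by address, so no DNS dependency
        allowed = expected.get(r["server"])
        if allowed is None:
            findings.append((r["server"], "DNS-named server not in allowlist"))
        elif not r["resolved_ip"]:
            findings.append((r["server"], "name has no resolved address"))
        elif r["resolved_ip"] not in allowed:
            findings.append((r["server"], "resolved to unexpected " + r["resolved_ip"]))
    return findings

if __name__ == "__main__":
    expected = {"cat6k-sup2": {"9.9.150.20"}, "cat6k-sup3": {"9.9.150.21"}}
    print(audit(parse_servers(SAMPLE), expected))
```

Run it against show radius output collected from each switch on a schedule; a finding means the DNS name now points somewhere the allowlist does not cover.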


This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
