Configuring 802.1X
802.1X overview
802.1X architecture
Access control methods
Packet formats
EAP over RADIUS
802.1X timers
Configuration prerequisites
Configuring 802.1X globally
Configuring 802.1X on a port
Configuring an Auth-Fail VLAN
802.1X configuration examples
Configuring AAA
Overview
AAA application
Domain-based user management
Configuration prerequisites
Configuring an ISP domain
AAA configuration example
Configuring RADIUS
Overview
Client/server model
RADIUS packet format
Extended RADIUS attributes
Protocols and standards
Configuring a RADIUS scheme
Configuring common parameters
Adding RADIUS servers
RADIUS configuration example
Configuration guidelines
Configuring users
Configuring a local user
Configuring a user group
Managing certificates
Overview
PKI terms
PKI architecture
How PKI works