Configuring 802.1X ··············································································································································· 321

802.1X overview ························································································································································· 321

802.1X architecture ············································································································································ 321

Access control methods ······································································································································ 321

Controlled/uncontrolled port and port authorization status ··········································································· 322

Packet formats ······················································································································································ 322

EAP over RADIUS ················································································································································ 323

Initiating 802.1X authentication ························································································································ 324

802.1X authentication procedures ···················································································································· 325

802.1X timers ······················································································································································ 328

Using 802.1X authentication with other features ···························································································· 329

Configuration prerequisites ········································································································································· 331

Recommended configuration procedure···················································································································· 332

Configuring 802.1X globally ····································································································································· 332

Configuring 802.1X on a port ··································································································································· 333

Configuring an 802.1X guest VLAN ················································································································· 335

Configuring an Auth-Fail VLAN ························································································································· 336

802.1X configuration examples ································································································································· 336

MAC-based 802.1X configuration example ···································································································· 336

802.X with ACL assignment configuration example ······················································································· 343

Configuring AAA ···················································································································································· 352

Overview ······································································································································································· 352

AAA application ·················································································································································· 352

Domain-based user management ······················································································································ 353

Recommended configuration procedure ··········································································································· 353

Configuring an ISP domain ································································································································ 354

Configuring authentication methods for the ISP domain ················································································· 355

Configuring authorization methods for the ISP domain ·················································································· 356

Configuring accounting methods for the ISP domain ······················································································ 357

AAA configuration example ······································································································································· 359

Configuring RADIUS ··············································································································································· 363

Client/server model ············································································································································ 363

Security and authentication mechanisms ·········································································································· 364

Basic RADIUS message exchange process ······································································································ 364

RADIUS packet format ········································································································································ 365

Extended RADIUS attributes ······························································································································· 367

Protocols and standards ····································································································································· 368

Configuring a RADIUS scheme ··································································································································· 368

Configuring common parameters ······················································································································ 369

Adding RADIUS servers ······································································································································ 373

RADIUS configuration example ·································································································································· 374

Configuration guidelines ············································································································································· 378

Configuring users ···················································································································································· 380

Configuring a local user ·············································································································································· 380

Configuring a user group ············································································································································ 382

Managing certificates ············································································································································· 384

PKI terms ······························································································································································· 384

PKI architecture ···················································································································································· 384

How PKI works ····················································································································································· 385

viii

Table of Contents