Catalyst switches can support port-based authentication, a combination of AAA authentication and port security. This feature is based on the IEEE 802.1X standard. When it is enabled, a switch port will not pass any traffic until a user has authenticated with the switch. If authentication is successful, the user can use the port normally.
For port-based authentication, both the switch and the user's PC must support the 802.1x standard, using the Extensible Authentication Protocol over LANs (EAPOL).
The 802.1x standard is a cooperative effort between the client and the switch offering network service. If the client PC is configured to use 802.1x but the switch does not support it, the PC abandons the protocol and communicates normally. However, if the switch is configured with 802.1x but the PC does not support it, the switch port remains in the unauthorized state so that it will not forward any traffic to the client PC.
802.1x is a Layer 2 protocol.
Authentication can be handled by one or more RADIUS servers. Most Catalyst switches support 802.1x.
Enable AAA authentication:
Switch(config)# aaa new-model
For an external RADIUS server:
Switch(config)# radius-server host <hostname/ip address> key <key-string>
Enable 802.1x on the switch
Define the authentication method for 802.1x:
Switch(config)# aaa authentication dot1x default group radius
Configure each switch port that will use 802.1x:
Switch(config-if)# dot1x port-control <force-authorized/force-unauthorized/auto>
Allow multiple hosts on a switch port:
Switch(config-if)# dot1x host-mode multi-host
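To check that a switch actually enforces the steps above, the following added example (not part of the original page or any Cisco tool) audits a running-config for them. It assumes the classic `dot1x` interface syntax used on this page, also checks for the global `dot1x system-auth-control` command, which the page does not show, and runs against a constructed sample config; the function and variable names are hypothetical.

```python
import re

# Constructed sample running-config (not from the page); it omits the global
# enable command and has weak port settings so the audit has findings.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x port-control force-authorized
!
"""

GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model\s*$",
    "radius-server host": r"^radius-server host \S+",
    "aaa authentication dot1x": r"^aaa authentication dot1x \S+ ",
    # Global 802.1x enable in IOS; known command, not shown on the page.
    "dot1x system-auth-control": r"^dot1x system-auth-control\s*$",
}

def audit_dot1x(config):
    """Return (scope, finding) tuples for an IOS running-config text."""
    findings = [("global", "missing: " + name)
                for name, pat in GLOBAL_REQUIRED.items()
                if not re.search(pat, config, re.M)]
    # An interface stanza is its header line plus the indented lines below it.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        port, body = m.groups()
        if "switchport mode access" not in body:
            continue  # this sketch audits access ports only
        mode = re.search(r"^\s+dot1x port-control (\S+)", body, re.M)
        # No port-control line means the IOS default, force-authorized.
        state = mode.group(1) if mode else "force-authorized"
        if state != "auto":
            findings.append((port, "port-control is " + state + ", not auto"))
        if re.search(r"^\s+dot1x host-mode multi-host", body, re.M):
            findings.append((port, "multi-host: one login opens port to all"))
    return findings
```

Calling `audit_dot1x(SAMPLE_CONFIG)` reports the missing global enable, the `force-authorized` port, and the multi-host port, where a single successful authentication admits every host attached to that port.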