Catalyst switches can support port-based authentication, a combination of AAA authentication and port security. This feature is based on the IEEE 802.1X standard. When it is enabled, a switch port will not pass any traffic until a user has authenticated with the switch. If authentication is successful, the user can use the port normally.
For port-based authentication both the switch and the user's PC must support the 802.1X standard, using the Extensible Authentication Protocol over LANs (EAPOL).
The 802.1X standard is a cooperative effort between the client and the switch offering network service. If the client PC is configured to use 802.1X but the switch does not support it, the PC abandons the protocol and communicates normally. However, if the switch is configured with 802.1X but the PC does not support it, the switch port remains in the unauthorized state, so it will not forward any traffic to the client PC. 802.1X is a layer 2 protocol.
802.1x configuration
Authentication can be handled by one or more RADIUS servers. Most Catalyst switches support 802.1X.
Enable AAA authentication:
Switch(config)# aaa new-model

Define the external RADIUS server and its shared key:
Switch(config)# radius-server host <hostname/ip address> key <key-string>

Enable 802.1X globally on the switch:
Switch(config)# dot1x system-auth-control

Define the authentication method for 802.1X:
Switch(config)# aaa authentication dot1x default group radius

Configure each switch port that will use 802.1X (the port must be an access port):
Switch(config-if)# dot1x port-control <force-authorized/force-unauthorized/auto>

Allow multiple hosts on a switch port:
Switch(config-if)# dot1x host-mode multi-host
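The steps above combined into one complete configuration, as an added example that is not part of the original post. The RADIUS server address 10.0.0.5, the shared secret S3cretKey, and the interface numbers are placeholders chosen for illustration; comments use the IOS "!" comment marker.

```cisco
! Global AAA and RADIUS setup
aaa new-model
! External RADIUS server (placeholder address and shared secret)
radius-server host 10.0.0.5 key S3cretKey
! Use the RADIUS group as the 802.1X authentication method
aaa authentication dot1x default group radius
! Turn on 802.1X globally; without this the per-port commands have no effect
dot1x system-auth-control
!
! Access port for a single user PC: traffic is forwarded only after a
! successful EAP exchange with the RADIUS server
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
!
! Port behind a hub: once the first host authenticates, any other host
! on the port is also allowed through
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
! Uplink deliberately excluded from 802.1X: behaves as a normal port
interface GigabitEthernet0/24
 dot1x port-control force-authorized
```

After applying this, "show dot1x all" and "show dot1x interface GigabitEthernet0/1" report the port-control setting and whether each port is currently authorized or unauthorized. Note the trade-off in multi-host mode: only the first host on the port is authenticated, so every other device on that hub shares its authorization, and if the authenticated host logs off the port returns to the unauthorized state for all of them. Ports left at force-authorized never challenge the client, so keep that setting only for ports that must not run 802.1X, such as uplinks.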