Specifications

ManualsBrandsCisco ManualsComputer equipment2970 - Catalyst Switch

201

202

203

204

205

206

207

208

209

210

8-13

Catalyst 2970 Switch Software Configuration Guide

78-15462-03

Chapter 8 Configuring 802.1X Port-Based Authentication

Configuring 802.1X Authentication

To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA

authentication, use the no aaa authentication dot1x {default | list-name} global configuration

command. To disable 802.1X AAA authorization, use the no aaa authorization global configuration

command. To disable 802.1X authentication on the switch, use the no dot1x system-auth-control global

configuration command.

This example shows how to enable AAA and 802.1X on Gigabit Ethernet port 0/1:

Switch# configure terminal

Switch(config)# aaa new-model

Switch(config)# aaa authentication dot1x default group radius

Switch(config)# dot1x system-auth-control

Switch(config)# interface gigabitethernet0/1

Switch(config)# switchport mode access

Switch(config-if)# dot1x port-control auto

Switch(config-if)# end

Configuring the Switch-to-RADIUS-Server Communication

RADIUS security servers are identified by their host name or IP address, host name and specific UDP

port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP

port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP

ports on a server at the same IP address. If two different host entries on the same RADIUS server are

configured for the same service—for example, authentication—the second host entry configured acts as

the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were

configured.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on

the switch. This procedure is required.

Step 5

aaa authorization network {default}

group radius

(Optional) Configure the switch for user RADIUS authorization for all

network-related service requests, such as per-user ACLs or VLAN

assignment.

Note For per-user ACLs, single-host mode must be configured. This

setting is the default.

Step 6

interface interface-id Enter interface configuration mode, and specify the interface connected to

the client that is to be enabled for 802.1X authentication.

Step 7

dot1x port-control auto Enable 802.1X authentication on the interface.

For feature interaction information, see the “802.1X Configuration

Guidelines” section on page 8-11.

Step 8

end Return to privileged EXEC mode.

Step 9

show dot1x Verify your entries.

Step 10

copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose