CHAPTER 7
Campus Network Security
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Port-Based Authentication
802.1x authentication requires a computer (called a client) to be authenticated before it is allowed access to the LAN.
This can be combined with port security to enable only authenticated clients with specified MAC addresses to access a
port. When a computer connects to a switch port configured for 802.1x authentication, it follows these steps:
Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests authentication or the client sends an EAPOL frame
to begin authentication.
Step 3. The switch relays authentication information between the client and a RADIUS server, acting as a proxy for
the client.
Step 4. If authentication succeeds, the port transitions to the authorized state, and normal LAN traffic is allowed
through it.
Table 7-2 shows commands to configure 802.1x authentication on a switch.
Table 7-2 Configuring 802.1x Port Authentication

Command                                                   Description
(config)#aaa new-model                                    Enables AAA on the switch
(config)#aaa authentication dot1x default group radius    Creates a AAA method list that says to use 802.1x
                                                          authentication by default, using a RADIUS server
                                                          (configured separately)
(config)#dot1x system-auth-control                        Globally enables 802.1x authentication on the switch
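The following configuration is an added illustration, not taken from the book, that ties the global commands in Table 7-2 to one access port running 802.1x together with port security (the combination the text describes). The RADIUS server address, shared key, VLAN and interface name are assumed placeholders; the interface-level dot1x port-control auto command is the standard IOS command that puts the port into the unauthorized state of Step 1.

```cisco
! Added example (not from the book): global AAA/802.1x plus port security on one access port.
! Assumed values: RADIUS server 10.1.1.5, key RADIUS_KEY_PLACEHOLDER, VLAN 10, FastEthernet0/1.
aaa new-model
radius-server host 10.1.1.5 auth-port 1812 key RADIUS_KEY_PLACEHOLDER
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port starts unauthorized; only EAPOL is forwarded until the RADIUS server accepts the client
 dot1x port-control auto
 ! Port security caps the authorized port at two learned (sticky) MAC addresses,
 ! matching the Maximum MAC Addresses : 2 seen in the show port-security output above
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Verification:
! show dot1x interface FastEthernet0/1
! show port-security interface FastEthernet0/1
```

With violation mode restrict, frames from a third MAC address are dropped and the Security Violation Count in show port-security interface increments, while the port itself stays up.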
[ 82 ]
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue