Specifications

Authentication Configuration Example
April 15, 2011 Page 32 of 36
Configuring the Engineering Group 802.1x End-User Stations
There are three aspects to configuring 802.1x for the engineering group:
• Configure EAP on each end-user station.
• Set up an account in RADIUS on the authentication server for each end-user station.
• Configure 802.1x on the switch.
Configuring EAP on the end-user station and setting up the RADIUS account for each station is dependent upon your operating system and the RADIUS application being used, respectively. The important thing the network administrator should keep in mind is that these two configurations should be in place before moving on to the 802.1x configuration on the switch. In an 802.1x configuration, policy is specified in the RADIUS account configuration on the authentication server using the RADIUS Filter-ID. See The RADIUS Filter-ID on page 9 for RADIUS Filter-ID information. If a RADIUS Filter-ID exists for the user account, the RADIUS protocol returns it in the RADIUS Accept message and the firmware applies the policy to the user.
The following CLI input:
• Enables EAP on the stackable fixed switch
C3(rw)->set eapol enable
• Enables 802.1x on the switch
• Sets port-control to forced-auth for all connections between switches and routers, because they do not use authentication and would be blocked if not set to forced-auth.
System(rw)->set dot1x enable
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.5
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.19
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.2.24
This completes the 802.1x end-user stations configuration.
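A forced-auth port passes traffic without 802.1x authentication, so the set of forced-auth ports should match the known switch and router links exactly. The following check is an added example, not part of the original guide or of the switch firmware: it parses the command form shown above and reports ports that bypass authentication unexpectedly and uplinks that would be blocked. The port inventory, the uplink list, and the extra ge.1.7 line are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches the port-control command form shown above, with or without a prompt.
CMD = re.compile(r"set dot1x auth-config authcontrolled-portcontrol (\S+) (\S+)\s*$")

def port_control_modes(config_text, all_ports):
    """Return {port: mode}. Globally enabling 802.1x sets every port to
    'auto'; explicit port-control commands override that default."""
    lines = [line.strip() for line in config_text.splitlines()]
    if not any(line.endswith("set dot1x enable") for line in lines):
        return {}  # 802.1x not enabled, so no port-control is enforced
    modes = {port: "auto" for port in all_ports}
    for line in lines:
        match = CMD.search(line)
        if match:
            modes[match.group(2)] = match.group(1)
    return modes

def audit(config_text, all_ports, uplinks):
    """Compare forced-auth ports against the approved uplink list."""
    modes = port_control_modes(config_text, all_ports)
    return {
        # forced-auth on a port that is not an approved uplink: 802.1x bypass
        "bypass": sorted(p for p, m in modes.items()
                         if m == "forced-auth" and p not in uplinks),
        # approved uplink left in another mode: it cannot authenticate, so blocked
        "blocked": sorted(p for p in uplinks
                          if p in modes and modes[p] != "forced-auth"),
    }

# Constructed sample: ge.2.24 was forgotten and ge.1.7 was added by mistake.
SAMPLE = """\
C3(rw)->set eapol enable
System(rw)->set dot1x enable
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.5
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.19
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.7
"""
ALL_PORTS = ["ge.1.1", "ge.1.5", "ge.1.7", "ge.1.19", "ge.2.24"]  # assumed inventory
UPLINKS = {"ge.1.5", "ge.1.19", "ge.2.24"}  # switch/router links from the example

if __name__ == "__main__":
    print(audit(SAMPLE, ALL_PORTS, UPLINKS))
```

Ports that use another authentication method instead of 802.1x are outside what this check models; it only covers the forced-auth exception list.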
Configuring the Engineering Group Siemens CEP Devices
If a Siemens phone is inserted into a port enabled for Siemens CEP, the firmware detects communication on UDP/TCP port 4060. Use policy manager to configure a policy with a VLAN, CoS, and rate limit appropriate to VoIP. See the QoS Feature Guide Configuration Example section at: https://extranet.enterasys.com/downloads for a QoS VoIP policy configuration example. Once an existing policy is configured, the set cep policy command can be used to apply the policy.
Note: Globally enabling 802.1x on a switch sets the port-control type to auto for all ports. Be sure to
set port-control to forced-auth on all ports that will not be authenticating using 802.1x and on which no
other authentication method is configured. Otherwise these ports will fail authentication and traffic will be
blocked.
Note: CEP is supported on the modular switch platforms. Stackable fixed switch platforms
authenticate IP phone devices using either 802.1x or MAC authentication. 802.1x is used in this
stackable fixed switch authentication example for the IP phone implementation.