Configuration Guide Vol. 2


12.2.2 Setting Fixed VLAN Mode

The following figure shows a sample configuration for multi-step authentication in fixed VLAN mode.

Figure 12-2: Configuration example for multi-step authentication in fixed VLAN mode

[Figure Data]

In this example, a PC and a printer connect to the same basic multi-step authentication port. The PC performs multi-step authentication (MAC authentication and IEEE802.1X authentication), and the printer performs single authentication (MAC authentication only). Both the PC and the printer obtain their IP addresses from a DHCP server.

Points to note

In this example, the following items are set for the port subject to authentication:

  • Configuring VLANs

  • Configuring the IEEE802.1X authentication method

  • Configuring access ports and VLANs

  • Configuring terminal authentication (MAC authentication)

  • Configuring user authentication (IEEE802.1X authentication)

  • Configuring multi-step authentication ports

  • Configuring the authentication-only IPv4 access list

For the settings required for IEEE802.1X authentication, see "7 IEEE802.1X Settings and Operation." For the settings required for MAC authentication, see "11 MAC Authentication Settings and Operation."

Command examples

  1. (config)# vlan 20

    (config-vlan)# exit

    Configures VLAN 20, which is used for communication both before and after authentication.

  2. (config)# aaa authentication dot1x default group radius

    (config)# aaa authentication mac-authentication default group radius

    Set the authentication method for IEEE802.1X authentication and MAC authentication to RADIUS authentication.

  3. (config)# interface gigabitethernet 1/0/1

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 20

    Sets port 1/0/1 as an access port and assigns VLAN 20 to it.

  4. (config-if)# mac-authentication port

    (config-if)# dot1x port-control auto

    (config-if)# dot1x multiple-authentication

    (config-if)# dot1x supplicant-detection auto

    (config-if)# authentication multi-step

    Enables MAC authentication, IEEE802.1X authentication, and multi-step authentication (without the user authentication option) on port 1/0/1.

  5. (config-if)# authentication ip access-group L2-AUTH

    (config-if)# authentication arp-relay

    (config-if)# exit

    Applies the authentication-only IPv4 access list L2-AUTH to frames from the PC and the printer on port 1/0/1 before they are authenticated. Also enables forwarding of ARP frames from unauthenticated terminals.

  6. (config)# ip access-list extended L2-AUTH

    (config-ext-nacl)# permit udp any any eq bootps

    (config-ext-nacl)# exit

    Defines the authentication-only IPv4 access list L2-AUTH so that DHCP frames (bootps) from the PC and the printer are forwarded before authentication, allowing both terminals to obtain an IP address from the DHCP server prior to authentication.
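Steps 1 to 6 only work as a whole: the access VLAN must exist, both authenticators must point at RADIUS, the port must carry the MAC, 802.1X and multi-step commands, and the authentication-only access list must admit DHCP and nothing more, since anything that list permits is reachable by terminals that have not yet authenticated. The following script is an added example, not part of the configuration guide or the vendor's software. It parses a constructed saved-configuration fragment assembled from the six steps above (the command syntax is the guide's; the parser, the check names and the sample text are this example's own assumptions) and reports settings that would leave the port either unable to hand out addresses before authentication or more open than intended.

```python
"""Consistency check for a multi-step authentication port in fixed VLAN mode.

Added example, not from the configuration guide. The parser and the check
names are assumptions of this example; command syntax follows the guide."""
import re

# Constructed sample: steps 1 to 6 of the guide as a saved configuration.
SAMPLE_CONFIG = """\
vlan 20
!
aaa authentication dot1x default group radius
aaa authentication mac-authentication default group radius
!
interface gigabitethernet 1/0/1
  switchport mode access
  switchport access vlan 20
  mac-authentication port
  dot1x port-control auto
  dot1x multiple-authentication
  dot1x supplicant-detection auto
  authentication multi-step
  authentication ip access-group L2-AUTH
  authentication arp-relay
!
ip access-list extended L2-AUTH
  permit udp any any eq bootps
!
"""

# Constructed variant: the pre-authentication list opened up to all IP traffic.
WEAK_CONFIG = SAMPLE_CONFIG.replace("permit udp any any eq bootps", "permit ip any any")

# Commands every multi-step authentication port in this design must carry.
REQUIRED_PORT_COMMANDS = (
    "switchport mode access",
    "mac-authentication port",
    "dot1x port-control auto",
    "authentication multi-step",
)


def parse_config(text):
    """Split a config into global lines, interface blocks and extended ACLs.

    An unindented line ends the current block; '!' separators are ignored."""
    cfg = {"global": [], "interfaces": {}, "acls": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = None
            for kind, pattern in (("interfaces", r"interface (\S+ \S+)$"),
                                  ("acls", r"ip access-list extended (\S+)$")):
                m = re.match(pattern, line)
                if m:
                    section = (kind, m.group(1))
                    cfg[kind][m.group(1)] = []
            if section is None:
                cfg["global"].append(line)
            continue
        if section is not None:
            kind, name = section
            cfg[kind][name].append(line)
    return cfg


def first_arg(lines, pattern):
    """Return the captured argument of the first line matching pattern, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def check_preauth_acl(cfg, name):
    """The authentication-only list should admit DHCP (bootps) and nothing else."""
    entries = cfg["acls"].get(name)
    if entries is None:
        return [f"access list {name} is applied but not defined"]
    findings = []
    permits_dhcp = False
    for entry in entries:
        if entry.startswith("permit udp ") and entry.endswith(" eq bootps"):
            permits_dhcp = True
        elif entry.startswith("permit "):
            # Unauthenticated terminals can reach whatever this entry admits.
            findings.append(f"access list {name} admits '{entry}' before authentication")
    if not permits_dhcp:
        findings.append(f"access list {name} does not permit DHCP (udp bootps); "
                        "terminals cannot obtain addresses before authentication")
    return findings


def check_port(cfg, ifname):
    """Findings for one interface configured as a multi-step authentication port."""
    lines = cfg["interfaces"][ifname]
    findings = [f"missing '{c}'" for c in REQUIRED_PORT_COMMANDS if c not in lines]
    vlan = first_arg(lines, r"switchport access vlan (\d+)$")
    if vlan is None:
        findings.append("no access VLAN set")
    elif f"vlan {vlan}" not in cfg["global"]:
        findings.append(f"access VLAN {vlan} is not defined")
    acl = first_arg(lines, r"authentication ip access-group (\S+)$")
    if acl is None:
        findings.append("no authentication IPv4 access list applied")
    else:
        findings.extend(check_preauth_acl(cfg, acl))
    if "authentication arp-relay" not in lines:
        findings.append("ARP frames from unauthenticated terminals are not forwarded")
    return [f"{ifname}: {f}" for f in findings]


def audit(text):
    """Check the global AAA settings and every multi-step authentication port."""
    cfg = parse_config(text)
    findings = []
    for method in ("dot1x", "mac-authentication"):
        if f"aaa authentication {method} default group radius" not in cfg["global"]:
            findings.append(f"global: {method} authentication method is not RADIUS")
    for ifname, lines in cfg["interfaces"].items():
        if "authentication multi-step" in lines:
            findings.extend(check_port(cfg, ifname))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Run against the sample built from the guide, `audit` returns no findings; against the variant whose access list permits all IP traffic it reports both the overly broad entry and the absence of a DHCP permit. Feeding it a real saved configuration only requires that interface and access-list blocks be indented under their heading lines, as in the sample.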