7.1.2 Basic IEEE 802.1X Settings
This section describes how to configure the basic IEEE 802.1X authentication modes.
(1) Setting to enable IEEE 802.1X
- Points to note
  Enable IEEE 802.1X authentication in global configuration mode. You cannot execute other IEEE 802.1X-related commands unless you execute this command first.
Command examples
- (config)# dot1x system-auth-control
  Enables IEEE 802.1X.
(2) Configuring port-based authentication
This step designates a physical port or channel group as an authenticating port.
- Points to note
  Configure a port as an access port, and then enable port-based authentication for the port. You then specify the authentication sub-mode. If you omit the authentication sub-mode setting, the port will operate in single-terminal mode.
Command examples
- (config)# interface gigabitethernet 1/0/1
  (config-if)# switchport mode access
  Places port 1/0/1 in access mode.
- (config-if)# dot1x multiple-authentication
  Specifies terminal authentication mode as the authentication sub-mode.
- (config-if)# dot1x port-control auto
  Enables port-based authentication.
(3) Configuring VLAN-based authentication (static)
This step designates a port VLAN as an authenticating VLAN.
- Points to note
  Set up a port VLAN, and then enable VLAN-based authentication (static) for that VLAN.
Command examples
- (config)# vlan 10
  (config-vlan)# state active
  (config-vlan)# exit
  Configures VLAN ID 10 as a port VLAN.
- (config)# dot1x vlan 10 enable
  Enables VLAN-based authentication (static) for VLAN ID 10.
(4) Configuring VLAN-based authentication (dynamic)
This step designates a MAC VLAN as an authenticating VLAN.
- Points to note
  Configure a MAC VLAN, and then enable VLAN-based authentication (dynamic) for that VLAN.
  Terminals that successfully undergo VLAN-based authentication (dynamic) obtain their VLAN membership via information sent by the RADIUS server. The aaa Authentication network default configuration command must be configured for this process to work.
Command examples
- (config)# vlan 100 mac-based
  (config-vlan)# name MACVLAN100
  (config-vlan)# state active
  (config-vlan)# exit
  Configures VLAN ID 100 as a MAC VLAN.
- (config)# dot1x vlan dynamic radius-vlan 100
  Specifies VLAN ID 100 as subject to VLAN-based authentication (dynamic).
- (config)# dot1x vlan dynamic enable
  Enables VLAN-based authentication (dynamic).
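The ordering and dependency rules in steps (1) to (4) can be checked against a planned command script before it is entered on the switch. The following is an added example, not part of the original manual or vendor tooling; it assumes the script uses the prompts exactly as printed in this section, and the function name, finding messages and sample are hypothetical. It does not check the aaa command that step (4) requires.

```python
import re
PROMPT = re.compile(r"^\((config(?:-[a-z]+)?)\)#\s+(.*\S)\s*$")
GLOBAL = "dot1x system-auth-control"
# Constructed sample: no global enable, no access mode, VLAN 10 never created.
SAMPLE = """\
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x port-control auto
(config)# dot1x vlan dynamic radius-vlan 10
"""

def audit_dot1x(script):
    """Return findings for a command script written with this section's prompts."""
    findings, ports, vlans, static, dynamic = [], {}, {}, [], []
    port, global_on, dynamic_on = None, False, False
    for raw in script.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # explanatory text or blank line
        mode, cmd = m.groups()
        if cmd.startswith("dot1x ") and cmd != GLOBAL and not global_on:
            findings.append(f"'{cmd}' entered before {GLOBAL}")
        if mode == "config-if" and port:
            ports.setdefault(port, set()).add(cmd)
        if mode != "config":
            continue  # config-if / config-vlan lines need nothing more
        port = None
        if cmd == GLOBAL:
            global_on = True
        elif cmd == "dot1x vlan dynamic enable":
            dynamic_on = True
        elif cmd.startswith("interface "):
            port = cmd.split(" ", 1)[1]
        elif v := re.fullmatch(r"vlan (\d+)( mac-based)?", cmd):
            vlans[v[1]] = bool(v[2])  # True when created as a MAC VLAN
        elif v := re.fullmatch(r"dot1x vlan (\d+) enable", cmd):
            static.append(v[1])
        elif v := re.fullmatch(r"dot1x vlan dynamic radius-vlan (\d+)", cmd):
            dynamic.append(v[1])
    for name, cmds in ports.items():
        if "dot1x port-control auto" in cmds:
            if "switchport mode access" not in cmds:
                findings.append(f"{name}: port-control auto without access mode")
            if "dot1x multiple-authentication" not in cmds:
                findings.append(f"{name}: no sub-mode, single-terminal mode applies")
    findings += [f"VLAN {v}: static mode needs a port VLAN" for v in static if vlans.get(v) is not False]
    findings += [f"VLAN {v}: dynamic mode needs a MAC VLAN" for v in dynamic if vlans.get(v) is not True]
    if dynamic and not dynamic_on:
        findings.append("dynamic VLAN listed but 'dot1x vlan dynamic enable' is missing")
    return findings
```

Running audit_dot1x on the full command sequence from steps (1) to (4), in that order, returns no findings; the single-terminal finding is informational, since omitting the sub-mode is a valid configuration.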