Configuration Guide Vol. 2


7.1.2 Basic IEEE 802.1X Settings

This section describes how to configure the basic IEEE 802.1X authentication modes.

(1) Setting to enable IEEE 802.1X

Points to note

Enable IEEE 802.1X authentication in global configuration mode. You cannot execute other IEEE 802.1X-related commands unless you execute this command first.

Command examples

  1. (config)# dot1x system-auth-control

    Enables IEEE 802.1X.

(2) Configuring port-based authentication

This step designates a physical port or channel group as an authenticating port.

Points to note

Configure the port as an access port, and then enable port-based authentication for the port. You then specify the authentication sub-mode. If you omit the authentication sub-mode setting, the port will operate in single-terminal mode.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# switchport mode access

    Places port 1/0/1 in access mode.

  2. (config-if)# dot1x multiple-authentication

    Specifies terminal authentication mode as the authentication sub-mode.

  3. (config-if)# dot1x port-control auto

    Enables port-based authentication.

(3) Configuring VLAN-based authentication (static)

This step designates a port VLAN as an authenticating VLAN.

Points to note

Set up a port VLAN, and then enable VLAN-based authentication (static) for that VLAN.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

    Configures VLAN ID 10 as a port VLAN.

  2. (config)# dot1x vlan 10 enable

    Enables VLAN-based authentication (static) for VLAN ID 10.

(4) Configuring VLAN-based authentication (dynamic)

This step designates a MAC VLAN as an authenticating VLAN.

Points to note

Configure a MAC VLAN, and then enable VLAN-based authentication (dynamic) for that VLAN.

Terminals that successfully undergo VLAN-based authentication (dynamic) obtain their VLAN membership via information sent by the RADIUS server. The aaa Authentication network default configuration command must be configured for this process to work.

Command examples

  1. (config)# vlan 100 mac-based

    (config-vlan)# name MACVLAN100

    (config-vlan)# state active

    (config-vlan)# exit

    Configures VLAN ID 100 as a MAC VLAN.

  2. (config)# dot1x vlan dynamic radius-vlan 100

    Specifies VLAN ID 100 as subject to VLAN-based authentication (dynamic).

  3. (config)# dot1x vlan dynamic enable

    Enables VLAN-based authentication (dynamic).
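
The prerequisites stated in steps (1) to (4) can be checked against a saved configuration before it is deployed. The following is an added example, not part of this guide or the vendor's tooling; it assumes the saved configuration lists commands as written above with sub-commands indented under their `interface` or `vlan` line, and `parse`, `audit` and `SAMPLE` are hypothetical names.

```python
import re

# Constructed sample config in the command syntax shown in this section.
SAMPLE = """\
dot1x system-auth-control
vlan 10
vlan 100 mac-based
interface gigabitethernet 1/0/1
 switchport mode access
 dot1x port-control auto
interface gigabitethernet 1/0/2
 dot1x port-control auto
dot1x vlan 10 enable
dot1x vlan dynamic radius-vlan 100
dot1x vlan dynamic radius-vlan 200
dot1x vlan dynamic enable
"""

def parse(config):
    """Return (global lines, {block header: [indented sub-commands]})."""
    top, blocks = [], {}
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and top:
            blocks[top[-1]].append(raw.strip())
        else:
            top.append(raw.strip())
            blocks[top[-1]] = []
    return top, blocks

def audit(config):
    """Return findings for the prerequisites stated in steps (1) to (4)."""
    top, blocks = parse(config)
    out = []
    if "dot1x system-auth-control" not in top and "dot1x" in config:
        out.append("dot1x system-auth-control missing")
    for hdr, sub in blocks.items():
        if "dot1x port-control auto" in sub and "switchport mode access" not in sub:
            out.append(f"{hdr}: port-control auto on a non-access port")
    for line in top:
        m = re.fullmatch(r"dot1x vlan (\d+) enable", line)
        if m and f"vlan {m[1]}" not in top:
            out.append(f"VLAN {m[1]}: static auth on an undefined port VLAN")
        m = re.fullmatch(r"dot1x vlan dynamic radius-vlan (\d+)", line)
        if m and f"vlan {m[1]} mac-based" not in top:
            out.append(f"VLAN {m[1]}: radius-vlan target is not a MAC VLAN")
    # AAA prerequisite named in step (4), matched loosely as "aaa <word> network default".
    aaa = any(re.fullmatch(r"aaa \S+ network default", c, re.I) for c in top)
    if "dot1x vlan dynamic enable" in top and not aaa:
        out.append("dynamic auth enabled without aaa network default")
    return out
```

Run against `SAMPLE`, `audit` reports port 1/0/2 (authentication enabled without access mode), VLAN 200 (not defined as a MAC VLAN) and the missing AAA command.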