9.1.2 Configuration of Fixed VLAN
(1) Basic settings for the local authentication method
The figure below describes the basic configuration required to use local authentication.
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface gigabitethernet 1/0/11
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Specifies the port that connects to the L3 switch of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign an IP address to a VLAN used in Web authentication.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
Assigns an IP address to VLAN ID 10 used in Web authentication.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# permit udp any any eq domain
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets and access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.
(d) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# web-authentication system-auth-control
Starts Web authentication.
(2) Basic settings for the RADIUS authentication method
The following figure shows the basic configuration required to use RADIUS authentication.
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface gigabitethernet 1/0/11
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Specifies the port that connects to the L3 switch of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign an IP address to a VLAN used in Web authentication.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
Assigns an IP address to VLAN ID 10 used in Web authentication.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# permit udp any any eq domain
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets and access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.
(d) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# aaa authentication web-authentication default group radius
(config)# radius-server host 10.0.0.200 key "webauth"
Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.
-
(config)# web-authentication system-auth-control
Starts Web authentication.
(3) Settings for the RADIUS authentication method with the internal DHCP server
The following figure shows the basic configuration required to use RADIUS authentication with the DHCP server built in to the Switch.
(a) Configuring Authentication Ports
- Points to note
-
Configure the port to be used for Web authentication.
Command examples
-
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# exit
Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.
-
(config)# interface gigabitethernet 1/0/11
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Specifies the port that connects to the L3 switch of the network accessed after authentication.
(b) IP addressing for VLAN interfaces
- Points to note
-
Assign an IP address to a VLAN used in Web authentication.
Command examples
-
(config)# interface vlan 10
(config-if)# ip address 192.168.10.254 255.255.255.0
(config-if)# exit
Assigns an IP address to VLAN ID 10 used in Web authentication.
(c) Configuring Authentication-Only IPv4 Access Lists
- Points to note
-
Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.
Command examples
-
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
(config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp any any eq domain
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# authentication ip access-group 100
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server and to access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.
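Added example (not part of the manual): a first-match evaluation of the two authentication IPv4 access lists shown on this page, the one used in (1) and (2) and the one above for the internal DHCP server, against constructed packets from an unauthenticated terminal. It assumes that a packet matching no entry is not forwarded, and it handles only the entry forms that appear on this page.

```python
import ipaddress

PORTS = {"bootps": 67, "domain": 53}
# Entries of access list 100 as given in (1) and (2).
ACL_ANY = """\
permit udp any any eq bootps
permit udp any any eq domain
"""
# Entries of access list 100 as given in (3), internal DHCP server.
ACL_INTERNAL_DHCP = """\
permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit udp any any eq domain
"""

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return the address, or None for any."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    """Parse 'permit <proto> <src> <dst> eq <port-name>' entries."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        rules.append((action, proto, src, dst, PORTS[tokens[-1]]))
    return rules

def allowed(rules, proto, src, dst, dport):
    """First matching entry decides; no match means not forwarded (assumption)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and r_src in (None, src)
                and r_dst in (None, dst) and r_port == dport):
            return action == "permit"
    return False

# Constructed packets from an unauthenticated terminal on VLAN 10.
DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)
BOOTPS_TO_OTHER_HOST = ("udp", "192.168.10.5", "10.0.0.50", 67)
DNS_QUERY = ("udp", "192.168.10.5", "10.0.0.53", 53)
HTTP = ("tcp", "192.168.10.5", "10.0.0.80", 80)
```

Both lists pass DISCOVER and DNS_QUERY and reject HTTP; only the list from (1) and (2) passes BOOTPS_TO_OTHER_HOST, because the list in (3) limits bootps to source 0.0.0.0 and the two listed destinations.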
(d) Configuration of Web authentication
- Points to note
-
Enable Web authentication by using configuration commands.
Command examples
-
(config)# web-authentication ip address 10.10.10.1
Sets the Web authentication IP address (IPv4 address).
-
(config)# aaa authentication web-authentication default group radius
(config)# radius-server host 10.0.0.200 key "webauth"
Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.
-
(config)# web-authentication system-auth-control
Starts Web authentication.
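Added example (not the vendor's tooling): a check of a command transcript, in the prompt format used on this page, against steps (a) to (d) of the RADIUS procedure. The transcript is constructed with three deliberate defects; the audit function and the MIN_KEY_LEN threshold are assumptions of this example, not values from the manual.

```python
import re

# Constructed transcript based on section (2). Defects: list 101 is never
# defined, the key is short, and system-auth-control is never entered.
SAMPLE = """\
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# permit udp any any eq domain
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# authentication ip access-group 101
(config-if)# exit
(config)# web-authentication ip address 10.10.10.1
(config)# aaa authentication web-authentication default group radius
(config)# radius-server host 10.0.0.200 key "webauth"
"""
MIN_KEY_LEN = 16  # assumption: local policy threshold, not from the manual

def audit(transcript):
    """Return a list of findings for a '(mode)# command' transcript."""
    top, ports, current = [], {}, None
    for mode, cmd in re.findall(r"^\((config[\w-]*)\)# (.+)$", transcript, re.M):
        if mode == "config":
            top.append(cmd)
            current = cmd if cmd.startswith("interface ") else None
        elif mode == "config-if" and current and cmd != "exit":
            ports.setdefault(current, []).append(cmd)
    acls = {c.split()[-1] for c in top if c.startswith("ip access-list extended ")}
    findings = []
    for port, cmds in ports.items():
        if "web-authentication port" not in cmds:
            continue  # only authentication ports are checked
        refs = [c.split()[-1] for c in cmds
                if c.startswith("authentication ip access-group ")]
        findings += [f"{port}: authentication access list {r} is not defined"
                     for r in refs if r not in acls]
    if "web-authentication system-auth-control" not in top:
        findings.append("web-authentication system-auth-control is missing, "
                        "so Web authentication is not started")
    uses_radius = any(c.startswith("aaa authentication web-authentication")
                      and c.endswith("group radius") for c in top)
    keys = re.findall(r'^radius-server host \S+ key "?([^"]+)"?$',
                      "\n".join(top), re.M)
    if uses_radius and not keys:
        findings.append("group radius is selected but no radius-server host is set")
    findings += [f"RADIUS key is shorter than {MIN_KEY_LEN} characters"
                 for k in keys if len(k) < MIN_KEY_LEN]
    return findings
```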