Configuration Guide Vol. 2


9.1.2 Configuration of Fixed VLAN


(1) Basic settings for the local authentication method

The figure below describes the basic configuration required to use local authentication.

Figure 9-1: Basic configuration of the local authentication method in fixed VLAN mode


(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

  2. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.

  3. (config)# interface gigabitethernet 1/0/11

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# exit

    Specifies the port that connects to the L3 switch of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign an IP address to a VLAN used in Web authentication.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    Assigns an IP address to VLAN ID 10 used in Web authentication.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp any any eq bootps

    (config-ext-nacl)# permit udp any any eq domain

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets and access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.

(d) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# web-authentication system-auth-control

    Starts Web authentication.

(2) Basic settings for the RADIUS authentication method

The following figure shows the basic configuration required to use RADIUS authentication.

Figure 9-2: Basic configuration of the RADIUS authentication method in fixed VLAN mode


(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

  2. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.

  3. (config)# interface gigabitethernet 1/0/11

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# exit

    Specifies the port that connects to the L3 switch of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign an IP address to a VLAN used in Web authentication.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    Assigns an IP address to VLAN ID 10 used in Web authentication.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp any any eq bootps

    (config-ext-nacl)# permit udp any any eq domain

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets and access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.

(d) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# aaa authentication web-authentication default group radius

    (config)# radius-server host 10.0.0.200 key "webauth"

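    Selects RADIUS as the authentication method for Web authentication, and specifies the IP address of the RADIUS server used for user authentication together with the RADIUS key (shared secret) used to access it. The key must match the one configured for the Switch on the RADIUS server.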

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.

(3) Settings when using the RADIUS authentication method with the internal DHCP server

The following figure shows the basic configuration required to use RADIUS authentication with the DHCP server built into the Switch.

Figure 9-3: Basic configuration of the RADIUS authentication method and the built-in DHCP server in fixed VLAN mode


(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# web-authentication port

    (config-if)# exit

    Assigns a VLAN ID and configures Web authentication at a port where terminals will be authenticated.

  2. (config)# interface gigabitethernet 1/0/11

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# exit

    Specifies the port that connects to the L3 switch of the network accessed after authentication.

(b) IP addressing for VLAN interfaces

Points to note

Assign an IP address to a VLAN used in Web authentication.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    Assigns an IP address to VLAN ID 10 used in Web authentication.

(c) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure an authentication IPv4 access list that allows traffic from unauthenticated terminals to reach destinations outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp host 0.0.0.0 host 192.168.10.254 eq bootps

    (config-ext-nacl)# permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp any any eq domain

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# authentication ip access-group 100

    (config-if)# authentication arp-relay

    (config-if)# exit

    Configures an authentication IPv4 access list that allows unauthenticated terminals to send DHCP packets to the internal DHCP server and to access the DNS server. These commands also configure the Switch to forward ARP packets to external destinations.
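The authentication access lists in (1)(c)/(2)(c) and in (3)(c) differ in how much UDP port 67 traffic they forward before login. The following is an added example, not part of the guide or the vendor's tooling, that evaluates both lists against constructed packets. It assumes each entry reads as protocol, source, destination, destination port, that the first match decides, and that unmatched traffic is not forwarded; the terminal and server addresses in the packets are made up.

```python
import ipaddress

PORTS = {"bootps": 67, "domain": 53}  # named ports used in the guide's entries

# Authentication access list 100 as given in (1)(c)/(2)(c) and in (3)(c).
ACL_BASIC = """permit udp any any eq bootps
permit udp any any eq domain"""
ACL_INTERNAL_DHCP = """permit udp host 0.0.0.0 host 192.168.10.254 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit udp any any eq domain"""

# Constructed packets from an unauthenticated terminal: (proto, src, dst, dst port).
PACKETS = {
    "dhcp_discover": ("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns_query": ("udp", "192.168.10.20", "10.0.0.53", 53),
    "udp67_to_other_host": ("udp", "192.168.10.20", "10.0.0.99", 67),
    "http_to_other_host": ("tcp", "192.168.10.20", "10.0.0.80", 80),
}

def parse_acl(text):
    """Parse '<action> <proto> <src> <dst> [eq <port>]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        action, proto, *rest = line.split()
        addrs = []
        while len(addrs) < 2:  # source first, then destination
            width = {"any": 1, "host": 2}[rest[0]]  # KeyError on other address forms
            addrs.append(ipaddress.ip_address(rest[1]) if width == 2 else None)
            rest = rest[width:]
        port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, addrs[0], addrs[1], port))
    return rules

def permitted(rules, proto, src, dst, dport):
    """First matching entry decides; no match means not forwarded (assumed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action == "permit"
    return False

def evaluate(acl_text):
    """Map each constructed packet name to whether the ACL forwards it."""
    rules = parse_acl(acl_text)
    return {name: permitted(rules, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print({"basic": evaluate(ACL_BASIC), "internal_dhcp": evaluate(ACL_INTERNAL_DHCP)})
```

With the basic list, UDP port 67 from an unauthenticated terminal is forwarded to any destination; the internal-DHCP list forwards it only from 0.0.0.0 to the Switch address or the broadcast address.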

(d) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication ip address 10.10.10.1

    Sets the Web authentication IP address (IPv4 address).

  2. (config)# aaa authentication web-authentication default group radius

    (config)# radius-server host 10.0.0.200 key "webauth"

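    Selects RADIUS as the authentication method for Web authentication, and specifies the IP address of the RADIUS server used for user authentication together with the RADIUS key (shared secret) used to access it. The key must match the one configured for the Switch on the RADIUS server.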

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.