OcNOS-DC : Layer 2 Guide : Layer 2 Configuration Guide : 802.1X Configuration
802.1X Configuration
IEEE 802.1x restricts unauthenticated devices from connecting to a switch. Only after authentication is successful, traffic is allowed through the switch.
Topology
In this example, a radius server keeps the client information, validating the identity of the client and updating the switch about the authentication status of the client. The switch is the physical access between the two clients and the server. It requests information from the client, relays information to the server and then back to the client. To configure 802.1x authentication, enable authentication on ports eth1 and eth2 and specify the radius server IP address and port.
802.1x Topology
 
Configuration
Switch
Switch#configure terminal
Enter configure mode.
Switch(config)#port-security disable
Disable the port-security.
Switch(config)#dot1x system-auth-ctrl
Enable authentication globally.
Switch(config)#interface eth2
Enter interface mode.
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#dot1x port-control auto
Enable authentication (via Radius) on port (eth2).
Switch(config-if)#exit
Exit interface mode.
Switch(config)#interface eth1
Enter interface mode.
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#dot1x port-control auto
Enable authentication (via Radius) on port (eth1).
Switch(config-if)#exit
Exit interface mode.
Switch(config)# radius-server dot1x keystring testing123
Specify the key with string name between radius server and client
Switch(config)#radius-server dot1x host 192.126.12.1
Specify the radius server address.
Switch(config-if)#commit
Commit the transaction.
Switch(config-if)#exit
Exit interface mode.
Switch(config)#interface eth3
Enter interface mode.
Switch(config-if)#ip address 192.126.12.2/24
Set the IP address on interface eth3.
Switch(config-if)#commit
Commit the transaction.
Switch(config-if)#exit
Exit interface mode.
Validation
#show dot1x all
802.1X Port-Based Authentication Enabled RADIUS server address: 192.168.1.1:60000 Next radius message id: 147
 
 
© 2021 IP Infusion Inc. Proprietary 1087
802.1X Configuration
RADIUS client address: not configured 802.1X info for interface eth1
portEnabled: true - portControl: Auto portStatus: Unauthorized - currentId: 29 protocol version: 2
reAuthenticate: disabled reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F PAE: state: Connecting - portMode: Auto PAE: reAuthCount: 1 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30 BE: state: Idle - reqCount: 0 - idFromServer: 0 BE: suppTimeout: 30 - serverTimeout: 30
CD: adminControlledDirections: in - operControlledDirections: in CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
 
802.1X info for interface eth2 portEnabled: true - portControl: Auto portStatus: Unauthorized - currentId: 29 protocol version: 2
reAuthenticate: disabled reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F PAE: state: Connecting - portMode: Auto PAE: reAuthCount: 1 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30 BE: state: Idle - reqCount: 0 - idFromServer: 0 BE: suppTimeout: 30 - serverTimeout: 30
CD: adminControlledDirections: in - operControlledDirections: in CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
#show dot1x
802.1X Port-Based Authentication Enabled RADIUS server address: 192.168.1.1:60000 Next radius message id: 147
RADIUS client address: not configured