802.1X Configuration
IEEE 802.1x restricts unauthenticated devices from connecting to a switch. Traffic is allowed through the switch only after authentication succeeds.
Topology
In this example, a RADIUS server holds the client information, validates the identity of the client, and updates the switch about the authentication status of the client. The switch provides the physical access between the two clients and the server: it requests information from the client, relays it to the server, and relays the response back to the client. To configure 802.1x authentication, enable authentication on ports eth1 and eth2 and specify the RADIUS server IP address and port.
802.1x Topology
Switch Configuration
 
Switch#configure terminal
Enter configure mode.
Switch(config)#port-security disable
Disable port security.
Switch(config)#dot1x system-auth-ctrl
Enable authentication globally.
Switch(config)#interface eth2
Enter interface mode.
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#dot1x port-control auto
Enable authentication (via RADIUS) on port eth2.
Switch(config-if)#exit
Exit interface mode.
Switch(config)#interface eth1
Enter interface mode.
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#dot1x port-control auto
Enable authentication (via RADIUS) on port eth1.
Switch(config-if)#exit
Exit interface mode.
Switch(config)#radius-server dot1x key-string testing123
Specify the key string shared between the RADIUS server and the client.
Switch(config)#radius-server dot1x host 192.126.12.1
Specify the RADIUS server address (192.126.12.1).
Switch(config-radius-server)#exit
Exit from radius server mode.
Switch(config)#interface eth3
Enter interface mode.
Switch(config-if)#ip address 192.126.12.2/24
Set the IP address on interface eth3.
Switch(config-if)#commit
Commit the transaction.
Switch(config-if)#exit
Exit interface mode.
Validation
#show dot1x all
802.1X Port-Based Authentication Enabled
RADIUS server address: 192.168.1.1:60000
Next radius message id: 147
RADIUS client address: not configured
 
802.1X info for interface eth1
portEnabled: true - portControl: Auto
portStatus: Unauthorized - currentId: 29
protocol version: 2
reAuthenticate: disabled
reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F
PAE: state: Connecting - portMode: Auto
PAE: reAuthCount: 1 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
BE: state: Idle - reqCount: 0 - idFromServer: 0
BE: suppTimeout: 30 - serverTimeout: 30
CD: adminControlledDirections: in - operControlledDirections: in
CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
 
802.1X info for interface eth2
portEnabled: true - portControl: Auto
portStatus: Unauthorized - currentId: 29
protocol version: 2
reAuthenticate: disabled
reAuthPeriod: 3600
abort:F fail:F start:F timeout:F success:F
PAE: state: Connecting - portMode: Auto
PAE: reAuthCount: 1 - rxRespId: 0
PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
BE: state: Idle - reqCount: 0 - idFromServer: 0
BE: suppTimeout: 30 - serverTimeout: 30
CD: adminControlledDirections: in - operControlledDirections: in
CD: bridgeDetected: false
KR: rxKey: false
KT: keyAvailable: false - keyTxEnabled: false
 
#show dot1x
802.1X Port-Based Authentication Enabled
RADIUS server address: 192.168.1.1:60000
Next radius message id: 147
RADIUS client address: not configured
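
The following is an added example, not vendor code: a small Python audit that parses `show dot1x all` output in the format shown above and flags ports whose portControl is not Auto, ports with periodic reauthentication disabled, and a RADIUS server address that differs from the intended one. The function names, the eth9 entry and its portControl string are assumptions made for illustration.

```python
import re

# Constructed sample: eth1 is abridged from the `show dot1x all` output above;
# eth9 and its portControl string are hypothetical, showing a port that skips auth.
SAMPLE = """\
802.1X Port-Based Authentication Enabled
RADIUS server address: 192.168.1.1:60000
802.1X info for interface eth1
portEnabled: true - portControl: Auto
portStatus: Unauthorized - currentId: 29
reAuthenticate: disabled
abort:F fail:F start:F timeout:F success:F
PAE: state: Connecting - portMode: Auto
802.1X info for interface eth9
portEnabled: true - portControl: Force Authorized
"""

def parse_dot1x(text):
    glob, ports, cur = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"802\.1X info for interface (\S+)", line)
        if m:
            cur = ports.setdefault(m.group(1), {})
        elif line.startswith("#"):      # a new CLI prompt ends the port block
            cur = None
        elif cur is None:               # global header lines
            key, sep, val = line.partition(": ")
            glob[key if sep else "banner"] = val if sep else line
        else:                           # port lines: "PAE: k: v - k: v"
            sect = re.match(r"(PAE|BE|CD|KR|KT): ", line)
            prefix = sect.group(1) + "." if sect else ""
            for part in line[sect.end() if sect else 0:].split(" - "):
                key, sep, val = part.partition(": ")
                if sep:                 # flag lines without "key: value" are skipped
                    cur[prefix + key] = val.strip()
    return glob, ports

def audit(text, expected_server):
    glob, ports = parse_dot1x(text)
    findings = []
    server = glob.get("RADIUS server address", "").rsplit(":", 1)[0]
    if server != expected_server:       # expected_server is the caller's intended host
        findings.append(("global", f"RADIUS server is {server}, expected {expected_server}"))
    for name, p in ports.items():
        if p.get("portControl") != "Auto":
            findings.append((name, f"portControl is {p.get('portControl')}, not Auto"))
        elif p.get("reAuthenticate") == "disabled":
            findings.append((name, "periodic reauthentication disabled"))
    return findings
```

Calling `audit(SAMPLE, "192.126.12.1")` with the server address from the configuration steps reports a mismatch, because the validation output above shows 192.168.1.1 as the RADIUS server address.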