802.1X Configuration

OcNOS SP : Layer 2 Guide : Layer 2 Configuration Guide : 802.1X Configuration

IEEE 802.1x restricts unauthenticated devices from connecting to a switch. Only after authentication is successful, traffic is allowed through the switch.

Topology

In this example, a radius server keeps the client information, validating the identity of the client and updating the switch about the authentication status of the client. The switch is the physical access between the two clients and the server. It requests information from the client, relays information to the server and then back to the client. To configure 802.1x authentication, enable authentication on ports eth1 and eth2 and specify the radius server IP address and port.

802.1x Topology

Switch Configuration

Switch#configure terminal	Enter configure mode.
Switch(config)#port-security disable	Disable the port-security.
Switch(config)#dot1x system-auth-ctrl	Enable authentication globally.
Switch(config)#interface eth2	Enter interface mode.
Switch(config-if)#switchport	Enable switch port on interface.
Switch(config-if)#dot1x port-control auto	Enable authentication (via Radius) on port (eth2).
Switch(config-if)#exit	Exit interface mode.
Switch(config)#interface eth1	Enter interface mode.
Switch(config-if)#switchport	Enable switch port on interface.
Switch(config-if)#dot1x port-control auto	Enable authentication (via Radius) on port (eth1).
Switch(config-if)#exit	Exit interface mode.
Switch(config)#radius-server dot1x key-string testing123	Specify key with string name between radius server and client
Switch(config)#radius-server dot1x host 192.126.12.1	Specify the Radius Server address (192.126.12.1)
Switch(config-radius-server)#exit	Exit from radius server mode.
Switch(config)#interface eth3	Enter interface mode.
Switch(config-if)#ip address 192.126.12.2/24	Set the IP address on interface eth3.
Switch(config-if)#commit	Commit the transaction.
Switch(config-if)#exit	Exit interface mode.

Validation

show dot1x, show dot1x all

#show dot1x all

802.1X Port-Based Authentication Enabled

RADIUS server address: 192.126.12.1:1812

Next radius message id: 0

RADIUS client address: not configured

802.1X info for interface ge1

Supplicant address: 0000.0000.0000

portEnabled: true - portControl: Auto

portStatus: Unauthorized - currentId: 1

protocol version: 2

reAuthenticate: disabled

reAuthPeriod: 3600

abort:F fail:F start:F timeout:F success:F

PAE: state: Connected - portMode: Auto

PAE: reAuthCount: 0 - rxRespId: 0

PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30

BE: state: Invalid - reqCount: 0 - idFromServer: 0

BE: suppTimeout: 30 - serverTimeout: 30

CD: adminControlledDirections: in - operControlledDirections: in

CD: bridgeDetected: false

KR: rxKey: false

KT: keyAvailable: false - keyTxEnabled: false

#show dot1x

802.1X Port-Based Authentication Enabled

RADIUS server address: 192.126.12.1:1812

Next radius message id: 0

RADIUS client address: not configured