10-26
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based
authentication:
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port
numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on
a server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service—for example, authentication—the second host entry configured acts as the
fail-over backup to the first one. The RADIUS host entries are tried in the order that they were
configured.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
aaa new-model Enable AAA.
Step 3
aaa authentication dot1x {default}
method1
Create an IEEE 802.1x authentication method list.
To create a default list that is used when a named list is not specified in
the authentication command, use the default keyword followed by the
method that is to be used in default situations. The default method list is
automatically applied to all ports.
For method1, enter the group radius keywords to use the list of all
RADIUS servers for authentication.
Note Though other keywords are visible in the command-line help
string, only the group radius keywords are supported.
Step 4
dot1x system-auth-control Enable IEEE 802.1x authentication globally on the switch.
Step 5
aaa authorization network {default}
group radius
(Optional) Configure the switch to use user-RADIUS authorization for all
network-related service requests, such as per-user ACLs or VLAN
assignment.
Note For per-user ACLs, single-host mode must be configured. This
setting is the default.
Step 6
radius-server host ip-address (Optional) Specify the IP address of the RADIUS server.
Step 7
radius-server key string (Optional) Specify the authentication and encryption key used between
the switch and the RADIUS daemon running on the RADIUS server.
Step 8
interface interface-id Specify the port connected to the client that is to be enabled for
IEEE 802.1x authentication, and enter interface configuration mode.
Step 9
switchport mode access (Optional) Set the port to access mode only if you configured the RADIUS
server in Step 6 and Step 7.
Step 10
dot1x port-control auto Enable IEEE 802.1x authentication on the port.
For feature interaction information, see the “IEEE 802.1x Authentication
Configuration Guidelines” section on page 10-23.
Step 11
end Return to privileged EXEC mode.
Step 12
show dot1x Verify your entries.
Step 13
copy running-config startup-config (Optional) Save your entries in the configuration file.
