To enable and activate 802.1X authentication, perform the following steps.
802.1X authentication requires some prerequisite tasks to be performed before the 802.1X configuration is applied at the global and interface levels. Before configuring 802.1X authentication, communication between the device and the authentication server must be established. The following configurations must be completed before configuring 802.1X authentication:
- Configure the RADIUS server to authenticate access to the device. The radius-server host command adds the RADIUS server to the device as the authentication server. This command can be repeated for additional servers. The radius-server host command attempts to connect to the first RADIUS server. If the RADIUS server is not reachable, the next RADIUS server is contacted. If the RADIUS server is contacted and the authentication fails, the authentication process does not check for the next server in the sequence.
Note: If multiple RADIUS servers are configured, the recommended configuration for RADIUS server retries is 2.
- (Optional) Enable the 802.1X readiness check on the device to determine if the devices connected to the switch ports are 802.1X-capable.
device# dot1x test eapol-capable interface ethernet 1/1
device# 2016/07/18-00:49:03, [DOT1-1012], 5006, M2 | Active | DCE, INFO, sw0, DOT1X_PORT_EAPOL_CAPABLE: Peer connected to port Ethernet 1/1 is EAPOL capable.
- Enter global configuration mode.
device# configure terminal
- Enable 802.1X authentication globally.
device(config)# dot1x enable
If you globally disable 802.1X authentication, all interface ports with 802.1X authentication enabled automatically switch to force-authorized port control mode.
- Enter interface configuration mode to configure interface-specific administrative features for 802.1X authentication.
device(config)# interface Ethernet 1/1
- Enable 802.1X authentication on a specific interface port.
device(conf-if-eth-1/1)# dot1x authentication
- Enter the dot1x port-control auto command to set the controlled port in the unauthorized state until authentication takes place between the client and the authentication server.
device(conf-if-eth-1/1)# dot1x port-control auto
This command activates authentication on an 802.1X-enabled interface. Once the client passes authentication, the port becomes authorized for that client. The controlled port remains in the authorized state for that client until the client logs off.
- (Optional) Configure the device to periodically reauthenticate the clients connected to 802.1X-enabled interfaces at regular intervals.
device(conf-if-eth-1/1)# dot1x reauthentication
When you enable periodic reauthentication, the device reauthenticates the clients every 3,600 seconds by default.
- (Optional) Configure the timeout parameters that determine the time interval for client reauthentication and EAP retransmissions using the following commands:
These timeout parameters govern client reauthentication and the retransmission of EAP-Request/Identity frames and EAP-Request/Challenge frames.
- (Optional) Configure the maximum number of reauthentication attempts before the port goes to the unauthorized state.
device(conf-if-eth-1/1)# dot1x reauthMax 3
- (Optional) Configure the time interval the device remains idle between a failed authentication and a reauthentication attempt.
device(conf-if-eth-1/1)# dot1x quiet-period 30
- (Optional) Enter the no dot1x filter-strict-security command to authenticate the client even if the Filter-Id attribute returned by RADIUS contains invalid information.
device(conf-if-eth-1/1)# no dot1x filter-strict-security
By default, strict security mode is enabled.
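As an added example (not part of this guide), the following Python script audits a running configuration for the settings this procedure sets and flags the ones that weaken port authentication: 802.1X not enabled globally, an 802.1X interface without port-control auto, periodic reauthentication left off, and strict security disabled. It assumes the running configuration mirrors the command syntax shown above, with interface blocks terminated by "!"; the sample configuration is constructed for illustration.

```python
# Constructed sample of a running configuration using the commands from the
# procedure above; not captured from a real device.
SAMPLE_CONFIG = """\
dot1x enable
!
interface Ethernet 1/1
 dot1x authentication
 dot1x port-control auto
 dot1x reauthentication
 dot1x reauthMax 3
 dot1x quiet-period 30
!
interface Ethernet 1/2
 dot1x authentication
 no dot1x filter-strict-security
!
interface Ethernet 1/3
 switchport
!
"""


def parse_dot1x(config):
    """Return (global_enabled, {interface_name: set of dot1x lines})."""
    global_enabled = False
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "dot1x enable":
            global_enabled = True
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = set()
        elif line == "!":
            current = None  # end of the current interface block
        elif current is not None and "dot1x" in line:
            interfaces[current].add(line)
    return global_enabled, interfaces


def audit_dot1x(config):
    """Return a list of (scope, finding) tuples for weak 802.1X settings."""
    global_enabled, interfaces = parse_dot1x(config)
    findings = []
    if not global_enabled:
        findings.append(("global", "dot1x not enabled; ports fall back to force-authorized"))
    for name, lines in interfaces.items():
        if "dot1x authentication" not in lines:
            continue  # 802.1X is not configured on this interface
        if "dot1x port-control auto" not in lines:
            findings.append((name, "port-control auto missing; authentication is not activated"))
        if "dot1x reauthentication" not in lines:
            findings.append((name, "periodic reauthentication is not enabled"))
        if "no dot1x filter-strict-security" in lines:
            findings.append((name, "strict security disabled; invalid Filter-Id still authenticates"))
    return findings
```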