Configuring General 802.1X Operation

These steps enable 802.1X authentication and must be completed before you configure 802.1X VLAN operation.

Procedure
  1. Enable 802.1X authentication on each port that you want to act as an authenticator. (The switch automatically disables LACP on any port on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, make sure the port-control parameter is set to auto (the default). (See Enabling 802.1X authentication on selected ports.) With control auto, a client must support 802.1X (run a supplicant) and present valid credentials before it gets network access.
    
    aaa port-access authenticator <port-list> control auto
    

    Enables 802.1X authentication on the listed ports and sets their port-control mode to auto, so that each port forwards client traffic only after a supplicant has authenticated successfully.

  2. Configure the 802.1X authentication type.
    
    aaa authentication port-access <local | eap-radius | chap-radius>
    

    Determines how the switch authenticates 802.1X supplicants: against its local user database, or through a RADIUS server using EAP or CHAP.

    local

    Use the switch’s local user name and password for supplicant authentication (the default).

    eap-radius

    Use EAP-RADIUS authentication. (See the documentation for your RADIUS server.)

    chap-radius

    Use CHAP-RADIUS (MD5-challenge) authentication. (See the documentation for your RADIUS server software.) MD5-challenge verifies only the client's password and gives the client no way to authenticate the switch or server; where your supplicants support it, eap-radius with a server-authenticated EAP method is the stronger choice.

  3. If you selected either eap-radius or chap-radius, use the radius-server host command to configure up to three RADIUS server IP addresses on the switch.
    
    radius-server host <ip-address> [oobm]
    

    Adds a server to the RADIUS configuration. For switches that have a separate out-of-band management port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.

    
    [key <server-specific key-string>]
    

    Optional. Specifies an encryption key (the RADIUS shared secret) for use with the specified server. This key must match the key configured on that RADIUS server. Use this option only if the specified server requires a different key than the global encryption key. The tilde (~) character is allowed in the string. It is not backward compatible: the “~” character is lost if you load a software version that does not support it.

    
    radius-server key <global key-string>
    

    Specifies the global encryption key (shared secret) the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if every RADIUS server address configured in the switch includes a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible: the “~” character is lost if you load a software version that does not support it.

    Default: Null

    The no form of the command removes the global encryption key.

  4. Activate authentication on the switch.
    
    aaa port-access authenticator active
    

    Activates 802.1X port-access on ports you have configured as authenticators.

  5. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
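A complete sequence that carries out steps 1 through 5 on one switch, added here as an illustration and not taken from the switch documentation. The port range 1-24, the server addresses 10.10.1.11 and 10.10.1.12 and the two key strings are constructed values to be replaced with your own; the lines beginning with ; are annotations, not commands. The first server is given its own shared secret and the second falls back to the global key, which is the case the key options above describe. The two show commands at the end are the checks to run for step 5 before testing with a real supplicant.

```text
switch# configure
; Step 1: make ports 1-24 authenticators and require supplicant authentication (control auto).
switch(config)# aaa port-access authenticator 1-24 control auto
; Step 2: pass supplicant credentials to RADIUS using EAP instead of the local user database.
switch(config)# aaa authentication port-access eap-radius
; Step 3: two RADIUS servers. The first requires its own shared secret; the second uses the global key.
; Use a key containing ~ only if every software version the switch may run supports it.
switch(config)# radius-server host 10.10.1.11 key Srv1~Secret
switch(config)# radius-server host 10.10.1.12
switch(config)# radius-server key Global~Secret
; Step 4: turn 802.1X authentication on for the configured authenticator ports.
switch(config)# aaa port-access authenticator active
; Step 5 (checks): confirm the authenticator settings and the RADIUS server list,
; then test one port with a supplicant holding valid credentials and one holding invalid credentials.
switch(config)# show port-access authenticator
switch(config)# show radius
```

If show port-access authenticator does not list a port with control auto, or show radius does not list both servers, fix that before testing access: a port left at its pre-existing control setting, or a server with a mismatched key, produces the same symptom as a failed supplicant.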

NOTE:

If you want to implement the optional port-security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then see Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices.

After you complete steps 1 through 4, the configured ports are enabled for 802.1X authentication (without VLAN operation), and you are ready to configure VLAN operation.