General Setup Procedure for 802.1X Access Control

Follow These Steps Before You Configure 802.1X Operation:

Procedure
  1. Configure a local user name and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, Hewlett Packard Enterprise recommends that you use a local user name and password pair at least until your other security measures are in place.)
  2. Enable include-credentials. The port-access option is available only if include-credentials is enabled. See Security settings that can be saved.
  3. For switches covered in this guide, the local operator password configured with the password command is not accepted as an 802.1X authenticator credential. The port-access command is used to configure the operator user name and password that are used as 802.1X credentials for network access to the switch. 802.1X network access is not allowed unless a password has been configured using the password port-access command.
    
    password port-access [user-name <name>] <password>
    
    Configures the operator user name and password used to access the network through 802.1X authentication.
    user-name <name>
    Operator user name (text string) used only for local authentication of 802.1X clients. This value is different from the local operator user name configured with the password command for management access.
    <password>
    Operator password (text string) used only for local authentication of 802.1X clients. This value is different from the local operator password configured with the password command for management access.

    Example of how to configure a local operator password for 802.1X access:

    switch(config)# password port-access user-name Jim secret3

    You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more information, see Saving user name and password security.

  4. Determine the switch ports that you want to configure as authenticators and supplicants, and disable LACP on these ports. 802.1X and LACP cannot both be active on the same port.
  5. To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command as shown in the following example:
    switch# show port-access config
    Port Access Status Summary
    
    Port-access authenticator activated [No] : No
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
    
                                                       Port
           802.1X 802.1X Web  Mac  LMA  Ctrl Mixed  Speed
      Port Supp   Auth   Auth Auth Auth Dir  Mode   VSA   MBV
      ---- ------ ------ ---- ---- ---- ---- -----  ----- ----
      C1   No     Yes    No   No   No   In   No     Yes   Yes
      C2   No     Yes    No   No   No   Both Yes    Yes   Yes
      C3   No     Yes    No   No   No   Both No     No    Yes
      C4   No     Yes    No   No   Yes  Both No     Yes   Yes
    
  6. Determine whether to use user-based access control (see 802.1X User-based access control) or port-based access control (see 802.1X Port-based access control).
  7. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode.
  8. For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local user name/password pair that you assign to the switch.)
  9. Unless you are using only the switch’s local user name and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication; one primary and two backups. See the documentation provided with your RADIUS application.