Overview: configuring 802.1X authentication on the switch

This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, see the following:

  1. Enable 802.1X user-based or port-based authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access. See Enable 802.1X authentication on selected ports.

  2. If you want to provide a path for clients without 802.1X supplicant software to download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. See 802.1X Open VLAN mode.

  3. Configure the 802.1X authentication type. Options include:
    • Local operator username and password (the default). This option allows a client to use the switch’s local username and password as valid 802.1X credentials for network access.

    • EAP RADIUS: This option requires your RADIUS server application to support EAP authentication for 802.1X

    • CHAP (MD5) RADIUS: This option requires your RADIUS server application to support CHAP (MD5) authentication. See Configuring the 802.1X authentication method.

  4. If you select either eap-radius or chap-radius for step 3, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. See Enter the RADIUS host IP address(es).

  5. Enable 802.1X authentication on the switch. See Enable 802.1X authentication on selected ports.

  6. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
    NOTE:

    If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.

  7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port. See Port-Security.

  8. If you want a port on the switch to operate as a supplicant on a port operating as an 802.1X authenticator on another device, then configure the supplicant operation. (See Configuring switch ports to operate as supplicants for 802.1X connections to other switches.