General setup procedure for 802.1X access control

Do these steps before you configure 802.1X operation.

Procedure
  1. Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, Hewlett Packard Enterprise recommends that you use a local username and password pair at least until your other security measures are in place.)
  2. Enable include-credentials. The port-access option is available only if include-credentials is enabled. See MAC authentication.

    For switches covered in this guide, the local operator password configured with the password command is not accepted as an 802.1X authenticator credential. The port-access command is used to configure the operator username and password that are used as 802.1X credentials for network access to the switch. 802.1X network access is not allowed unless a password has been configured using the password port-access command.

    
    password port-access [user-name <name>]<password>
    

    Configures the operator username and password used to access the network through 802.1X authentication.

    user-name <name>

    operator username (text string) used only for local authentication of 802.1X clients. This value is different from the local operator username configured with the password command for management access.

    <password>

    operator password (text string) used only for local authentication of 802.1X clients. This value is different from the local operator password configured with the password command for management access.

    The password port-access command

    switch(config)# password port-access user-name Jim secret3

    You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more information, see Saving security credentials in a config file.
  3. Determine the switch ports that you want to configure as authenticators and/or supplicants, and disable LACP on these ports.

    To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.

    Output for the show port-access config command

    switch (config)# show port-access config
    
    Port-access authenticator activated [No] : No
    Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
    
         Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl  Mixed Speed
    Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir   Mode  VSA   MBV
    ---- ---------  ------------ -------- -------- -------- -----  ----  ----  ---
    C1   No         Yes           No       No       No       In    No    Yes   Yes
    C2   No         Yes           No       No       No       Both  Yes   Yes   Yes
    C3   No         Yes           No       No       No       Both  No    No    Yes
    C4   No         Yes           No       No       Yes      Both  No    Yes   Yes
    ...
    
  4. Determine whether to use user-based access control (see 802.1X user-based access control) or port-based access control (see 802.1X port-based access control).
  5. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode.
  6. For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)
  7. Unless you are using only the switch’s local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication: one primary and two backups. See the documentation provided with your RADIUS application.
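As an added example (not part of the HPE documentation), the following Python parses the show port-access config output from step 3 and derives the two things a reviewer wants from it before continuing with the setup: the ports configured as authenticators and/or supplicants, which are the ports on which step 3 says LACP must be disabled, and ports whose authenticator is enabled while the global "Port-access authenticator activated" flag is still No, so they are configured but not yet active, plus ports with no port-access authentication method enabled at all. The sample output is constructed: rows C1 to C4 copy the table shown above, rows C5 and C6 are added here to exercise the checks, and the column names and the interpretation of the "activated" flag are this example's assumptions, not taken from the page.

```python
import re

# Constructed sample: rows C1-C4 copy the show port-access config output in
# step 3 above; rows C5 and C6 are added to exercise the checks below.
SAMPLE_OUTPUT = """\
switch (config)# show port-access config

Port-access authenticator activated [No] : No
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

     Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl  Mixed Speed
Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir   Mode  VSA   MBV
---- ---------  ------------ -------- -------- -------- -----  ----  ----  ---
C1   No         Yes           No       No       No       In    No    Yes   Yes
C2   No         Yes           No       No       No       Both  Yes   Yes   Yes
C3   No         Yes           No       No       No       Both  No    No    Yes
C4   No         Yes           No       No       Yes      Both  No    Yes   Yes
C5   Yes        No            No       No       No       Both  No    Yes   Yes
C6   No         No            No       No       No       Both  No    Yes   Yes
...
"""

# Column order of the per-port table, left to right (names chosen here).
COLUMNS = ("port", "supplicant", "authenticator", "web_auth", "mac_auth",
           "lma_auth", "ctrl_dir", "mixed_mode", "speed_vsa", "mbv")
AUTH_METHODS = ("supplicant", "authenticator", "web_auth", "mac_auth", "lma_auth")

# Global settings print as "<label> [<default>] : <current value>".
GLOBAL_RE = re.compile(r"^(?P<label>.+?)\s+\[\w+\]\s*:\s*(?P<value>\w+)$")


def parse_port_access_config(text):
    """Return (global_settings, ports) parsed from show port-access config output."""
    global_settings = {}
    ports = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----"):        # separator line: per-port rows follow
            in_table = True
            continue
        if not in_table:
            m = GLOBAL_RE.match(line)
            if m:
                global_settings[m.group("label")] = m.group("value")
            continue                        # prompt and column headers are ignored
        fields = line.split()
        if len(fields) != len(COLUMNS):     # "..." or truncated rows
            continue
        ports[fields[0]] = dict(zip(COLUMNS, fields))
    return global_settings, ports


def ports_with_8021x_role(ports):
    """Ports configured as supplicant and/or authenticator: the ports on which
    step 3 of the procedure says LACP must be disabled."""
    return sorted(name for name, p in ports.items()
                  if p["supplicant"] == "Yes" or p["authenticator"] == "Yes")


def audit(global_settings, ports):
    """Flag configuration states worth reviewing before go-live."""
    findings = []
    activated = global_settings.get("Port-access authenticator activated") == "Yes"
    for name in sorted(ports):
        p = ports[name]
        # Per-port authenticator settings take effect only once the
        # authenticator is activated globally (assumption stated in the lead-in).
        if p["authenticator"] == "Yes" and not activated:
            findings.append((name, "authenticator enabled but port-access "
                                   "authenticator is not activated globally"))
        if all(p[k] == "No" for k in AUTH_METHODS):
            findings.append((name, "no port-access authentication method enabled"))
    return findings


if __name__ == "__main__":
    g, p = parse_port_access_config(SAMPLE_OUTPUT)
    print("Disable LACP on:", ", ".join(ports_with_8021x_role(p)))
    for port, msg in audit(g, p):
        print(f"{port}: {msg}")
```

Run against a saved copy of the real command output instead of SAMPLE_OUTPUT to get the LACP port list and the pre-activation findings for your own switch; the "..." row and the column header lines are skipped by the parser.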