AOS-CX 10.10 Security Guide Help Center
Port access configuration task list
The following example shows the tasks that need to be performed to configure port access.
Note that before enabling 802.1X on the switch, first set up an authentication (RADIUS) server for the switch to use. The identity of the authentication server must be known before the following tasks can be performed.
Port access 802.1X and MAC authentication configuration example
Step 1: Configure the RADIUS server group
The order in which the servers are listed defines their priority.
Switch(config)# aaa group server radius AAA-RADIUS
Switch(config-sg)# server tmeswitching1.aaa
Switch(config-sg)# server tmeswitching2.aaa
Switch(config-sg)# server tmeswitching3.aaa
Step 2: Configure the DNS server
If you define a FQDN (fully qualified domain name) for the RADIUS server, you must define a DNS server to resolve the name to an IP address:
Switch(config)# ip dns domain-name aaa
Switch(config)# ip dns server-address 10.20.10.11
Switch(config)# ip dns server-address 10.20.10.12
Step 3: Configure the RADIUS server secret key
Switch(config)# radius-server host tmeswitching1.aaa key plaintext admin123
Switch(config)# radius-server host tmeswitching2.aaa key plaintext admin@123
Switch(config)# radius-server host tmeswitching3.aaa key plaintext admin#123
Step 4: Configure the Downloadable User Role (DUR) using ClearPass
Switch(config)# radius-server host tmeswitching1.aaa clearpass-username <USER> clearpass-password plaintext <PASS> vrf <VRF>
Step 5: Configure RADIUS server tracking
Configure the tracking:
Switch(config)# radius-server host tmeswitching1.aaa tracking enable vrf <VRF>
Configure the tracking mode (any or dead-only):
Switch(config)# radius-server host tmeswitching1.aaa tracking-mode {any | dead-only} vrf <VRF>
Step 6: Configure RADIUS dynamic authorization
Switch(config)# radius dyn-authorization enable
Switch(config)# radius dyn-authorization client tmeswitching1.aaa secret-key plaintext admin123
Switch(config)# radius dyn-authorization client tmeswitching2.aaa secret-key plaintext admin@123
Step 7: Configure AAA authentication fail-through
Switch(config)# aaa authentication allow-fail-through
Step 8: Configure port access authentication on an access port
Switch(config)# interface 1/1/1
Switch(config-if)# aaa authentication port-access auth-precedence mac-auth dot1x
Switch(config-if)# aaa authentication port-access client-limit 3
Switch(config-if)# aaa authentication port-access dot1x authenticator
Switch(config-if-dot1x-auth)# cached-reauth
Switch(config-if-dot1x-auth)# cached-reauth-period 60
(The default cached-reauth-period is 30 seconds.)
Switch(config-if-dot1x-auth)# max-eapol-requests 1
Switch(config-if-dot1x-auth)# max-retries 1
Switch(config-if-dot1x-auth)# quiet-period 5
Switch(config-if-dot1x-auth)# discovery-period 10
Switch(config-if-dot1x-auth)# enable
Switch(config-if-dot1x-auth)# exit
Switch(config-if)# aaa authentication port-access mac-auth
Switch(config-if-macauth)# enable
Switch(config-if-macauth)# end
Switch#
These commands are available for tuning 802.1X authentication:
- aaa authentication port-access dot1x authenticator max-eapol-requests
- aaa authentication port-access dot1x authenticator max-retries
- aaa authentication port-access dot1x authenticator quiet-period
- aaa authentication port-access dot1x authenticator discovery-period
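To check a deployed switch against these steps, the following added example (not HPE Aruba code) parses a show running-config excerpt and flags a RADIUS host that has no matching dyn-authorization client (Step 6), and an interface whose 802.1X or MAC-auth block was created but never enabled (Step 8). The sample config, hostnames and placeholder secrets are constructed for the example.

```python
# Added example, not HPE Aruba code: audit an AOS-CX running-config excerpt for the
# RADIUS and port-access settings above. The sample is constructed (Steps 3, 6, 8).
import re
SAMPLE_CONFIG = """\
radius-server host tmeswitching1.aaa key ciphertext <placeholder>
radius-server host tmeswitching3.aaa key ciphertext <placeholder>
radius dyn-authorization enable
radius dyn-authorization client tmeswitching1.aaa secret-key ciphertext <placeholder>
interface 1/1/1
    aaa authentication port-access client-limit 3
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
interface 1/1/2
    aaa authentication port-access dot1x authenticator
        cached-reauth
"""

def parse_config(text):
    """Return (radius hosts, CoA enabled?, CoA clients, {interface: {method: enabled}})."""
    hosts, clients, ifaces, coa = [], [], {}, False
    cur = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented line ends any interface block
            cur = section = None
        if m := re.match(r"radius-server host (\S+)", line):
            hosts.append(m.group(1))
        elif line == "radius dyn-authorization enable":
            coa = True
        elif m := re.match(r"radius dyn-authorization client (\S+)", line):
            clients.append(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = {}
        elif cur and (m := re.match(r"aaa authentication port-access (dot1x|mac-auth)\b", line)):
            section = m.group(1)
            ifaces[cur][section] = False     # method block present but not yet enabled
        elif cur and section and line == "enable":
            ifaces[cur][section] = True
    return hosts, coa, clients, ifaces

def audit(text):
    hosts, coa, clients, ifaces = parse_config(text)
    findings = [f"{h}: RADIUS host has no dyn-authorization client entry, so CoA "
                f"requests from it are not accepted" for h in hosts if coa and h not in clients]
    for name, methods in ifaces.items():
        findings += [f"{name}: {m} block configured but not enabled"
                     for m, on in methods.items() if not on]
    return findings
```

Run audit(SAMPLE_CONFIG) against the output of show running-config to get one finding per gap; an empty list means the excerpt matches the task list.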