Port access configuration task list

The following example shows the tasks that need to be performed to configure port access.

Note that before enabling 802.1X on the switch, first set up an authentication (RADIUS) server for the switch to use. The identity of the authentication server must be known before the following tasks can be performed.

Port access 802.1X and MAC authentication configuration example

Step 1: Configure the radius server group

The server order defines the priority order.

Switch(config)# aaa group server radius AAA-RADIUS
Switch(config-sg)# server tmeswitching1.aaa
Switch(config-sg)# server tmeswitching2.aaa
Switch(config-sg)# server tmeswitching3.aaa

Step 2: Configure the DNS server

If you define a FQDN (fully qualified domain name) for the RADIUS server, you must define a DNS server to resolve the name to an IP address:

Switch(config)# ip dns domain-name aaa
Switch(config)# ip dns server-address 10.20.10.11
Switch(config)# ip dns server-address 10.20.10.12

Step 3: Configure the RADIUS server secret key

Switch(config)# radius-server host tmeswitching1.aaa key plaintext admin123
Switch(config)# radius-server host tmeswitching2.aaa key plaintext admin@123
Switch(config)# radius-server host tmeswitching3.aaa key plaintext admin#123

Step 4: Configure the Downloadable User Role (DUR) using ClearPass

Switch(config)# radius-server host tmeswitching1.aaa clearpass-username <USER> clearpass-password plaintext <PASS> vrf <VRF>

Step 5: Configure RADIUS server tracking

Configure the tracking:

Switch(config)# radius-server host tmeswitching1.aaa tracking enable vrf <VRF>

Configure the tracking mode (any or dead-only):

Switch(config)# radius-server host tmeswitching1.aaa tracking-mode {any | dead-only} vrf <VRF>

Step 6: Configure RADIUS dynamic authorization

Switch(config)# radius dyn-authorization enable
Switch(config)# radius dyn-authorization client tmeswitching1.aaa secret-key plaintext admin123
Switch(config)# radius dyn-authorization client tmeswitching2.aaa secret-key plaintext admin@123

Step 7: Configure AAA authentication fail-through

Switch(config)# aaa authentication allow-fail-through

Step 8: Configure port access authentication on an access port

Switch(config)# interface 1/1/1
Switch(config-if)# aaa authentication port-access auth-precedence mac-auth dot1x
Switch(config-if)# aaa authentication port-access client-limit 3
Switch(config-if)# aaa authentication port-access dot1x authenticator
Switch(config-if-dot1x-auth)# cached-reauth
Switch(config-if-dot1x-auth)# cached-reauth-period 60
Switch(config-if-dot1x-auth)# max-eapol-requests 1
Switch(config-if-dot1x-auth)# max-retries 1
Switch(config-if-dot1x-auth)# quiet-period 5
Switch(config-if-dot1x-auth)# discovery-period 10
Switch(config-if-dot1x-auth)# enable
Switch(config-if-dot1x-auth)# exit
Switch(config-if)# aaa authentication port-access mac-auth
Switch(config-if-macauth)# enable
Switch(config-if-macauth)# end

The default cached-reauth-period is 30 seconds.
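Steps 1 to 6 only work if the pieces cross-reference correctly: every server named in the RADIUS group must have a radius-server host entry, FQDN hosts need a DNS server to resolve, and each dynamic-authorization client should be a RADIUS host the switch already trusts. The following added checker (example code written for this page, not part of the switch or the original document) reads a running-config fragment in the style shown above and reports the mismatches; the SAMPLE_CONFIG is constructed and deliberately leaves out tmeswitching2.aaa and the DNS server.

```python
import ipaddress

# Constructed running-config fragment modelled on steps 1-6 above (not a real
# switch capture). tmeswitching2.aaa is in the group but never defined as a
# host, no ip dns server-address is present, and tmeswitching3.aaa is a
# dyn-authorization client without a matching radius-server host.
SAMPLE_CONFIG = """\
aaa group server radius AAA-RADIUS
    server tmeswitching1.aaa
    server tmeswitching2.aaa
ip dns domain-name aaa
radius-server host tmeswitching1.aaa key plaintext admin123
radius dyn-authorization enable
radius dyn-authorization client tmeswitching1.aaa secret-key plaintext admin123
radius dyn-authorization client tmeswitching3.aaa secret-key plaintext admin#123
"""


def is_fqdn(host: str) -> bool:
    """True when the host is a name (needs DNS) rather than an IP address."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def check_radius_config(config: str) -> list:
    """Return human-readable findings for the cross-references steps 1-6 rely on."""
    group_members, hosts, dyn_clients, dns_servers = [], set(), [], 0
    in_group = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("aaa group server radius "):
            in_group = True          # following 'server' lines belong to the group
            continue
        if in_group and line.startswith("server "):
            group_members.append(line.split()[1])
            continue
        in_group = False             # any other command leaves group mode
        if line.startswith("ip dns server-address "):
            dns_servers += 1
        elif line.startswith("radius-server host "):
            hosts.add(line.split()[2])
        elif line.startswith("radius dyn-authorization client "):
            dyn_clients.append(line.split()[3])
    findings = [f"group member {m} has no radius-server host entry"
                for m in group_members if m not in hosts]
    if dns_servers == 0 and any(is_fqdn(h) for h in hosts | set(group_members)):
        findings.append("FQDN RADIUS hosts configured but no ip dns server-address")
    findings += [f"dyn-authorization client {c} is not also a radius-server host"
                 for c in dyn_clients if c not in hosts]
    return findings
```

Run check_radius_config against `show running-config` output to catch the three classes of mismatch before enabling port-access on the interface.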

These commands are available for tuning 802.1X authentication:

  • aaa authentication port-access dot1x authenticator max-eapol-requests
  • aaa authentication port-access dot1x authenticator max-retries
  • aaa authentication port-access dot1x authenticator quiet-period
  • aaa authentication port-access dot1x authenticator discovery-period

See also: