How to configure 802.1x (dot1x) on Cisco CatOS Switches

This document describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. The example below shows how to configure 802.1x (dot1x) port-based authentication on Cisco CatOS 6500 series switches. Cisco also refers to 802.1x as dot1x.

Step by Step Dot1x Configuration on Cisco CatOS switch

Enable dot1x authentication on CatOS Switch

set dot1x system-auth-control enable
set dot1x quiet-period 30
set dot1x re-authperiod 30

Configure system name

set system name  Cisco_6509

Configure Radius Server for Authentication

set radius server 10.50.100.1 auth-port 1812 primary
set radius key openthedoor

Configure Dot1x on Specific Switch Ports

set port dot1x 3/45 port-control auto
set port dot1x 3/46 port-control auto
set port dot1x 3/47 port-control auto
set port dot1x 3/48 port-control auto
set port dot1x 3/45 re-authentication enable
set port dot1x 3/46 re-authentication enable
set port dot1x 3/47 re-authentication enable
set port dot1x 3/48 re-authentication enable
set port dot1x 3/1-48 auth-fail vlan 666 (This defines the VLAN assigned to clients that fail authentication 3 times)

Cisco Catalyst switches can periodically refresh 802.1x (dot1x) authentications if required. The re-authentication period is a global setting and cannot be defined on a per-port basis.

set dot1x re-authperiod 4000
set port dot1x 0/5 re-authentication enable

You can force a manual re-authentication on a per-port basis with this command:

set port dot1x 0/5 re-authenticate

Check dot1x status on CatOS Switch

show port dot1x ?

show port dot1x auth-fail-vlan (Shows who failed authentication)
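Beyond checking status on the switch, a defender usually wants to verify that every port placed under 802.1x control actually got the full set of commands above. As an added example (not from the original page or from Cisco), the following Python audit parses CatOS "set" lines like the ones in this document and reports ports with port-control auto that lack re-authentication or an auth-fail VLAN, plus missing global dot1x/RADIUS settings. The sample configuration is constructed for the example; the parsing regex and reported keys are the example's own choices.

```python
import re

# Constructed sample (not a real switch dump): the commands from this page, with
# port 3/48 deliberately left without re-authentication so the audit finds a gap.
SAMPLE_CONFIG = """\
set dot1x system-auth-control enable
set dot1x re-authperiod 30
set radius server 10.50.100.1 auth-port 1812 primary
set radius key openthedoor
set port dot1x 3/45 port-control auto
set port dot1x 3/46 port-control auto
set port dot1x 3/47 port-control auto
set port dot1x 3/48 port-control auto
set port dot1x 3/45 re-authentication enable
set port dot1x 3/46 re-authentication enable
set port dot1x 3/47 re-authentication enable
set port dot1x 3/1-48 auth-fail vlan 666
"""

# Global lines that must be present, keyed by the command prefix that sets them.
GLOBALS = {"set dot1x system-auth-control enable": "auth-control",
           "set radius server ": "radius-server",
           "set radius key ": "radius-key"}
PORT_RE = re.compile(r"set port dot1x (\d+/\d+(?:-\d+)?) "
                     r"(port-control auto|re-authentication enable|auth-fail vlan \d+)")

def expand_ports(spec):
    """Expand a CatOS port spec such as '3/1-48' or '3/45' into 'mod/port' strings."""
    mod, rng = spec.split("/")
    lo, _, hi = rng.partition("-")
    return [f"{mod}/{p}" for p in range(int(lo), int(hi or lo) + 1)]

def audit_dot1x(config):
    """Parse CatOS 'set' lines; report missing global settings and per-port gaps."""
    seen, ports = set(), {}  # ports: 'mod/port' -> set of dot1x settings applied
    for line in (l.strip() for l in config.splitlines()):
        seen.update(k for prefix, k in GLOBALS.items() if line.startswith(prefix))
        if m := PORT_RE.match(line):
            setting = m.group(2).split()[0]  # port-control / re-authentication / auth-fail
            for p in expand_ports(m.group(1)):
                ports.setdefault(p, set()).add(setting)
    # Only ports actually placed under 802.1X control (port-control auto) are audited.
    enforced = [p for p in sorted(ports, key=lambda p: tuple(map(int, p.split("/"))))
                if "port-control" in ports[p]]
    return {
        "missing_global": sorted(set(GLOBALS.values()) - seen),
        "ports_without_reauth": [p for p in enforced if "re-authentication" not in ports[p]],
        "ports_without_auth_fail_vlan": [p for p in enforced if "auth-fail" not in ports[p]],
    }
```

Run `audit_dot1x(SAMPLE_CONFIG)` to see port 3/48 flagged as lacking re-authentication; feed it the output of your own saved configuration to audit a real switch.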
