CÔNG TY TNHH CÔNG NGHỆ VIỆT THÁI DƯƠNG

NTT03, Line 1, Thống Nhất Complex, Thanh Xuân, Hà Nội.

Configure 802.1X Critical VLAN

Network Requirements

  • The PC is connected to the IP network through Device, and Device enables 802.1X access control.
  • The authentication mode is RADIUS authentication.
  • When the PC fails to authenticate because the server is unavailable, it is permitted to access only the Update Server.

Network Topology

Figure 12-11 Networking of configuring 802.1X Critical VLAN

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2, VLAN4, and VLAN5 on Device; configure the link type of gigabitethernet0/2 as Hybrid, permit the services of VLAN2 to pass untagged, and configure the PVID as 2.

Device#configure terminal
Device(config)#vlan 2,4,5
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit

#On gigabitethernet0/5 of Device, configure the port link type as Access, permit the services of VLAN5 to pass (omitted).

#Configure the port link type as Access on gigabitethernet0/4 of Device, permit the services of VLAN4 to pass (omitted).

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN4 as 130.255.167.1/24.

Device(config)#interface vlan 4
Device(config-if-vlan4)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan4)#exit

Step 3: Configure the AAA authentication.

#Enable AAA authentication on Device using the RADIUS authentication mode; the server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin

Step 4: Configure the AAA server.

#On the AAA server, configure the user name and password, and set the key value to admin (omitted).

Step 5: Configure the 802.1X authentication on Device.

#Enable the 802.1X authentication of gigabitethernet 0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit

#Enable MAC VLAN of gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#mac-vlan enable
Device(config-if-gigabitethernet0/2)#exit

#Configure the Critical VLAN of the port as VLAN5.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#authentication critical-vlan 5
Device(config-if-gigabitethernet0/2)#exit
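The Critical VLAN only does its job if the surrounding port configuration is consistent: the VLAN must exist, 802.1X port control must be enabled on the port, and the Critical VLAN must differ from the port's PVID, otherwise a RADIUS outage silently leaves users in the normal data VLAN. The script below is an added example (not part of this page or the vendor's tooling) that parses a CLI transcript in the `Device(<mode>)#<command>` prompt style used in Steps 1 and 5 and reports those inconsistencies. The transcript embedded in it is constructed to mirror the steps above; the prompt format and command spellings are taken from this page and are assumed to be stable.

```python
import re

# Constructed transcript that mirrors Steps 1 and 5 of this page (typed out here
# for the example, not captured from a device).
CONFIG_TRANSCRIPT = """\
Device#configure terminal
Device(config)#vlan 2,4,5
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#mac-vlan enable
Device(config-if-gigabitethernet0/2)#exit
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)# authentication critical-vlan 5
Device(config-if-gigabitethernet0/2)#exit
"""

# Prompt shape used throughout the page: Device(<mode>)#<command>
PROMPT = re.compile(r"^Device\(([^)]*)\)#\s*(.*)$")


def parse_vlan_list(spec):
    """Expand a VLAN list such as '2,4,5' or '2-5' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_transcript(text):
    """Return (created VLAN IDs, {interface: settings}) from a CLI transcript."""
    created, ports = set(), {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # e.g. "Device#configure terminal" carries no mode
        mode, cmd = m.group(1), m.group(2).strip()
        if mode == "config" and cmd.startswith("vlan "):
            created |= parse_vlan_list(cmd[len("vlan "):])
        elif mode.startswith("config-if-"):
            name = mode[len("config-if-"):]
            p = ports.setdefault(name, {"mode": None, "pvid": None, "dot1x": False,
                                        "mac_vlan": False, "critical_vlan": None})
            if cmd.startswith("switchport mode "):
                p["mode"] = cmd.split()[-1]
            elif cmd.startswith("switchport hybrid pvid vlan "):
                p["pvid"] = int(cmd.split()[-1])
            elif cmd == "dot1x port-control enable":
                p["dot1x"] = True
            elif cmd == "mac-vlan enable":
                p["mac_vlan"] = True
            elif cmd.startswith("authentication critical-vlan "):
                p["critical_vlan"] = int(cmd.split()[-1])
    return created, ports


def lint_critical_vlan(text):
    """Return a list of findings; an empty list means the checks passed."""
    created, ports = parse_transcript(text)
    findings = []
    for name, p in ports.items():
        cv = p["critical_vlan"]
        if cv is None:
            continue  # no critical VLAN on this port, nothing to check
        if not p["dot1x"]:
            findings.append(f"{name}: critical VLAN set but dot1x port-control is not enabled")
        if cv not in created:
            findings.append(f"{name}: critical VLAN {cv} was never created")
        if p["pvid"] == cv:
            findings.append(f"{name}: critical VLAN {cv} equals the PVID, so a RADIUS "
                            "outage would leave users in the normal data VLAN")
        if not p["mac_vlan"]:
            findings.append(f"{name}: mac-vlan is not enabled (the procedure enables it "
                            "on the 802.1X port)")
    return findings


if __name__ == "__main__":
    for f in lint_critical_vlan(CONFIG_TRANSCRIPT) or ["no findings"]:
        print(f)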

Step 6: Check the result.

#Because the server is abnormal, Device cannot ping the server. As a result, the user authentication fails because the server is not available. PC user is in Critical VLAN and can access Update Server.

Device#show dot1x user
----------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=     Unauth(critical) USER_NAME= admin
         VLAN=    5       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= CRITICAL_HELD BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
 Total: 1 Authorized: 0 Unauthorized/guest/critical: 0/0/1 Unknown: 0

#The port gigabitethernet0/2 is added to Critical VLAN.

Device#show vlan 5 
---- ---- ---------  -----  --------  ------------
NO.  VID  VLAN-Name  Owner  Mode      Intergice  
---- ---- ---------  -----  --------  ------------          
1    5    VLAN5      static Untagged  gi0/2  gi0/5