Network Requirements
- PC connects to the IP network through Device, which enforces 802.1X access control on the connecting port.
- Authentication is performed against a RADIUS server.
- When the PC cannot authenticate because the RADIUS server is unavailable, it is permitted to access only the Update Server.
Network Topology
Figure 12-11 Networking of configuring 802.1X Critical VLAN
Configuration Steps
Step 1: Configure the link type of the VLAN and interface on Device.
#Create VLAN 2, VLAN 4 and VLAN 5 on Device; set the link type of gigabitethernet0/2 to Hybrid, permit VLAN 2 to pass untagged and set the PVID to 2.
Device#configure terminal
Device(config)#vlan 2,4,5
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit
#Set the link type of gigabitethernet0/5 to Access and permit VLAN 5 to pass (omitted).
#Set the link type of gigabitethernet0/4 to Access and permit VLAN 4 to pass (omitted).
Step 2: Configure the interface IP address of Device.
#Configure the IP address of interface VLAN 4 as 130.255.167.1/24.
Device(config)#interface vlan 4
Device(config-if-vlan4)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan4)#exit
Step 3: Configure the AAA authentication.
#Enable AAA on Device and use RADIUS as the 802.1X authentication method; the RADIUS server address is 130.255.167.167, the shared key is admin and the server priority is 1.
Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin
Step 4: Configure the AAA server.
#On the RADIUS server, configure the user name and password, and set the shared key to admin so that it matches the key configured on Device (omitted).
Step 5: Configure the 802.1X authentication on Device.
#Enable 802.1X authentication on gigabitethernet0/2.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit
#Enable MAC VLAN on gigabitethernet0/2, so that the supplicant's MAC address can be moved into the Critical VLAN.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#mac-vlan enable
Device(config-if-gigabitethernet0/2)#exit
#Configure VLAN 5 as the Critical VLAN of the port. A user placed in this VLAN has not been authenticated, so the VLAN should carry only the Update Server (reached through gigabitethernet0/5) and nothing else.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#authentication critical-vlan 5
Device(config-if-gigabitethernet0/2)#exit
Step 6: Check the result.
#With the RADIUS server unreachable (Device cannot ping it), the user's authentication fails because the server is not available. The PC is placed in the Critical VLAN and can access the Update Server.
Device#show dot1x user
----------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS= Unauth(critical) USER_NAME= admin
VLAN= 5 INTERFACE= gi0/2 USER_TYPE= DOT1X
AUTH_STATE= CRITICAL_HELD BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
Total: 1 Authorized: 0 Unauthorized/guest/critical: 0/0/1 Unknown: 0
#Port gigabitethernet0/2 has been added to the Critical VLAN.
Device#show vlan 5
---- ---- --------- ----- -------- ------------
NO. VID VLAN-Name Owner Mode Interface
---- ---- --------- ----- -------- ------------
1 5 VLAN5 static Untagged gi0/2 gi0/5
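The following added example (not vendor code and not part of this guide) models the decision Device makes in Steps 5 and 6 and parses the `show dot1x user` output from Step 6. The VLAN numbers, interface names and the first session are taken from this page; the second session (user `alice` on `gi0/3`) is constructed, and the state names `AUTHENTICATED` and `HELD` for the accept and reject cases are assumptions, since the page only shows `CRITICAL_HELD`. The security-relevant point it encodes is that only an unreachable RADIUS server may land a user in the Critical VLAN; an Access-Reject for bad credentials must not.

```python
"""Added example: critical-VLAN decision logic and a parser for
`show dot1x user` output. Not the switch vendor's code."""
import re
from dataclasses import dataclass
from enum import Enum


class RadiusOutcome(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no response"   # every server in the group timed out


@dataclass(frozen=True)
class PortState:
    status: str      # as shown by `show dot1x user`: Auth / Unauth / Unauth(critical)
    vlan: int        # VLAN the supplicant's MAC is placed in (0 = none)
    auth_state: str  # AUTH_STATE column


CRITICAL_VLAN = 5   # `authentication critical-vlan 5` on gi0/2
PVID = 2            # `switchport hybrid pvid vlan 2` on gi0/2


def decide(outcome, assigned_vlan=None, critical_vlan=CRITICAL_VLAN, pvid=PVID):
    """Map the RADIUS result to the port state.

    Only server unavailability may place a user in the critical VLAN.
    A rejected credential stays unauthorized with no VLAN membership, so a
    bad password can never be used to reach the Update Server network."""
    if outcome is RadiusOutcome.ACCEPT:
        # A server-assigned VLAN wins; otherwise the port PVID applies.
        return PortState("Auth", assigned_vlan or pvid, "AUTHENTICATED")  # assumed name
    if outcome is RadiusOutcome.TIMEOUT and critical_vlan is not None:
        return PortState("Unauth(critical)", critical_vlan, "CRITICAL_HELD")
    # REJECT, or TIMEOUT with no critical VLAN configured: stay blocked.
    return PortState("Unauth", 0, "HELD")  # assumed name


# Constructed sample: session 1 copied from the page, session 2 invented.
SHOW_DOT1X_USER = """\
----------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS= Unauth(critical) USER_NAME= admin
VLAN= 5 INTERFACE= gi0/2 USER_TYPE= DOT1X
AUTH_STATE= CRITICAL_HELD BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
NO 2 : MAC_ADDRESS= 0011.2233.4455 STATUS= Auth USER_NAME= alice
VLAN= 2 INTERFACE= gi0/3 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
Total: 2 Authorized: 1 Unauthorized/guest/critical: 0/0/1 Unknown: 0
"""

KV = re.compile(r"(\w+)=\s*(\S+)")


def parse_dot1x_users(text):
    """Split `show dot1x user` output into one dict per session.

    Each session starts with a 'NO n :' line; every 'KEY= value' pair on the
    following lines belongs to that session until the next 'NO n :' line."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("NO "):
            current = {}
            sessions.append(current)
        if current is not None and not line.startswith("Total"):
            current.update(KV.findall(line))
    return sessions


def critical_sessions(sessions):
    """Sessions parked in the critical VLAN. One or more of these means the
    RADIUS group is unreachable and those ports are open, unauthenticated,
    to whatever the critical VLAN can reach, so this is worth alerting on."""
    return [s for s in sessions if s.get("AUTH_STATE") == "CRITICAL_HELD"]


if __name__ == "__main__":
    for outcome in RadiusOutcome:
        print(outcome.value, "->", decide(outcome))
    for s in critical_sessions(parse_dot1x_users(SHOW_DOT1X_USER)):
        print("critical:", s["INTERFACE"], s["MAC_ADDRESS"], s["USER_NAME"])
```

Run the script as-is to see the three outcomes and the one critical session; feed `parse_dot1x_users` the real command output collected over SSH to turn the Step 6 check into a monitoring job that fires whenever a port falls back to VLAN 5.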