Configure 802.1X Macbased Authentication

Network Requirements

1. The user PC1 and PC2 on one VLAN are connected to IP Network via Device. Device adopts the 802.1X access control;
2. The authentication mode adopts the RADIUS authentication;
3. When PC does not pass the authentication, only permit accessing Update Server; after passing the authentication, only permit accessing IP Network;
4. After one user on LAN passes authentication, the other users on the VLAN still cannot access IP Network without passing the authentication.

Network Topology

Figure 12-7 Networking of configuring 802.1X Macbased authentication

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2–VLAN5 on Device.

#Configure the link type of interface gigabitethernet 0/2 as Hybrid, permitting services of VLAN2 to pass. Conifgure PVID as 2.

#Configure the port link type on gigabitethernet0/3-gigabitethernet0/5 of Device as Access, permitting the services of VLAN3-VLAN5 to pass respectively. (Omitted)

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN5 as 130.255.167.1/24.

Step 3: Configure the AAA authentication.

#Enable the AAA authentication on Device, adopt the RADIUS authentication mode, the server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Step 4: Configure the AAA server.

#Configure the user name, password and key as admin on the AAA server. (Omitted)

#On the AAA server, configure RADIUS to deliver the three attributes of Auto VLAN: 64 is VLAN, 65 is 802, and 81 is VLAN3. (Omitted)

Step 5: Configure the 802.1X authentication.

#Enable the 802.1X authentication on the port and configure the authentication mode as Macbased.

#Enable MAC VLAN of gigabitethernet0/2.

#Configure Guest VLAN of the port as VLAN4.

Step 6: Check the result.

#Before passing the authentication, gigabitethernet0/2 is added to Guest VLAN. Here. PC1 and PC2 are in VLAN4, and PC1 and PC2 can access Update server.

Device#show vlan 4 
---- ---- ----------  ------  --------  -----------------
NO.  VID  VLAN-Name   Owner   Mode      Interface            
1    4    VLAN0004    static  Untagged  gi0/2  gi0/4 

#After the PC1 user initiates the authentication and passes the authentication, PC1 user is in Auto VLAN3 and can access IP Network. Here, PC2 still cannot access IP Network without authentication.

Device#show dot1x user
---------------------------------------  
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=     Authorized    USER_NAME= admin
         VLAN=    3       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hours 0 minute 51 seconds

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0

#After PC2 user inputs the wrong user name or password and failed to be authenticated, PC2 user is in Guest VLAN4 and can access Update Server.

Device#show dot1x user 
------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f395 STATUS=     Unauth(guest)   USER_NAME= admin
        VLAN=    4              INTERFACE= gi0/2             USER_TYPE= DOT1X
        AUTH_STATE= GUEST_HELD     BACK_STATE= IDLE               IP_ADDRESS= Unknown
        IPV6_ADDRESS= Unknown
 
Total:1  Authorized: 0 Unauthorized/guest/critical: 0/1/0 Unknown: 0