Configure 802.1X Portbased Authentication

Network Requirements

  1. Users PC1 and PC2, on one VLAN, are connected to IP Network via Device. 802.1X access control is enabled on Device.
  2. The authentication mode is RADIUS authentication.
  3. Before a user passes authentication, the user is permitted to access only Update Server; after the user passes authentication, the user is permitted to access IP Network.
  4. After one user on the LAN passes authentication, the other users on the VLAN can access IP Network without authentication.

Network Topology

Figure 12–6 Networking of configuring 802.1X Portbased authentication

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2-VLAN5 on Device.

Device#configure terminal
Device(config)#vlan 2-5
Device(config)#exit

#Configure the link type of interface gigabitethernet0/2 as Access, permitting the services of VLAN2 to pass.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode access
Device(config-if-gigabitethernet0/2)#switchport access vlan 2
Device(config-if-gigabitethernet0/2)#exit

#Configure the port link type on gigabitethernet0/3~gigabitethernet0/5 of Device as Access, permitting the services of VLAN3-VLAN5 to pass respectively. (Omitted)

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN5 as 130.255.167.1/24.

Device(config)#interface vlan 5
Device(config-if-vlan5)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan5)#exit

Step 3: Configure the AAA authentication.

#Enable the AAA authentication on Device, and adopt the RADIUS authentication mode. The server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin

Step 4: Configure the AAA server.

#Configure the user name, password and key as admin on the AAA server. (Omitted)

#On the AAA server, configure RADIUS to deliver the three Auto VLAN attributes: attribute 64 is VLAN, attribute 65 is 802, and attribute 81 is VLAN3. (Omitted)
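
The three attributes in Step 4 are RADIUS attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID), encoded as defined in RFC 2868. The Python below is an added example, not part of the original guide or any vendor tooling: it decodes them from the attribute bytes of an Access-Accept (for instance, taken from a packet capture) so the server side of Auto VLAN can be checked before troubleshooting the switch. The sample bytes are constructed, and sending VLAN3 as the string "3" is an assumption.

```python
# Added example: decode the Auto VLAN attributes (64/65/81) from the
# attribute bytes of a RADIUS Access-Accept (RFC 2868 encoding).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "802" (RFC 2868)

# Constructed sample: "64 is VLAN, 65 is 802, 81 is VLAN3", tag 0 (unused).
# Assumption: the server names VLAN3 by its ID, as the string "3".
SAMPLE = (
    bytes([64, 6, 0]) + TYPE_VLAN.to_bytes(3, "big")
    + bytes([65, 6, 0]) + MEDIUM_IEEE_802.to_bytes(3, "big")
    + bytes([81, 3]) + b"3"
)


def parse_attributes(data: bytes):
    """Yield (type, value) per TLV; raise ValueError on malformed input."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length in attribute {atype}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def assigned_vlan(data: bytes):
    """Return the attribute 81 string, or None unless attribute 64 is
    VLAN and attribute 65 is 802 (the values Step 4 lists)."""
    found = {}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {atype}: want tag + 3 octets")
            found[atype] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x1F or below is a tag; above that it is text.
            if value and value[0] <= 0x1F:
                value = value[1:]
            found[atype] = value.decode("ascii")
    kind = (found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE))
    if kind != (TYPE_VLAN, MEDIUM_IEEE_802):
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)
```

A result of None for a captured Access-Accept means one of the three attributes is missing or carries a different value than Step 4 lists.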

Step 5: Configure the port 802.1X authentication.

#Enable 802.1X authentication on the port and set the authentication mode to Portbased.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#authentication port-method portbased
Device(config-if-gigabitethernet0/2)#exit

#Configure Guest VLAN of the port as VLAN4.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#authentication guest-vlan 4
Device(config-if-gigabitethernet0/2)#exit

Step 6: Check the result.

#Before authentication is passed, gigabitethernet0/2 is added to Guest VLAN. Here, PC1 and PC2 users are in VLAN4 and are permitted to access Update Server.

Device#show vlan 4
----- ----  ----------   ------  ---------  --------------
NO.   VID   VLAN-Name    Owner   Mode       Interface   
----- ----  ----------   ------  ---------  --------------         
1     4     VLAN0004     static  Untagged   gi0/2  gi0/4 

#Verify that PC1 can pass the authentication; the authentication server delivers VLAN3. Here, PC1 and PC2 users are in VLAN3 and can access IP Network.

Device#show dot1x user
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS=      Authorized    USER_NAME= admin
         VLAN=    3       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hours 0 minute 51 seconds

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0