Network Requirements
- Users PC1 and PC2, on one VLAN, connect to IP Network via Device. Enable 802.1X access control on Device;
- Authentication uses RADIUS;
- Before a user passes authentication, permit access only to Update Server; after the user passes authentication, permit access to IP Network;
- After one user on the LAN passes authentication, the other users on the VLAN can access IP Network without authenticating.
Network Topology
Figure 12–6 Networking of configuring 802.1X Portbased authentication
Configuration Steps
Step 1: Configure the link type of the VLAN and interface on Device.
#Create VLAN2-VLAN5 on Device.
Device#configure terminal
Device(config)# vlan 2-5
Device(config)#exit
#Configure the link type of interface gigabitethernet0/2 as Access, permitting VLAN2 traffic to pass.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode access
Device(config-if-gigabitethernet0/2)#switchport access vlan 2
Device(config-if-gigabitethernet0/2)#exit
#Configure the link type of gigabitethernet0/3 to gigabitethernet0/5 on Device as Access, permitting the traffic of VLAN3 to VLAN5 to pass respectively. (Omitted)
Step 2: Configure the interface IP address of Device.
#Configure the IP address of VLAN5 as 130.255.167.1/24.
Device(config)#interface vlan 5
Device(config-if-vlan5)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan5)#exit
Step 3: Configure the AAA authentication.
#Enable AAA authentication on Device using RADIUS. The server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.
Device(config)#domain system
Device(config-isp-system)# aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin
Step 4: Configure the AAA server.
#Configure the user name, password and key as admin on the AAA server. (Omitted)
#On the AAA server, configure RADIUS to deliver the three Auto VLAN attributes: attribute 64 is VLAN, attribute 65 is 802, and attribute 81 is VLAN3. (Omitted)
Step 5: Configure the port 802.1X authentication.
#Enable 802.1X authentication on the port with the port-based authentication method.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)# authentication port-method portbased
Device(config-if-gigabitethernet0/2)#exit
#Configure Guest VLAN of the port as VLAN4.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)# authentication guest-vlan 4
Device(config-if-gigabitethernet0/2)#exit
Step 6: Check the result.
#Before authentication, gigabitethernet0/2 belongs to the Guest VLAN, so PC1 and PC2 are in VLAN4 and are permitted to access Update Server.
Device#show vlan 4
-----  ----  ----------  ------  ---------  --------------
NO.    VID   VLAN-Name   Owner   Mode       Interface
-----  ----  ----------  ------  ---------  --------------
1      4     VLAN0004    static  Untagged   gi0/2 gi0/4
#Verify that PC1 passes authentication and that the authentication server delivers VLAN3. PC1 and PC2 are now in VLAN3 and can access IP Network.
Device#show dot1x user
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS= Authorized USER_NAME= admin
VLAN= 3 INTERFACE= gi0/2 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
Online time: 0 week 0 day 0 hours 0 minute 51 seconds
Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
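As an added illustration that is not part of this manual, the following Python encodes and validates the three RADIUS attributes from Step 4 the way a switch must before it moves the port out of the Guest VLAN, and applies the port-based rule from Step 6 (the whole port follows the authorized user, otherwise it stays in the Guest VLAN). Attribute codes and values follow RFC 2868 and RFC 3580 (64 Tunnel-Type = VLAN, 65 Tunnel-Medium-Type = IEEE-802, 81 Tunnel-Private-Group-ID = the VLAN number); the function names are the example's own and the Access-Accept bytes are constructed, not captured from Device.

```python
# RFC 2868 tunnel attributes carrying a dynamic VLAN assignment (RFC 3580 s.3.31).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type "VLAN", Tunnel-Medium-Type "IEEE-802"
def encode_vlan_attrs(vlan_id, tag=1):
    """Constructed Access-Accept attribute list assigning VLAN `vlan_id` (step 4's 64/65/81)."""
    attrs = [
        (TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ]
    # Wire format is Type(1) Length(1) Value; Length includes the 2-byte header.
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def parse_attrs(data):
    """Yield (type, value) pairs, rejecting truncated or overlong attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        t, length = data[pos], data[pos + 1]
        yield t, data[pos + 2:pos + length]
        pos += length

def split_tag(value):
    """Return (tag, payload); a first byte of 0x00-0x1F is the RFC 2868 tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_from_access_accept(data):
    """VLAN ID the switch should apply, or None when the 64/65/81 triple is missing or wrong."""
    per_tag = {}
    for t, v in parse_attrs(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = split_tag(v)
            per_tag.setdefault(tag, {})[t] = payload
    for attrs in per_tag.values():  # all three attributes must share one tag
        if (len(attrs) == 3
                and int.from_bytes(attrs[TUNNEL_TYPE], "big") == VLAN
                and int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") == IEEE_802):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None

def port_vlan(authorized_users, server_vlan, guest_vlan):
    """Port-based 802.1X: the port follows the authorized user's VLAN, else the Guest VLAN."""
    return server_vlan if authorized_users > 0 else guest_vlan
```

An Access-Accept that carries only some of the three attributes, or a Tunnel-Medium-Type other than IEEE-802, yields None, so the port stays in the Guest VLAN instead of being moved to an unintended VLAN.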