CÔNG TY TNHH CÔNG NGHỆ VIỆT THÁI DƯƠNG

Configure Using 802.1x with Port Security

Network Requirements

  • The PCs are connected to the IP network via Device; Device enables 802.1X access control and port security.
  • The authentication mode is RADIUS authentication.
  • The configured port security rules do not match the MAC address of PC1, so PC1 can pass authentication and access the IP network.
  • A port security deny rule matches the MAC address of PC2, so PC2 cannot pass authentication.

Network Topology

Figure 12-12 Networking of configuring using 802.1X with port security

Configuration Steps

Step 1: Configure the link type of the VLAN and interface on Device.

#Create VLAN2, VLAN4, and VLAN5 on Device, configure the port link type of gigabitethernet0/2 as Hybrid, permit the traffic of VLAN2 to pass untagged, and configure the PVID as 2.

Device#configure terminal
Device(config)#vlan 2,4
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit

#On gigabitethernet0/4 of Device, configure the port link type as Access, permit the services of VLAN4 to pass (omitted).

Step 2: Configure the interface IP address of Device.

#Configure the IP address of VLAN4 as 130.255.167.1/24.

Device(config)#interface vlan 4
Device(config-if-vlan4)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan4)#exit

Step 3: Configure the AAA authentication.

#Enable the AAA authentication on Device, adopt the RADIUS authentication mode, the server key is admin, the priority is 1, and the RADIUS server address is 130.255.167.167/24.

Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin

Step 4: Configure the AAA server.

#On the AAA server, configure the user name, password, and key value as admin (omitted).

Step 5: Configure the 802.1X authentication on Device.

#Enable the 802.1X authentication on gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit

Step 6: Configure the port security on Device.

#Enable the port security on the port gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#port-security enable
Device(config-if-gigabitethernet0/2)#exit

#Configure the port security rule on the port gigabitethernet0/2.

Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#port-security deny mac-address 3883.45EF.7984
Device(config-if-gigabitethernet0/2)#exit

Step 7: Check the result.

#PC1 user can authenticate successfully and access IP Network after passing the authentication.

Device#show dot1x user 
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS=     Authorized    USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
 
         Online time: 0 week 0 day 0 hour 0 minute 1 second

 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0

#PC2 user cannot authenticate successfully and cannot access the network.
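
The Step 7 check can be scripted. The Python below is an added example, not part of the vendor procedure: it parses the show dot1x user output format shown above and reports any session that is Authorized although its MAC address matches a port security deny rule, comparing addresses case-insensitively because Step 6 enters the MAC in upper case while the device prints it in lower case. The function names are hypothetical, and the parser assumes the KEY= value layout seen in that output.

```python
import re

# Output from Step 7 of this page (blank lines dropped); a live check would capture it from the device.
SAMPLE_OUTPUT = """\
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS=     Authorized    USER_NAME= admin
         VLAN=    2       INTERFACE= gi0/2            USER_TYPE= DOT1X
         AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE             IP_ADDRESS= Unknown
         IPV6_ADDRESS= Unknown
         Online time: 0 week 0 day 0 hour 0 minute 1 second
 Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
"""
DENY_MACS = ["3883.45EF.7984"]  # deny rule from Step 6 (PC2), upper case as configured


def norm_mac(mac):
    """Reduce any MAC notation (dotted, colon, dash, mixed case) to 12 lower-case hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_dot1x_users(text):
    """Return one dict per 'NO n :' record, built from its KEY= value pairs."""
    users = []
    for line in text.splitlines():
        if re.match(r"\s*NO\s+\d+\s*:", line):
            users.append({})  # a new record starts here
        if users:
            for key, value in re.findall(r"([A-Z0-9_]+)=\s*(\S+)", line):
                users[-1][key] = value
    return users


def denied_but_authorized(text, deny_macs):
    """List sessions that are Authorized although their MAC is on the deny list."""
    denied = {norm_mac(m) for m in deny_macs}
    return [u for u in parse_dot1x_users(text)
            if u.get("STATUS") == "Authorized" and norm_mac(u["MAC_ADDRESS"]) in denied]


def summary_matches(text):
    """Cross-check the 'Total: / Authorized:' footer against the parsed records."""
    users = parse_dot1x_users(text)
    authorized = sum(u.get("STATUS") == "Authorized" for u in users)
    m = re.search(r"Total:\s*(\d+)\s+Authorized:\s*(\d+)", text)
    return bool(m) and (int(m[1]), int(m[2])) == (len(users), authorized)
```

An empty result from denied_but_authorized together with a true summary_matches corresponds to the outcome described in Step 7.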