Network Requirements
- PC1 and PC2 are connected to IP Network via Device; 802.1X access control and port security are enabled on Device.
- RADIUS is used as the authentication mode.
- Configure a port security rule that does not match the MAC address of PC1, so that PC1 can pass the authentication and access IP Network.
- Configure a port security deny rule that matches the MAC address of PC2, so that PC2 cannot pass the authentication.
Network Topology
Figure 12-12 Networking of configuring using 802.1X with port security
Configuration Steps
Step 1: Configure the link type of the VLAN and interface on Device.
#Create VLAN2, VLAN4, and VLAN5 on Device; configure the link type of gigabitethernet0/2 as Hybrid, permit the services of VLAN2 to pass, and configure the PVID as 2.
Device#configure terminal
Device(config)#vlan 2,4
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#switchport mode hybrid
Device(config-if-gigabitethernet0/2)#switchport hybrid untagged vlan 2
Device(config-if-gigabitethernet0/2)#switchport hybrid pvid vlan 2
Device(config-if-gigabitethernet0/2)#exit
#On gigabitethernet0/4 of Device, configure the port link type as Access, permit the services of VLAN4 to pass (omitted).
Step 2: Configure the interface IP address of Device.
#Configure the IP address of VLAN4 as 130.255.167.1/24.
Device(config)#interface vlan 4
Device(config-if-vlan4)#ip address 130.255.167.1 255.255.255.0
Device(config-if-vlan4)#exit
Step 3: Configure the AAA authentication.
#Enable AAA authentication on Device in RADIUS mode; the RADIUS server address is 130.255.167.167/24, the server key is admin, and the priority is 1.
Device(config)#domain system
Device(config-isp-system)#aaa authentication dot1x radius-group radius
Device(config-isp-system)#exit
Device(config)#aaa server group radius radius
Device(config-sg-radius-radius)#server 130.255.167.167 priority 1 key admin
Step 4: Configure the AAA server.
#On the AAA server, configure the user name, password, and key value as admin (omitted).
Step 5: Configure the 802.1X authentication on Device.
#Enable the 802.1X authentication on gigabitethernet0/2.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dot1x port-control enable
Device(config-if-gigabitethernet0/2)#exit
Step 6: Configure the port security on Device.
#Enable the port security on the port gigabitethernet0/2.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#port-security enable
Device(config-if-gigabitethernet0/2)#exit
#Configure the port security rule on the port gigabitethernet0/2.
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#port-security deny mac-address 3883.45EF.7984
Device(config-if-gigabitethernet0/2)#exit
Step 7: Check the result.
#PC1 user can authenticate successfully and access IP Network after passing the authentication.
Device#show dot1x user
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS= Authorized USER_NAME= admin
VLAN= 2 INTERFACE= gi0/2 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
Online time: 0 week 0 day 0 hour 0 minute 1 second
Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
#PC2 user cannot authenticate successfully and cannot access the network.
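The following Python script is an added verification aid, not part of the manual or the device software: it parses `show dot1x user` output in the format shown in Step 7 and reports any MAC address configured under `port-security deny mac-address` that nevertheless shows as Authorized. It normalizes MAC notation, since the CLI accepts uppercase dotted form (3883.45EF.7984) while the show output prints lowercase; the sample output embedded below is constructed from Step 7, and the denied MAC list is taken from Step 6.

```python
import re

# Sample `show dot1x user` output, constructed to match the format shown in
# Step 7 (one authorized entry for PC1); not captured from a real device.
SAMPLE_SHOW_DOT1X_USER = """\
--------------------------------------------------
NO 1 : MAC_ADDRESS= 3883.45ef.f381 STATUS= Authorized USER_NAME= admin
VLAN= 2 INTERFACE= gi0/2 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
IPV6_ADDRESS= Unknown
Online time: 0 week 0 day 0 hour 0 minute 1 second
Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
"""

# MAC addresses denied by `port-security deny mac-address` on gi0/2 (Step 6).
DENIED_MACS = ["3883.45EF.7984"]

def normalize_mac(mac):
    """Reduce any common MAC notation (xxxx.xxxx.xxxx, xx:xx:..., xx-xx-...)
    to 12 lowercase hex digits so CLI and show-output spellings compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

# One 802.1X user entry: the MAC and its STATUS field on the "NO n :" line.
ENTRY_RE = re.compile(
    r"MAC_ADDRESS=\s*(?P<mac>[0-9a-fA-F.:-]+)\s+STATUS=\s*(?P<status>\S+)")

def parse_dot1x_users(text):
    """Return a list of (normalized_mac, status) pairs from show output."""
    return [(normalize_mac(m.group("mac")), m.group("status"))
            for m in ENTRY_RE.finditer(text)]

def check_port_security(text, denied_macs):
    """Return (authorized, violations): MACs currently Authorized, and the
    subset of them that is on the deny list. A non-empty violations list
    means the deny rule is not taking effect and Step 6 should be rechecked."""
    denied = {normalize_mac(m) for m in denied_macs}
    authorized = [mac for mac, status in parse_dot1x_users(text)
                  if status == "Authorized"]
    violations = sorted(set(authorized) & denied)
    return authorized, violations

if __name__ == "__main__":
    auth, bad = check_port_security(SAMPLE_SHOW_DOT1X_USER, DENIED_MACS)
    print("authorized:", auth, "denied-but-authorized:", bad)
```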