Network Requirements
- The access device Device1 connects to the IP network through the authentication device Device2; Device2 enforces device authentication access control on the link.
- Device1 periodically initiates keepalive authentication.
- Authentication uses the RADIUS authentication mode.
- Only after Device1 has passed access device authentication is the PC permitted to access the network.
Network Topology
Figure 14-2 Networking of configuring trusted device access
Configuration Steps
Step 1: On Device1, configure the VLAN and the port link type.
#On gigabitethernet 0/2 of Device1, set the port link type to Access and add the port to VLAN2, so that VLAN2 traffic passes.
Device1(config)#interface gigabitethernet 0/2
Device1(config-if-gigabitethernet0/2)#switchport mode access
Device1(config-if-gigabitethernet0/2)#switchport access vlan 2
Device1(config-if-gigabitethernet0/2)#exit
#On gigabitethernet 0/1 of Device1, the link to Device2, set the port link type to Hybrid and add the port to VLAN2 in Tagged mode.
Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#switchport mode hybrid
Device1(config-if-gigabitethernet0/1)#switchport hybrid tagged vlan 2
Device1(config-if-gigabitethernet0/1)#exit
Step 2: On Device2, configure the VLANs and the port link type.
#On Device2, create VLAN2 and VLAN3.
Device2#configure terminal
Device2(config)#vlan 2-3
Device2(config)#exit
#On gigabitethernet 0/1 of Device2, the link to Device1, set the port link type to Hybrid and add the port to VLAN2 in Tagged mode.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#switchport mode hybrid
Device2(config-if-gigabitethernet0/1)#switchport hybrid tagged vlan 2
Device2(config-if-gigabitethernet0/1)#exit
#On gigabitethernet 0/2 and gigabitethernet 0/3 of Device2, set the port link type to Access, permitting VLAN2 and VLAN3 traffic to pass. (Omitted)
Step 3: On Device2, configure the interface IP address.
#On Device2, configure the IP address of the VLAN3 interface as 130.255.167.1/24; this is the interface through which Device2 reaches the RADIUS server.
Device2(config)#interface vlan 3
Device2(config-if-vlan3)#ip address 130.255.167.1 255.255.255.0
Device2(config-if-vlan3)#exit
Step 4: On Device2, configure AAA authentication.
#On Device2, enable AAA, use RADIUS as the default authentication method for connections, and configure the RADIUS server 130.255.167.167 (in the 130.255.167.0/24 subnet of VLAN3) with priority 1 and shared key admin. The shared key is what authenticates the RADIUS exchange between Device2 and the server in both directions; admin is only an example value, and a real deployment should use a long random key.
Device2(config)#aaa new-model
Device2(config)#aaa authentication connection default radius
Device2(config)#radius-server host 130.255.167.167 priority 1 key admin
Step 5: Configure the AAA server.
#On the AAA server, create a user with user name admin and password admin, and set the RADIUS shared key to admin so that it matches Step 4. (Omitted)
Step 6: On Device1, configure trusted device access.
#On Device1, configure the user name and password that the trusted device presents during access authentication; they must match the account created on the AAA server in Step 5. The 0 before the password indicates that the password is entered in plaintext.
Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client user admin password 0 admin
Device1(config-if-gigabitethernet0/1)#exit
#On Device1, configure the port to actively send EAPOL-Start packets at an interval of 10 s to initiate 802.1X device authentication.
Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client auth-interval 10
Device1(config-if-gigabitethernet0/1)#exit
#On Device1, enable the trusted device access function (the 802.1X client) on the port.
Device1(config)#interface gigabitethernet 0/1
Device1(config-if-gigabitethernet0/1)#dot1x client enable
Device1(config-if-gigabitethernet0/1)#exit
Step 7: On Device2, configure 802.1X device authentication.
#On Device2, enable 802.1X authentication on gigabitethernet 0/1, the port facing Device1.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x port-control enable
Device2(config-if-gigabitethernet0/1)#exit
#On Device2, enable 802.1X device authentication on the port.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x device-auth enable
Device2(config-if-gigabitethernet0/1)#exit
#On Device2, set the keepalive period of 802.1X device authentication to 120 s. This is the interval of the keepalive authentication that Device1 performs, and it is reported on Device1 in Step 8.
Device2(config)#interface gigabitethernet 0/1
Device2(config-if-gigabitethernet0/1)#dot1x device-auth keepalive 120
Device2(config-if-gigabitethernet0/1)#exit
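The RADIUS leg of the exchange that Steps 4 to 7 set up, as an added example in Python that is not part of this document or the vendor's software: Device2, acting as the NAS, relays Device1's EAP-Response/Identity for user admin to the RADIUS server in an Access-Request, and the server's Access-Accept carrying EAP-Success is checked on the way back. Both directions are bound by the shared key from Step 4 (admin here): the Message-Authenticator attribute (RFC 3579) is an HMAC-MD5 over the packet, and the Response Authenticator (RFC 2865) is an MD5 over the reply plus the secret, so a host that does not know the key cannot forge an Access-Accept for the port. The EAP method rounds between Response/Identity and EAP-Success are omitted because the page does not state which EAP method is used; the MAC address, packet identifiers and Request Authenticator are constructed sample values.

```python
# RADIUS carrying EAP: what the shared key configured in Step 4 actually protects.
# Added example, not from the vendor documentation. Device2 is the NAS and
# 130.255.167.167 the server; the EAP method rounds are omitted because the page
# does not state the EAP method. Formats follow RFC 2865 and RFC 3579; the MAC
# address, identifiers and Request Authenticator below are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity that the 802.1X client (Device1) sends for its user name."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _zero_message_authenticator(attrs):
    """Return (attrs with the Message-Authenticator value zeroed, the original value or None)."""
    out, found, pos = bytearray(attrs), None, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute list")
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            found = attrs[pos + 2:pos + 18]
            out[pos + 2:pos + 18] = bytes(16)
        pos += alen
    return bytes(out), found


def build_access_request(secret, ident, request_auth, username, nas_ip, mac, eap_id):
    """Access-Request in which the NAS (Device2) relays the client's EAP-Response/Identity."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_CALLING_STATION_ID, mac.encode())
             + attr(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, username))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero while computing the HMAC
    # RFC 3579: HMAC-MD5 over the whole packet, keyed with the shared secret
    ma = hmac.new(secret, _packet(ACCESS_REQUEST, ident, request_auth, attrs), hashlib.md5).digest()
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs[:-16] + ma)


def verify_access_request(secret, request):
    """Server side: drop requests whose Message-Authenticator was not made with our secret."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST or len(request) != struct.unpack("!H", request[2:4])[0]:
        return False
    zeroed, ma = _zero_message_authenticator(request[20:])
    if ma is None:  # EAP over RADIUS requires Message-Authenticator (RFC 3579 section 3.2)
        return False
    return hmac.compare_digest(hmac.new(secret, request[:20] + zeroed, hashlib.md5).digest(), ma)


def build_access_accept(secret, request, eap_id):
    """Access-Accept carrying EAP-Success, bound to the request by both authenticators."""
    ident, req_auth = request[1], request[4:20]
    attrs = (attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    # a reply's Message-Authenticator is computed with the Request Authenticator in the header
    ma = hmac.new(secret, _packet(ACCESS_ACCEPT, ident, req_auth, attrs), hashlib.md5).digest()
    attrs = attrs[:-16] + ma
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_access_response(secret, request, response):
    """NAS side: accept an Accept/Reject only if it was produced with the shared secret for
    exactly this request; a spoofed Access-Accept from an on-path host fails both checks."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    if response[1] != request[1] or response[0] not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    req_auth, attrs = request[4:20], response[20:]
    if not hmac.compare_digest(hashlib.md5(response[:4] + req_auth + attrs + secret).digest(), response[4:20]):
        return False
    zeroed, ma = _zero_message_authenticator(attrs)
    if ma is None:
        return False
    return hmac.compare_digest(hmac.new(secret, response[:4] + req_auth + zeroed, hashlib.md5).digest(), ma)


if __name__ == "__main__":
    secret = b"admin"  # the key from Step 4; a real deployment should use a long random key
    req = build_access_request(secret, 7, os.urandom(16), "admin", "130.255.167.1", "38-83-45-EF-79-84", 1)
    resp = build_access_accept(secret, req, 1)
    print("request ok:", verify_access_request(secret, req), "accept ok:", verify_access_response(secret, req, resp))
    print("accept checked with the wrong secret:", verify_access_response(b"guessme", req, resp))
```

Run it as a script to see both checks pass with the configured key and fail with any other. The same property is why the key deserves a long random value rather than admin: with a short key, the Message-Authenticator and Response Authenticator of a single captured exchange can be brute-forced offline, after which Access-Accept packets for the port can be forged.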
Step 8: Check the result.
#Before Device1 passes access device authentication, the PC cannot access the network; after authentication succeeds, the PC accesses the network normally.
#On Device1, check the state of the 802.1X client on gigabitethernet 0/1. The Keep Alive Interval line shows the 120 s configured on Device2 in Step 7, marked (802.1X Server) because it was set by the authenticator rather than locally.
Device1#show dot1x client user
Interface : gi0/1
Status : Authorized
State Machine State : AUTHENTICATED
Keep Alive Interval : 120 sec (802.1X Server)
#On Device2, check the device authenticated on gigabitethernet 0/1. The entry shows the MAC address and user name of Device1 and that it is authorized in VLAN2.
Device2#show dot1x user auth-type device
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS= Authorized USER_NAME= admin
VLAN= 2 INTERFACE= gi0/1 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
Online time: 0 week 0 day 0 hour 0 minute 53 seconds
Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
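The check in Step 8 can be automated, as in this added example in Python that is not part of this document or the vendor's software: it parses the show dot1x user auth-type device output of Device2 (the sample text is constructed from the output above) and compares the authenticated device on each port with an allow list of expected MAC address, user name and VLAN, flagging unexpected devices, entries that are not authorized, ports with no authenticated device, and a summary line that disagrees with the entries. The field names are those in the output; the allow-list format is an assumption of the example.

```python
# Added example, not from the vendor documentation: parse "show dot1x user auth-type device"
# output and check that the authenticated device on each port is the expected one.
# SAMPLE_OUTPUT is constructed from the output shown in Step 8.
import re

SAMPLE_OUTPUT = """\
NO 1 : MAC_ADDRESS= 3883.45ef.7984 STATUS= Authorized USER_NAME= admin
VLAN= 2 INTERFACE= gi0/1 USER_TYPE= DOT1X
AUTH_STATE= AUTHENTICATED BACK_STATE= IDLE IP_ADDRESS= Unknown
Online time: 0 week 0 day 0 hour 0 minute 53 seconds
Total: 1 Authorized: 1 Unauthorized/guest/critical: 0/0/0 Unknown: 0
"""

_PAIR = re.compile(r"(\w+)=\s*(\S+)")
_ONLINE = re.compile(r"Online time:\s*(\d+) week (\d+) day (\d+) hour (\d+) minute (\d+) seconds")
_TOTAL = re.compile(r"Total:\s*(\d+)\s+Authorized:\s*(\d+)")


def parse_device_users(text):
    """Return (list of per-device dicts keyed by the output's field names, summary dict)."""
    entries, summary, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("NO "):       # each "NO n :" line starts a new device entry
            current = {}
            entries.append(current)
        m = _TOTAL.match(line)
        if m:
            summary = {"total": int(m.group(1)), "authorized": int(m.group(2))}
            current = None
            continue
        if current is None:
            continue
        m = _ONLINE.match(line)
        if m:
            w, d, h, mi, s = (int(x) for x in m.groups())
            current["online_seconds"] = ((((w * 7 + d) * 24) + h) * 60 + mi) * 60 + s
            continue
        current.update(_PAIR.findall(line))  # KEY= value pairs, several per line
    return entries, summary


def audit(entries, summary, expected):
    """expected maps interface -> {"mac", "user", "vlan"} (assumed allow-list format);
    returns a list of human-readable findings, empty when everything matches."""
    findings, seen = [], set()
    for e in entries:
        port = e.get("INTERFACE", "?")
        seen.add(port)
        want = expected.get(port)
        if want is None:
            findings.append(f"{port}: unexpected 802.1X device {e.get('MAC_ADDRESS')}")
            continue
        if e.get("STATUS") != "Authorized" or e.get("AUTH_STATE") != "AUTHENTICATED":
            findings.append(f"{port}: device not authorized ({e.get('STATUS')}/{e.get('AUTH_STATE')})")
        for key, field in (("mac", "MAC_ADDRESS"), ("user", "USER_NAME"), ("vlan", "VLAN")):
            if e.get(field, "").lower() != want[key].lower():
                findings.append(f"{port}: {field} is {e.get(field)}, expected {want[key]}")
    for port in expected:
        if port not in seen:
            findings.append(f"{port}: no authenticated device present")
    authorized = sum(1 for e in entries if e.get("STATUS") == "Authorized")
    if summary and summary["authorized"] != authorized:
        findings.append("summary line disagrees with listed entries")
    return findings


if __name__ == "__main__":
    entries, summary = parse_device_users(SAMPLE_OUTPUT)
    allow = {"gi0/1": {"mac": "3883.45ef.7984", "user": "admin", "vlan": "2"}}
    print(audit(entries, summary, allow) or "all 802.1X device entries match the allow list")
```

In practice the text comes from the switch over SSH or from a configuration backup; the point of the allow list is that the port stays tied to the one device that is supposed to sit behind it, so a different MAC authenticating with the same admin credentials (which are stored in plaintext on Device1 in Step 6) shows up as a finding rather than as a successful authentication.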