IEEE 802.1X defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports.
Remember:
- DO NOT forget to add "aaa authentication login default none", else you might lock yourself out of the switch and forfeit any points related to that switch.
- 802.1X uses AAA with RADIUS for authentication.
- Every time "aaa new-model" is typed, it erases the existing AAA config.
You control the port authorization state with the dot1x port-control interface configuration command and one of these keywords:
1. force-authorized: Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required
2. force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate
3. auto: Enables 802.1X authentication and causes the port to begin in the unauthorized state
802.1X port-based authentication is supported in two topologies:
1. Point-to-point
2. Wireless LAN
Use the following commands to enable 802.1X authentication. Note that dot1x authentication requires RADIUS as the method.
Global configuration:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.10.10.10
radius-server key cisco
aaa authorization network default group radius
Interface configuration:
dot1x port-control auto
dot1x host-mode multihost (allows multiple devices to be authenticated on that single port)
dot1x auth-fail vlan 888
dot1x auth-fail max 2 (default: 3)
dot1x guest-vlan 888
dot1x critical vlan 24 (if port authentication fails, ensures the port still comes up)
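The two things most likely to go wrong with this configuration are the lock-out noted above (no local login method while AAA is on) and access ports that were left on force-authorized or with no port-control at all, which quietly bypass 802.1X. As an added example that is not part of the original notes, the Python script below parses an IOS-style running-config and flags those conditions; the sample config text is constructed for illustration, and the set of "required" global lines and the decision to audit only ports with "switchport mode access" are this script's own assumptions.

```python
"""Audit an IOS-style running-config for the 802.1X settings listed above.

Added example, not from the original post. SAMPLE_CONFIG is constructed and
the check list is an assumption based on the global/interface commands above.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.10.10.10
radius-server key cisco
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x auth-fail vlan 888
 dot1x guest-vlan 888
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/3
 switchport mode access
!
"""

# Global lines the post lists as required for dot1x to work (assumed minimum set).
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)
# The post's lock-out safeguard: management login must not depend on RADIUS.
LOCKOUT_SAFEGUARD = "aaa authentication login default none"


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and per-interface line lists.

    Interface sub-commands are indented by one space; a bare '!' or any
    non-indented line ends the current interface block.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    for req in REQUIRED_GLOBAL:
        if req not in global_lines:
            findings.append(f"global: missing '{req}'")
    if not any(l.startswith("radius-server host ") for l in global_lines):
        findings.append("global: no 'radius-server host' configured")
    if LOCKOUT_SAFEGUARD not in global_lines:
        findings.append(f"global: missing '{LOCKOUT_SAFEGUARD}' (risk of lock-out)")
    for name, lines in interfaces.items():
        # Assumption: only access ports are expected to run 802.1X here.
        if "switchport mode access" not in lines:
            continue
        control = next((l for l in lines if l.startswith("dot1x port-control ")), None)
        if control is None:
            findings.append(f"{name}: no 'dot1x port-control' (802.1X not enforced)")
        elif control.endswith("force-authorized"):
            findings.append(f"{name}: port-control force-authorized bypasses authentication")
        elif control.endswith("auto") and not any(
            l.startswith("dot1x auth-fail vlan") for l in lines
        ):
            findings.append(f"{name}: no auth-fail VLAN configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["config passes"]:
        print(finding)
```

Run against a saved "show running-config" instead of SAMPLE_CONFIG to check a real switch; the parser only relies on the one-space indentation IOS uses for interface sub-commands.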