802.1X Deployment (Opt.)
This article walks through configuring 802.1X on a Cisco switch (specifically a 2960 series switch). The goal of this article is not to provide an in-depth walk-through of 802.1X but rather outline what a minimal implementation would look like.
Configure AAA
Configuring 802.1X requires the use of AAA (Authentication, Authorization, Accounting). Use the following command to enable AAA globally on the switch.
Note! Once enabled, the switch will rely on AAA to authenticate technicians connecting to it. If AAA is not fully configured, you will lock yourself out. Complete this section of the article before disconnecting.
Switch (config)# aaa new-model
Now, tell the switch to use the local username database as its source for authentication.
Switch (config)# aaa authentication login default local
Next, tell the switch to authorize the EXEC shell (Privileged EXEC Mode) for logged-in users against the local database.
Switch (config)# aaa authorization exec default local
Lastly, if you weren't using AAA for local authentication previously, ensure an enable secret is configured on the switch, because the previous command (aaa authorization exec default local) does not affect the console connection. Without a secret you cannot escalate from User EXEC Mode to Privileged EXEC Mode when connecting via a console cable.
Switch (config)# enable secret [password]
Enable 802.1X
With local authentication of the switch handled, we can now set up 802.1X. One question I immediately had when first configuring 802.1X was what effect these commands would have on an existing switch. Would enabling 802.1X cause all ports to require authentication? No: existing ports are unaffected until a port is explicitly configured for 802.1X (the final step).
To start, enable dot1x globally.
Switch (config)# dot1x system-auth-control
Configure RADIUS Servers
Next, specify the RADIUS servers which will perform the authentication and authorization. Typically this is two servers for redundancy.
Switch (config)# radius server dot1x-auth1
Switch (config-radius-server)# address ipv4 10.0.0.16 auth-port 1812 acct-port 1813
Switch (config-radius-server)# key password
Switch (config)# radius server dot1x-auth2
Switch (config-radius-server)# address ipv4 10.0.0.17 auth-port 1812 acct-port 1813
Switch (config-radius-server)# key password
With the two RADIUS servers specified, create and add both servers into a RADIUS group.
Switch (config)# aaa group server radius dot1x-auth
Switch (config-sg-radius)# server name dot1x-auth1
Switch (config-sg-radius)# server name dot1x-auth2
Tell the switch that we intend to use our two RADIUS servers as listed under our RADIUS group for 802.1X authentication.
Switch (config)# aaa authentication dot1x default group dot1x-auth
Switch (config)# aaa authorization network default group dot1x-auth
Configure Port(s)
Lastly, configure a switchport to require authentication via 802.1X. Note that the commands shown below are the bare minimum for setting up 802.1X authentication. There is a lot more you can do, including having a dedicated network for devices which cannot authenticate, or having the VLAN dynamically assigned based upon the RADIUS response.
Switch (config)# interface FastEthernet0/23
Switch (config-if)# switchport mode access
Switch (config-if)# switchport access vlan 100
Switch (config-if)# authentication port-control auto
Switch (config-if)# dot1x pae authenticator
The switching portion of your 802.1X implementation is now complete.
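As an added example (not part of the original article), the following Python audit reads a saved running-config text and checks the consistency points this walkthrough raises: the lockout guard from the AAA section, that every member of the RADIUS group is a defined radius server, and that each port with authentication port-control auto also carries the other interface commands from the port section. The sample config, its deliberate omissions and the placeholder secret are constructed for this example.

```python
# Constructed sample config mirroring this article; the enable secret, the second RADIUS server and one port command are omitted on purpose.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa group server radius dot1x-auth
 server name dot1x-auth1
 server name dot1x-auth2
radius server dot1x-auth1
 address ipv4 10.0.0.16 auth-port 1812 acct-port 1813
interface FastEthernet0/23
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet0/24
 authentication port-control auto
"""
PORT_CMDS = {"switchport mode access", "authentication port-control auto", "dot1x pae authenticator"}

def parse_blocks(config):
    # Map each top-level IOS command to its indented sub-commands; skip blanks and "!" separators.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.rstrip()
            blocks.setdefault(current, [])
    return blocks

def audit_dot1x(config):
    # Return findings for the article's minimal 802.1X setup; an empty list means consistent.
    blocks, findings = parse_blocks(config), []
    if "aaa new-model" in blocks:  # lockout guard: AAA now fronts every login
        for needed in ("aaa authentication login default local",
                       "aaa authorization exec default local"):
            if needed not in blocks:
                findings.append(f"aaa new-model without '{needed}': risk of lockout")
        if not any(h.startswith("enable secret") for h in blocks):
            findings.append("no enable secret: console cannot reach Privileged EXEC")
    defined = {h.split()[-1] for h in blocks if h.startswith("radius server ")}
    for h, subs in blocks.items():  # every group member must be a defined server
        if h.startswith("aaa group server radius "):
            for name in (s.split()[-1] for s in subs if s.startswith("server name ")):
                if name not in defined:
                    findings.append(f"{h}: member {name} is not a defined radius server")
    ports = [h for h, s in blocks.items()
             if h.startswith("interface ") and "authentication port-control auto" in s]
    for h in ports:  # each 802.1X port needs the full trio of interface commands
        for cmd in sorted(PORT_CMDS - set(blocks[h])):
            findings.append(f"{h}: missing '{cmd}'")
    return findings
```

Run it against the output of show running-config saved to a file to catch the lockout case from the AAA section before you disconnect.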