Defining 802.1X Port Authentication
The Port Authentication page enables configuration of 802.1X parameters for each port. Since some of the configuration changes are only possible while the port is in Force Authorized state, such as host authentication, it is recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.
NOTE A port with 802.1X defined on it cannot become a member of a LAG.
To define 802.1X authentication:
- Click Security > 802.1X > Port Authentication. The Port Authentication page displays.
This page displays authentication settings for all ports.
- Select a port, and click Edit. The Edit Port Authentication page displays.
- Enter the parameters.
- Interface--Select a port.
- User Name--Displays the username of the port.
- Current Port Control--Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
- Administrative Port Control--Select the Administrative Port Authorization state. The options are:
  - Force Unauthorized--Denies the interface access by moving the interface into the unauthorized state. The switch does not provide authentication services to the client through the interface.
  - Auto--Enables port-based authentication and authorization on the switch. The interface moves between the authorized and unauthorized states based on the authentication exchange between the switch and the client.
  - Force Authorized--Authorizes the interface without authentication.
- RADIUS VLAN Assignment--Select to enable Dynamic VLAN assignment on the selected port. Dynamic VLAN assignment is possible only when the 802.1X mode is set to multiple session. (After authentication, the port joins the supplicant VLAN as an untagged port in that VLAN.)
TIP For the Dynamic VLAN Assignment feature to work, the switch requires the following VLAN attributes to be sent by the RADIUS server (as defined in RFC 3580):
[64] Tunnel-Type = VLAN (type 13)
[65] Tunnel-Medium-Type = 802 (type 6)
[81] Tunnel-Private-Group-Id = VLAN ID
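The three attributes above are RFC 2868 tunnel attributes, which carry an optional one-octet tag before the value. The following added example (not part of this guide or the switch firmware) encodes the attribute section of an Access-Accept the way a RADIUS server would, then checks it the way an authenticator must before honouring a dynamic VLAN: all three attributes present with matching tags, Tunnel-Type equal to 13, Tunnel-Medium-Type equal to 6 and a numeric VLAN ID in range. Attribute numbers and layouts come from RFC 2865/2868; the sample packets are constructed in the test.

```python
"""Encode and validate RFC 3580 dynamic-VLAN attributes (added example).

Attribute layout per RFC 2865 (type, length, value) and RFC 2868
(tag octet 0x00..0x1F in front of tagged values).
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type = 802
REQUIRED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_avp(attr_type: int, value: bytes) -> bytes:
    # RFC 2865 AVP: 1-byte type, 1-byte length including the header, value
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: tag octet followed by a 3-byte big-endian value
    return encode_avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    # RFC 2868 tagged string: tag octet followed by the string
    return encode_avp(attr_type, bytes([tag]) + value.encode("ascii"))


def build_vlan_accept_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Attribute section a RADIUS server sends to assign VLAN `vlan_id`."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_avps(blob: bytes):
    """Yield (type, value) pairs; reject truncated or oversized lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length")
        yield attr_type, blob[i + 2:i + length]
        i += length


def split_tag(value: bytes):
    # RFC 2868: a leading octet <= 0x1F is a tag (0x00 = untagged);
    # anything larger is the first byte of the value itself.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def dynamic_vlan_from_accept(blob: bytes):
    """Return the VLAN ID an authenticator would assign, or None when the
    attribute set is incomplete or inconsistent (port stays in its static VLAN)."""
    by_tag = {}
    for attr_type, value in parse_avps(blob):
        if attr_type in REQUIRED:
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if set(attrs) != REQUIRED:
            continue                      # one of the three is missing
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue                      # e.g. a PPTP/L2TP tunnel, not a VLAN
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


if __name__ == "__main__":
    print(dynamic_vlan_from_accept(build_vlan_accept_attrs(100)))  # 100
```

Grouping by tag matters: a server may return several tagged sets, and the switch should only act on a set whose three attributes share a tag. A reply that carries the VLAN ID but omits Tunnel-Medium-Type, or uses a Tunnel-Type other than 13, yields None, which is the behaviour to expect when the port unexpectedly stays in its static VLAN after a successful authentication.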
- Guest VLAN--Select to indicate that the usage of a previously-defined Guest VLAN is enabled for the switch. The options are:
  - Selected--Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication page.
    After an authentication failure, and if Guest VLAN is activated globally on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN.
  - Cleared--Disables Guest VLAN on the port.
- Authentication Method--Select the authentication method for the port. The options are:
  - 802.1X Only--802.1X authentication is the only authentication method performed on the port.
  - MAC Only--The port is authenticated based on the supplicant MAC address. A maximum of 8 MAC-based authentications is supported per port.
  - 802.1X and MAC--Both 802.1X and MAC-based authentication are performed on the switch. 802.1X authentication takes precedence.
NOTE For MAC authentication to succeed, the supplicant username and password configured on the RADIUS server must both be the supplicant MAC address. The MAC address must be in lower-case letters and entered without the “:” or “-” separators; for example: 0020aa00bbcc.
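Because the switch sends the MAC address in exactly one spelling, any other spelling in the RADIUS user database silently fails MAC authentication. The added example below (not from this guide) converts the forms in which MAC addresses are usually recorded (colon, dash and dotted notation, any case) into the required 12 lower-case hex digits, rejects malformed input, and renders a FreeRADIUS `users`-file entry in that form. It goes beyond the note by accepting dotted notation as well; the `users`-file syntax is assumed from FreeRADIUS, not from this page, and the sample addresses are constructed.

```python
"""Normalise MAC addresses into the credential form required for
MAC-based authentication (added example, not switch or vendor code)."""
import re

# Accept exactly one consistent notation; everything else is rejected.
_MAC_FORMS = re.compile(
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"        # 00:20:aa:00:bb:cc
    r"|(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"       # 00-20-aa-00-bb-cc
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"      # 0020.aa00.bbcc (dotted, assumed)
    r"|[0-9a-f]{12}",                        # 0020aa00bbcc
    re.IGNORECASE,
)


def is_mab_mac(mac: str) -> bool:
    """True when `mac` is a well-formed 48-bit address in one notation."""
    return _MAC_FORMS.fullmatch(mac.strip()) is not None


def mab_credential(mac: str) -> str:
    """Return the username/password string the switch presents:
    12 lower-case hex digits with no separators."""
    if not is_mab_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:\-.]", "", mac.strip()).lower()


def freeradius_users_entry(mac: str, vlan_id: int) -> str:
    """Render a FreeRADIUS users-file entry (syntax assumed from FreeRADIUS)
    that authenticates the MAC and returns the RFC 3580 VLAN attributes."""
    cred = mab_credential(mac)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (
        f'{cred}\tCleartext-Password := "{cred}"\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f"\tTunnel-Private-Group-Id = {vlan_id}\n"
    )


if __name__ == "__main__":
    # Constructed sample addresses
    for sample in ("00:20:AA:00:BB:CC", "0020.aa00.bbcc", "00-20-aa-00-bb-cc"):
        print(sample, "->", mab_credential(sample))
    print(freeradius_users_entry("00:20:AA:00:BB:CC", 100))
```

A quick way to audit an existing user database is to run every MAC-based username through `is_mab_mac` and compare it with `mab_credential` of itself: any entry that differs (upper case, separators kept) will never match what the switch sends.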
- Periodic Reauthentication--Select to enable port re-authentication attempts after the specified Reauthentication Period.
- Reauthentication Period--Enter the number of seconds after which the selected port is reauthenticated.
- Reauthenticate Now--Select to enable immediate port re-authentication.
- Authenticator State--Displays the defined port authorization state. The options are:
  - Force-Authorized--Controlled port state is set to Force-Authorized (forward traffic).
  - Force-Unauthorized--Controlled port state is set to Force-Unauthorized (discard traffic).
NOTE If the port is in neither the Force-Authorized nor the Force-Unauthorized state, it is in Auto mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.
- Time Range--Select to limit the time during which the specific port is authorized for use, if 802.1X has been enabled (Port-Based Authentication is checked).
- Time Range Name--Select the profile that specifies the time range.
- Quiet Period--Enter the number of seconds that the switch remains in the quiet state following a failed authentication exchange.
- Resending EAP--Enter the number of seconds that the switch waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
- Max EAP Requests--Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
- Supplicant Timeout--Enter the number of seconds that elapse before EAP requests are resent to the supplicant.
- Server Timeout--Enter the number of seconds that elapse before the switch resends a request to the authentication server.
- Termination Cause--Displays the reason for which the port authentication was terminated, if applicable.
- Click Apply. The port settings are defined, and the Running Configuration file is updated.