Home » Cisco Manuals » Hubs & Switches » Cisco 2950G 24 » Manual Viewer

Cisco 2950G 24 Software Configuration Guide - Page 222

Enabling 802.1X Authentication

UPC - 746320687711

Add to My Manuals
Save this manual to your list of manuals

Page 222 highlights

Configuring 802.1X Authentication Chapter 8 Configuring 802.1X Port-Based Authentication Enabling 802.1X Authentication To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted. Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication. This procedure is required. Step 1 Step 2 Step 3 Command configure terminal aaa new-model aaa authentication dot1x {default} method1 [method2...] Step 4 interface interface-id Step 5 dot1x port-control auto Step 6 end Step 7 show dot1x Step 8 copy running-config startup-config Purpose Enter global configuration mode. Enable AAA. Create an 802.1X authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. Enter at least one of these keywords: • group radius-Use the list of all RADIUS servers for authentication. • none-Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client. Enter interface configuration mode, and specify the interface connected to the client that is to be enabled for 802.1X authentication. Enable 802.1X authentication on the interface. For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports, see the "802.1X Configuration Guidelines" section on page 8-7. Return to privileged EXEC mode. Verify your entries. Check the Status column in the 802.1X Port Summary section of the display. An enabled status means the port-control value is set either to auto or to force-unauthorized. (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command. To disable 802.1X authentication, use the dot1x port-control force-authorized or the no dot1x port-control interface configuration command. Catalyst 2950 Desktop Switch Software Configuration Guide 8-8 78-14982-01

Section	Page
Catalyst2950Desktop Switch Software Configuration Guide	1
Contents	3
Preface	25
Audience	25
Purpose	25
Organization	26
Conventions	28
Related Publications	29
Obtaining Documentation	29
World Wide Web	29
Documentation CD-ROM	30
Ordering Documentation	30
Documentation Feedback	30
Obtaining Technical Assistance	30
Cisco.com	31
Technical Assistance Center	31
Cisco TAC Website	31
Cisco TAC Escalation Center	32
Overview	33
Features	33
Management Options	39
Management Interface Options	39
Advantages of Using CMS and Clustering Switches	39
Network Configuration Examples	40
Design Concepts for Using the Switch	40
Small to Medium-Sized Network Configuration	43
Collapsed Backbone and Switch Cluster Configuration	45
Large Campus Configuration	46
Hotel Network Configuration	48
Multidwelling Network Using Catalyst 2950 Switches	50
Long-Distance, High-Bandwidth Transport Configuration	52
Where to Go Next	53
Using the Command-Line Interface	55
IOS Command Modes	55
Getting Help	57
Specifying Ports in Interface Configuration Mode	58
Abbreviating Commands	59
Using no and default Forms of Commands	59
Understanding CLI Messages	59
Using Command History	60
Changing the Command History Buffer Size	60
Recalling Commands	60
Disabling the Command History Feature	61
Using Editing Features	61
Enabling and Disabling Editing Features	61
Editing Commands through Keystrokes	62
Editing Command Lines that Wrap	63
Searching and Filtering Output of show and more Commands	64
Accessing the CLI	64
Accessing the CLI from a Browser	65
Getting Started with CMS	67
Features	68
Front Panel View	70
Cluster Tree	72
Front-Panel Images	73
Redundant Power System LED	74
Port Modes and LEDs	74
VLAN Membership Modes	75
Topology View	76
Topology Icons	78
Device and Link Labels	79
Colors in the Topology View	80
Topology Display Options	81
Menus and Toolbar	81
Menu Bar	81
Toolbar	86
Front Panel View Popup Menus	87
Device Popup Menu	87
Port Popup Menu	87
Topology View Popup Menus	88
Link Popup Menu	88
Device Popup Menus	89
Interaction Modes	91
Guide Mode	91
Expert Mode	91
Wizards	92
Tool Tips	92
Online Help	92
CMS Window Components	94
Host Name List	94
Tabs, Lists, and Tables	95
Filter Editor	95
Icons Used in Windows	95
Buttons	96
Accessing CMS	96
Access Modes in CMS	97
HTTP Access to CMS	98
Verifying Your Changes	98
Change Notification	98
Error Checking	98
Saving Your Configuration	99
Restoring Your Configuration	99
CMS Preferences	99
Using Different Versions of CMS	100
Where to Go Next	100
Assigning the Switch IP Address and Default Gateway	101
Understanding the Boot Process	101
Assigning Switch Information	102
Default Switch Information	103
Understanding DHCP-Based Autoconfiguration	103
DHCP Client Request Process	104
Configuring the DHCP Server	105
Configuring the TFTP Server	105
Configuring the DNS	106
Configuring the Relay Device	106
Obtaining Configuration Files	107
Example Configuration	108
Manually Assigning IP Information	110
Checking and Saving the Running Configuration	110
Configuring IE2100 CNS Agents	113
Understanding IE2100Series Configuration Registrar Software	113
CNS Configuration Service	114
CNS Event Service	115
NameSpace Mapper	115
What You Should Know About ConfigID, DeviceID, and Host Name	115
ConfigID	115
DeviceID	116
Host Name and DeviceID	116
Using Host Name, DeviceID, and ConfigID	116
Understanding CNS Embedded Agents	117
Initial Configuration	117
Incremental (Partial) Configuration	118
Synchronized Configuration	118
Configuring CNS Embedded Agents	118
Enabling Automated CNS Configuration	118
Enabling the CNS Event Agent	120
Enabling the CNS Configuration Agent	121
Enabling an Initial Configuration	121
Enabling a Partial Configuration	124
Displaying CNS Configuration	125
Clustering Switches	127
Understanding Switch Clusters	128
Command Switch Characteristics	129
Standby Command Switch Characteristics	129
Candidate Switch and Member Switch Characteristics	130
Planning a Switch Cluster	131
Automatic Discovery of Cluster Candidates and Members	131
Discovery through CDP Hops	132
Discovery through Non-CDP-Capable and Noncluster-Capable Devices	133
Discovery through the Same Management VLAN	134
Discovery through Different Management VLANs	135
Discovery of Newly Installed Switches	136
HSRP and Standby Command Switches	138
Virtual IP Addresses	139
Other Considerations for Cluster Standby Groups	139
Automatic Recovery of Cluster Configuration	141
IP Addresses	141
Host Names	142
Passwords	142
SNMP Community Strings	142
TACACS+ and RADIUS	143
Access Modes in CMS	143
Management VLAN	144
LRE Profiles	144
Availability of Switch-Specific Features in Switch Clusters	145
Creating a Switch Cluster	145
Enabling a Command Switch	145
Adding Member Switches	146
Creating a Cluster Standby Group	148
Verifying a Switch Cluster	150
Using the CLI to Manage Switch Clusters	151
Catalyst1900 and Catalyst2820 CLI Considerations	151
Using SNMP to Manage Switch Clusters	152
Administering the Switch	153
Preventing Unauthorized Access to Your Switch	153
Protecting Access to Privileged EXEC Commands	154
Default Password and Privilege Level Configuration	154
Setting or Changing a Static Enable Password	155
Protecting Enable and Enable Secret Passwords with Encryption	156
Disabling Password Recovery	157
Setting a Telnet Password for a Terminal Line	158
Configuring Username and Password Pairs	159
Configuring Multiple Privilege Levels	160
Setting the Privilege Level for a Command	160
Changing the Default Privilege Level for Lines	161
Logging into and Exiting a Privilege Level	162
Controlling Switch Access with TACACS+	162
Understanding TACACS+	162
TACACS+ Operation	164
Configuring TACACS+	164
Default TACACS+ Configuration	165
Identifying the TACACS+ Server Host and Setting the Authentication Key	165
Configuring TACACS+ Login Authentication	166
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	168
Starting TACACS+ Accounting	169
Displaying the TACACS+ Configuration	169
Controlling Switch Access with RADIUS	170
Understanding RADIUS	170
RADIUS Operation	171
Configuring RADIUS	172
Default RADIUS Configuration	172
Identifying the RADIUS Server Host	172
Configuring RADIUS Login Authentication	175
Defining AAA Server Groups	177
Configuring RADIUS Authorization for User Privileged Access and Network Services	179
Starting RADIUS Accounting	180
Configuring Settings for All RADIUS Servers	181
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	181
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	182
Displaying the RADIUS Configuration	183
Configuring the Switch for Local Authentication and Authorization	184
Configuring the Switch for Secure Shell	185
Understanding SSH	185
Configuring SSH	185
Managing the System Time and Date	186
Understanding the System Clock	186
Understanding Network Time Protocol	186
Configuring NTP	188
Default NTP Configuration	189
Configuring NTP Authentication	189
Configuring NTP Associations	190
Configuring NTP Broadcast Service	191
Configuring NTP Access Restrictions	192
Configuring the Source IP Address for NTP Packets	194
Displaying the NTP Configuration	195
Configuring Time and Date Manually	195
Setting the System Clock	196
Displaying the Time and Date Configuration	196
Configuring the Time Zone	197
Configuring Summer Time (Daylight Saving Time)	198
Configuring a System Name and Prompt	200
Default System Name and Prompt Configuration	200
Configuring a System Name	200
Configuring a System Prompt	201
Understanding DNS	201
Default DNS Configuration	202
Setting Up DNS	202
Displaying the DNS Configuration	203
Creating a Banner	203
Default Banner Configuration	203
Configuring a Message-of-the-Day Login Banner	204
Configuring a Login Banner	205
Managing the MAC Address Table	206
Building the Address Table	206
MAC Addresses and VLANs	207
Default MAC Address Table Configuration	207
Changing the Address Aging Time	207
Removing Dynamic Address Entries	208
Configuring MAC Address Notification Traps	208
Adding and Removing Static Address Entries	210
Adding and Removing Secure Addresses	211
Displaying Address Table Entries	212
Managing the ARP Table	213
Switch Software Releases	213
Configuring 802.1X Port-Based Authentication	215
Understanding 802.1X Port-Based Authentication	215
Device Roles	216
Authentication Initiation and Message Exchange	217
Ports in Authorized and Unauthorized States	218
Supported Topologies	219
Configuring 802.1X Authentication	219
Default 802.1X Configuration	220
802.1X Configuration Guidelines	221
Enabling 802.1X Authentication	222
Configuring the Switch-to-RADIUS-Server Communication	223
Enabling Periodic Re-Authentication	224
Manually Re-Authenticating a Client Connected to a Port	225
Changing the Quiet Period	225
Changing the Switch-to-Client Retransmission Time	226
Setting the Switch-to-Client Frame-Retransmission Number	227
Enabling Multiple Hosts	227
Resetting the 802.1X Configuration to the Default Values	228
Displaying 802.1X Statistics and Status	228
Configuring the Switch Interfaces	229
Understanding Interface Types	229
Access Ports	230
Trunk Ports	230
Port-Based VLANs	231
EtherChannel Port Groups	231
Connecting Interfaces	231
Using the Interface Command	232
Procedures for Configuring Interfaces	232
Configuring a Range of Interfaces	234
Configuring and Using Interface-Range Macros	236
Configuring Switch Interfaces	237
Default Ethernet Interface Configuration	238
SFP Configuration	238
Configuring Interface Speed and Duplex Mode	239
Configuration Guidelines	240
Setting the Interface Speed and Duplex Parameters	241
Configuring Media Types for Gigabit Interfaces	242
Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports	242
Adding a Description for an Interface	244
Monitoring and Maintaining the Interfaces	244
Monitoring Interface and Controller Status	244
Clearing and Resetting Interfaces and Counters	247
Shutting Down and Restarting the Interface	247
Configuring LRE	249
Ports on the 2950 LRE	249
LRE Links and LRE Profiles	250
LRE Profiles	250
LRE Sequences	252
CPE Ethernet Links	253
Configuring LRE Ports	253
Environmental Guidelines for LRE Links	254
Guidelines for Using LRE Profiles	255
CPE Ethernet Link Guidelines	255
Considerations for Connected Cisco 575 LRE CPEs	255
Considerations for Connected Cisco 585 LRE CPEs	256
Assigning a Global Profile to All LRE Ports	256
Assigning a Profile to a Specific LRE Port	257
Assigning a Global Sequence to All LRE Ports	257
Assigning a Sequence to a Specific LRE Port	258
Using Rate Selection to Automatically Assign Profiles	258
Precedence	259
Profile Locking	259
Link Qualification and SNR Margins	260
LRE Link Persistence	262
LRE Link Monitor	262
Upgrading LRE Switch Firmware	263
Configuring for an LRE Upgrade	263
Performing an LRE Upgrade	264
Global Configuration of LRE Upgrades	265
Controller Configuration of LRE Upgrades	265
LRE Upgrade Behavior Details	266
LRE Upgrade Example	266
Configuring STP	269
Understanding Spanning-Tree Features	269
STP Overview	270
Supported Spanning-Tree Instances	270
Bridge Protocol Data Units	270
Election of the Root Switch	271
Bridge ID, Switch Priority, and Extended System ID	272
Spanning-Tree Timers	272
Creating the Spanning-Tree Topology	273
Spanning-Tree Interface States	273
Blocking State	275
Listening State	275
Learning State	275
Forwarding State	275
Disabled State	276
Spanning-Tree Address Management	276
STP and IEEE 802.1Q Trunks	276
Spanning Tree and Redundant Connectivity	276
Accelerated Aging to Retain Connectivity	277
Configuring Spanning-Tree Features	277
Default STP Configuration	278
STP Configuration Guidelines	278
Disabling STP	280
Configuring the Root Switch	280
Configuring a Secondary Root Switch	282
Configuring the Port Priority	283
Configuring the Path Cost	284
Configuring the Switch Priority of a VLAN	286
Configuring the Hello Time	287
Configuring the Forwarding-Delay Time for a VLAN	287
Configuring the Maximum-Aging Time for a VLAN	288
Configuring STP for Use in a Cascaded Stack	288
Displaying the Spanning-Tree Status	289
Configuring RSTP and MSTP	291
Understanding RSTP	292
Port Roles and the Active Topology	292
Rapid Convergence	293
Synchronization of Port Roles	294
Bridge Protocol Data Unit Format and Processing	295
Processing Superior BPDU Information	296
Processing Inferior BPDU Information	296
Topology Changes	296
Understanding MSTP	297
Multiple Spanning-Tree Regions	297
IST, CIST, and CST	298
Operations Within an MST Region	298
Operations Between MST Regions	299
Hop Count	300
Boundary Ports	300
Interoperability with 802.1D STP	301
Configuring RSTP and MSTP Features	301
Default RSTP and MSTP Configuration	302
RSTP and MSTP Configuration Guidelines	302
Specifying the MST Region Configuration and Enabling MSTP	303
Configuring the Root Switch	304
Configuring a Secondary Root Switch	306
Configuring the Port Priority	307
Configuring the Path Cost	308
Configuring the Switch Priority	309
Configuring the Hello Time	309
Configuring the Forwarding-Delay Time	310
Configuring the Maximum-Aging Time	311
Configuring the Maximum-Hop Count	311
Specifying the Link Type to Ensure Rapid Transitions	312
Restarting the Protocol Migration Process	312
Displaying the MST Configuration and Status	313
Configuring Optional Spanning-Tree Features	315
Understanding Optional Spanning-Tree Features	315
Understanding Port Fast	316
Understanding BPDU Guard	317
Understanding BPDU Filtering	317
Understanding UplinkFast	318
Understanding Cross-Stack UplinkFast	319
How CSUF Works	320
Events That Cause Fast Convergence	321
Limitations	322
Connecting the Stack Ports	322
Understanding BackboneFast	324
Understanding Root Guard	326
Understanding Loop Guard	327
Configuring Optional Spanning-Tree Features	327
Default Optional Spanning-Tree Configuration	328
Enabling Port Fast	328
Enabling BPDU Guard	329
Enabling BPDU Filtering	330
Enabling UplinkFast for Use with Redundant Links	331
Enabling Cross-Stack UplinkFast	332
Enabling BackboneFast	333
Enabling Root Guard	333
Enabling Loop Guard	334
Displaying the Spanning-Tree Status	335
Configuring VLANs	337
Understanding VLANs	337
Supported VLANs	338
VLAN Port Membership Modes	339
Configuring Normal-Range VLANs	340
Token Ring VLANs	341
Normal-Range VLAN Configuration Guidelines	341
VLAN Configuration Mode Options	342
VLAN Configuration in config-vlan Mode	342
VLAN Configuration in VLAN Configuration Mode	342
Saving VLAN Configuration	343
Default Ethernet VLAN Configuration	344
Creating or Modifying an Ethernet VLAN	344
Deleting a VLAN	346
Assigning Static-Access Ports to a VLAN	347
Configuring Extended-Range VLANs	348
Default VLAN Configuration	348
Extended-Range VLAN Configuration Guidelines	348
Creating an Extended-Range VLAN	349
Displaying VLANs	350
Configuring VLAN Trunks	351
Trunking Overview	351
802.1Q Configuration Considerations	352
Default Layer 2 Ethernet Interface VLAN Configuration	353
Configuring an Ethernet Interface as a Trunk Port	353
Interaction with Other Features	353
Configuring a Trunk Port	354
Defining the Allowed VLANs on a Trunk	355
Changing the Pruning-Eligible List	356
Configuring the Native VLAN for Untagged Traffic	356
Load Sharing Using STP	357
Load Sharing Using STP Port Priorities	357
Load Sharing Using STP Path Cost	359
Configuring VMPS	360
Understanding VMPS	361
Dynamic Port VLAN Membership	361
VMPS Database Configuration File	362
Default VMPS Configuration	363
VMPS Configuration Guidelines	364
Configuring the VMPS Client	364
Entering the IP Address of the VMPS	364
Configuring Dynamic Access Ports on VMPS Clients	365
Reconfirming VLAN Memberships	366
Changing the Reconfirmation Interval	366
Changing the Retry Count	366
Monitoring the VMPS	367
Troubleshooting Dynamic Port VLAN Membership	367
VMPS Configuration Example	368
Configuring VTP	369
Understanding VTP	369
The VTP Domain	370
VTP Modes	371
VTP Advertisements	371
VTP Version 2	372
VTP Pruning	372
Configuring VTP	374
Default VTP Configuration	374
VTP Configuration Options	375
VTP Configuration in Global Configuration Modes	375
VTP Configuration in VLAN Configuration Mode	375
VTP Configuration Guidelines	376
Domain Names	376
Passwords	376
Upgrading from Previous Software Releases	376
VTP Version	377
Configuration Requirements	377
Configuring a VTP Server	377
Configuring a VTP Client	379
Disabling VTP (VTP Transparent Mode)	380
Enabling VTP Version 2	381
Enabling VTP Pruning	382
Adding a VTP Client Switch to a VTP Domain	383
Monitoring VTP	384
Configuring Voice VLAN	385
Understanding Voice VLAN	385
Configuring Voice VLAN	386
Default Voice VLAN Configuration	386
Voice VLAN Configuration Guidelines	387
Configuring a Port to Connect to a Cisco7960 IP Phone	387
Configuring Ports to Carry Voice Traffic in 802.1Q Frames	388
Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames	388
Overriding the CoS Priority of Incoming Data Frames	389
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames	390
Displaying Voice VLAN	390
Configuring IGMP Snooping and MVR	391
Understanding IGMP Snooping	391
Joining a Multicast Group	392
Leaving a Multicast Group	394
Immediate-Leave Processing	394
Configuring IGMP Snooping	395
Default IGMP Snooping Configuration	395
Enabling or Disabling IGMP Snooping	395
Setting the Snooping Method	396

Match case Limit results 1 per page

8-8

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 8

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Authentication

Enabling 802.1X Authentication

To enable 802.1X port-based authentication, you must enable AAA and specify the authentication

method list. A method list describes the sequence and authentication methods to be queried to

authenticate a user.

The software uses the first method listed to authenticate users; if that method fails to respond, the

software selects the next authentication method in the method list. This process continues until there is

successful communication with a listed authentication method or until all defined methods are

exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other

authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication.

This procedure is required.

To disable AAA, use the

no aaa new-model

global configuration command. To disable 802.1X AAA

authentication, use the

no aaa authentication dot1x

{

default

list-name

}

method1

[

method2

...] global

configuration command. To disable 802.1X authentication, use the

dot1x port-control

force-authorized

or the

no dot1x port-control

interface configuration command.

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

aaa new-model

Enable AAA.

Step 3

aaa authentication dot1x

{

default

}

method1

[

method2

...]

Create an 802.1X authentication method list.

To create a default list that is used when a named list is

not

specified in

the

authentication

command, use the

default

keyword followed by the

methods that are to be used in default situations. The default method list

is automatically applied to all interfaces.

Enter at least one of these keywords:

•

group radius

—Use the list of all RADIUS servers for authentication.

•

none

—Use no authentication. The client is automatically

authenticated by the switch without using the information supplied by

the client.

Step 4

interface

interface-id

Enter interface configuration mode, and specify the interface connected to

the client that is to be enabled for 802.1X authentication.

Step 5

dot1x port-control auto

Enable 802.1X authentication on the interface.

For feature interaction information with trunk, dynamic, dynamic-access,

EtherChannel, secure, and SPAN ports, see the

“802.1X Configuration

Guidelines” section on page 8-7

Step 6

end

Return to privileged EXEC mode.

Step 7

show dot1x

Verify your entries.

Check the Status column in the 802.1X Port Summary section of the

display. An

enabled

status means the port-control value is set either to

auto

or to

force-unauthorized

Step 8

copy running-config startup-config

(Optional) Save your entries in the configuration file.