Updated: December 13, 2018
Configure 802.1x Supplicant Credentials on a Switch through the CLI
IEEE 802.1x is a standard which facilitates access control between a client and a server. Before services can be provided to a client by a Local Area Network (LAN) or switch, the client connected to the switch port has to be authenticated by the authentication server which runs Remote Authentication Dial-In User Service (RADIUS).
The 802.1x authentication restricts unauthorized clients from connecting to a LAN through publicly-accessible ports. The 802.1x authentication is a client-server model. In this model, network devices have the following specific roles:
- Client or supplicant — A client or supplicant is a network device that requests access to the LAN. The client is connected to an authenticator.
- Authenticator — An authenticator is a network device that provides network services and to which supplicant ports are connected. The following authentication methods are supported:
  - 802.1x-based — Supported in all authentication modes. In 802.1x-based authentication, the authenticator extracts the Extensible Authentication Protocol (EAP) messages from the 802.1x messages or EAP over LAN (EAPoL) packets, and passes them to the authentication server, using the RADIUS protocol.
  - MAC-based — Supported in all authentication modes. With Media Access Control (MAC)-based, the authenticator itself executes the EAP client part of the software on behalf of the clients seeking network access.
  - Web-based — Supported only in multi-sessions modes. With web-based authentication, the authenticator itself executes the EAP client part of the software on behalf of the clients seeking network access.
- Authentication server — An authentication server performs the actual authentication of the client. The authentication server for the device is a RADIUS authentication server with EAP extensions.
Note: A network device can be either a client or supplicant, authenticator, or both per port.
The image below displays a network in which the devices are configured according to these specific roles. In this example, an SG350X switch is used.
However, you can also configure some ports on your switch as supplicants. Once the supplicant credentials are configured on a specific port on your switch, you can directly connect the devices that are not 802.1x-capable so the devices would be able to access the secured network. The image below shows a scenario of a network that has configured a switch as a supplicant.
Guidelines for configuring 802.1x:
- Configure the RADIUS server. To learn how to configure the RADIUS server settings on your switch, click here.
- Create a Virtual Local Area Network (VLAN). To create VLANs using the web-based utility of your switch, click here. For Command Line Interface (CLI)-based instructions, click here.
- Configure Port to VLAN settings on your switch. To configure using the web-based utility, click here. To use the CLI, click here.
- Configure the global 802.1x properties on the switch. For instructions on how to configure the global 802.1x properties through the web-based utility of the switch, click here. For CLI-based instructions, click here.
- (Optional) Configure Time Range on the switch. To learn how to configure time range settings on your switch, click here. To use the CLI, click here.
- Configure 802.1x supplicant credentials on the switch. To learn how to configure through the web-based utility, click here. The CLI-based instructions are provided in this article.
- Configure 802.1x Port Authentication. To use the web-based utility of the switch, click here. To use the CLI, click here.
You can configure the switch as an 802.1x supplicant (client) on the wired network. An encrypted user name and password can be configured to allow the switch to authenticate using 802.1x.
On the networks that use IEEE 802.1x port-based network access control, a supplicant cannot gain access to the network until the 802.1x authenticator grants access. If your network uses 802.1x, you must configure 802.1x authentication information on the switch so that it can supply the information to the authenticator.
This article provides instructions on how to configure 802.1x supplicant credentials on your switch through the CLI.
Configure 802.1x Supplicant Credentials
Create 802.1x Supplicant Credentials
Step 1. Log in to the switch console. The default username and password are cisco/cisco. If you have configured a new username or password, enter those credentials instead.
Note: To learn how to access an SMB switch CLI through SSH or Telnet, click here.
Note: The commands may vary depending on the exact model of your switch. In this example, the SG350X switch is accessed through Telnet.
Step 2. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
Step 3. To define the name of an 802.1x credential structure and enter the dot1x credentials configuration mode, enter the following:
name — The credential structure name is up to 32 characters.
Note: The switch supports up to 24 credentials. In this example, cisco is used.
Step 4. (Optional) To remove the credential structure, enter the following:
Note: A used credential cannot be removed.
Step 5. To specify a username for an 802.1x credential structure, enter the following:
username — The user name is up to 32 characters.
Note: In this example, switchuser is the specified username.
Step 6. (Optional) To remove the username, enter the following:
Step 7. To specify a password for an 802.1x credential structure, enter either of the following:
encrypted password — The password is in encrypted format.
password — You can enter a plaintext password of up to 64 characters.
Note: In this example, the plaintext password C!$C0123456 is entered.
Step 8. (Optional) To remove the password, enter the following:
Step 9. (Optional) To add a description for the 802.1x credential structure, enter the following:
Note: In this example, the description used is sg350x-supplicant.
Step 10. (Optional) To remove the description, enter the following:
Step 11. Enter the end command to go back to the Privileged EXEC mode:
Step 12. (Optional) To display the configured 802.1x credentials, enter the following:
Step 13. (Optional) In the Privileged EXEC mode of the switch, save the configured settings to the startup configuration file by entering the following:
Step 14. (Optional) Press Y for Yes or N for No on your keyboard once the Overwrite file [startup-config]… prompt appears.
You should now have successfully configured an 802.1x credential on your switch through the CLI.
Configure an 802.1x Supplicant Interface
To apply the configured 802.1x supplicant credentials, you must configure 802.1x authentication information on the switch so that it can supply the information to the authenticator. Follow these steps to configure an 802.1x supplicant interface:
Step 1. From the Privileged EXEC mode of the switch, enter the Global Configuration mode by entering the following:
Step 2. In the Global Configuration mode, enter the Interface Configuration context by entering the following:
interface-id — Specifies an interface ID to be configured.
Note: When the supplicant is enabled on an interface, the interface becomes unauthorized. In this example, interface ge1/0/19 is being configured.
Step 3. To enable the dot1x supplicant role for the interface, enter the following:
name — The name of the credential structure applied on the interface.
Note: In this example, the previously created credential name, cisco, is used.
Step 4. Enter the end command to go back to the Privileged EXEC mode:
Step 5. To display the 802.1x status for the configured interface, use the show dot1x command in Privileged EXEC mode:
interface-id — Specifies the Ethernet port.
Note: In this example, the 802.1x information for interface ge1/0/19 is displayed.
You should now have successfully configured an 802.1x supplicant on an interface on your switch through the CLI.
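The two procedures above, collected into one annotated command sequence. This is an added example, not part of the original article. It uses the article's sample values (credential structure cisco, username switchuser, interface ge1/0/19). The command syntax is an assumption based on the Sx350-series CLI and should be checked against the CLI guide for your model, since commands may vary by switch.

```text
! Added example. Lines beginning with "!" are annotations, not commands.
! Optional removal commands are shown as annotations so they are not run.

! --- Create 802.1x supplicant credentials ---
! Step 2: from Privileged EXEC mode, enter Global Configuration mode
configure
! Step 3: define the credential structure (name up to 32 characters,
!         up to 24 structures per switch) and enter its configuration mode
dot1x credentials cisco
! Step 4 (optional, from Global Configuration mode; a credential that is
!         in use cannot be removed):
!   no dot1x credentials cisco
! Step 5: username, up to 32 characters
username switchuser
! Step 6 (optional):
!   no username
! Step 7: plaintext password, up to 64 characters. Alternative form:
!   encrypted password <encrypted-password>
password C!$C0123456
! Step 8 (optional):
!   no password
! Step 9 (optional): description for the credential structure
description sg350x-supplicant
! Step 10 (optional):
!   no description
! Step 11: return to Privileged EXEC mode
end
! Step 12 (optional): display the configured credentials
show dot1x credentials
! Steps 13-14 (optional): save, then answer Y at the overwrite prompt
copy running-config startup-config

! --- Configure an 802.1x supplicant interface ---
! Step 1: enter Global Configuration mode
configure
! Step 2: enter the Interface Configuration context for the port
interface ge1/0/19
! Step 3: enable the supplicant role using the credential structure
dot1x supplicant cisco
! Step 4: return to Privileged EXEC mode
end
! Step 5: display the 802.1x status of the interface
show dot1x interface ge1/0/19
```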