Updated: December 13, 2018
Configuring 802.1X on SG300 Series Switches
802.1X is an IEEE standard that implements port-based authentication. If a port uses 802.1X, then any client that
uses that port (referred to as the supplicant) must present correct credentials before being granted access to
the network. A device that implements 802.1X (referred to as the authenticator) must be able to communicate with
a RADIUS (Remote Authentication Dial-In User Service) server that is elsewhere on the network. This server
contains a list of valid users that are allowed access to the network; any credentials sent by the authenticator
(given to it by the supplicant) must match the ones held by the RADIUS server. If so, the server tells the
authenticator to grant access to the user; otherwise, the authenticator will deny access.
The 802.1X standard is a good security measure for preventing unwanted users from gaining access to the network by
plugging into a physical port. Please note that in order for 802.1X to work, a RADIUS server must already be
configured elsewhere on the network, and the authenticator must be able to communicate with it.
The objective of this document is to show you how to set up 802.1X on the SG300 Series Switches.
• SG300 Series Switches
Setting Up 802.1X Authentication
Adding a RADIUS Server
Step 1. Log in to the web configuration utility and choose Security > RADIUS. The RADIUS page
Step 2. In the RADIUS Accounting field, choose a radio button to select what type of accounting
information the RADIUS server will be given. A RADIUS server can be given accounting information that keeps
track of a user’s session time, what resources they use, and other things. The option selected here will not
impact the performance of 802.1X.
The options are:
• Port Based Access Control – This option sends accounting information about port-based authenticated sessions to
the RADIUS server.
• Management Access – This option sends accounting information about the switch’s management sessions to the
• Both Port Based Access Control and Management Access – This option sends both types of accounting information
to the RADIUS server.
• None – Do not send accounting information to the RADIUS server.
Step 3. In the Use Default Parameters area, configure the settings that will be used by default unless
an added RADIUS server is configured with its own specific settings; each individual server entry you add to the
switch can use either the defaults or separate unique settings. For this article, we will use the default
settings defined in this section.
Configure the following settings:
• Retries – Enter the number of times the switch will try to contact a RADIUS server before moving to the next
server. The default is 3.
• Timeout for Reply – Enter the number of seconds the switch will wait for a reply from the RADIUS server before
taking further action (trying again or giving up). The default is 3.
• Dead Time – Enter the number of minutes that elapse before a non-responsive RADIUS server is passed over for
service requests. The default is 0; this value means that the server is not bypassed.
• Key String – Enter the secret key used for authenticating between the switch and the RADIUS server. If you have
an encrypted key, enter it with the Encrypted radio button; otherwise, enter the plaintext key with the
Plaintext radio button.
• Source IPv4/IPv6 Interface – Use these drop-down lists to choose which IPv4/IPv6 source interface will be used
when communicating with the RADIUS server. The default is Auto, which will use the default source IP address
defined on the outgoing interface.
Step 4. Click Apply. The default settings will be applied.
Step 5. The RADIUS Table will show the RADIUS server entries currently configured on the switch. To add
a new entry, click the Add… button. The Add RADIUS Server window will open.
Step 6. In the Server Definition field, choose whether to contact the RADIUS server By IP address
or By name (hostname). If you selected By IP address, select to use either IPv6 (Version 6)
or IPv4 (Version 4). If you selected Version 6, use the IPv6 Address Type and Link
Local Interface to specify the IPv6 address that will be used.
Step 7. In the Server IP Address/Name field, enter the IP address or the hostname of the RADIUS server.
Step 8. In the Priority field, enter the priority that you want to assign to this server; the switch
will attempt to contact the server with the highest priority and continue down the list until it encounters a
responsive server. The range is 0 – 65535, with 0 being the highest priority.
Step 9. Select the Use Default radio button in the Key String, Timeout for Reply,
Retries, and Dead Time fields to use the settings previously configured in the RADIUS
page. You can also select the User Defined radio buttons to configure settings that are different from
the defaults; if you do this, these settings will only be used for this specific RADIUS server.
Step 10. In the Authentication Port field, specify the port that will be used for authentication
communication with the RADIUS server. It is recommended that this be left on the default port, 1812.
Step 11. In the Accounting Port field, specify the port that will be used for accounting communication
with the RADIUS server. It is recommended that this be left on the default port, 1813.
Step 12. In the Usage Type field, select what the RADIUS server will be used for. When configuring
802.1X, select either the 802.1x or All radio buttons to use the RADIUS server for 802.1X port
Step 13. Click Apply. The server will be added to the RADIUS Table. To enable port-based 802.1X
authentication, please continue to the next section.
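How the Key String from Step 3 is used on the wire, as an added example that is not part of the original article or Cisco's code: a Python implementation of the RFC 2865 Response Authenticator check that a RADIUS client performs on each reply. The user name, key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)


def user_name_attr(name: str) -> bytes:
    """Encode a User-Name attribute (type 1) as type, length, value."""
    value = name.encode()
    return bytes([1, len(value) + 2]) + value


def build_request(identifier: int, attributes: bytes) -> bytes:
    """Switch side: Access-Request with a random 16-byte Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + os.urandom(16) + attributes


def sign_reply(code: int, request: bytes, attributes: bytes, key: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(code, id, length,
    Request Authenticator, attributes, shared secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    digest = hashlib.md5(header + request[4:20] + attributes + key).digest()
    return header + digest + attributes


def reply_is_authentic(reply: bytes, request: bytes, key: bytes) -> bool:
    """Switch side: recompute the digest with the locally configured Key String."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False  # truncated, or not the answer to this request
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False  # length field disagrees with the datagram
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + key).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> tuple[bool, bool]:
    """Constructed exchange: same key on both sides, then a mismatched key."""
    request = build_request(7, user_name_attr("alice"))
    reply = sign_reply(ACCESS_ACCEPT, request, b"", b"constructed-key")
    return (reply_is_authentic(reply, request, b"constructed-key"),
            reply_is_authentic(reply, request, b"another-key"))


if __name__ == "__main__":
    print(demo())
```

RFC 2865 has the client silently discard a reply that fails this check, so a mismatched Key String looks like a server that never responds and falls through to the Retries and Authentication Method settings.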
Enabling Port-Based Authentication
Step 1. In the web configuration utility, go to Security > 802.1X/MAC/Web Authentication >
Properties. The Properties page opens.
Step 2. In the Port-Based Authentication field, check the Enable checkbox to enable port-based
authentication. This is enabled by default.
Step 3. In the Authentication Method field, choose a radio button to determine how port-based
authentication will work.
The options are:
• RADIUS, None – The switch will attempt to contact the RADIUS server(s) defined on the RADIUS page. If
no response is received from the server(s), then no authentication is performed and the session is permitted. If
the server is responsive, and the credentials are incorrect, then the session is denied. In other words, this
option fails open: while no RADIUS server is reachable, clients are admitted without a credential check.
• RADIUS – The switch will attempt to contact the RADIUS server(s) defined on the RADIUS page. If no
response is received from the server(s), the session is denied. For the most secure 802.1X implementation, this
option is recommended.
• None – No authentication is performed. All sessions will be permitted. This option will not implement 802.1X.
Step 4. Click Apply.
Step 5. Navigate to Security > 802.1X/MAC/Web Authentication > Port Authentication. The Port
Authentication page opens.
Step 6. Select the port that you want to configure by selecting its radio button in the Port Authentication
Table and clicking the Edit… button. The Edit Port Authentication window opens.
Step 7. In the Administrative Port Control field, choose a radio button to determine how the port will
authorize sessions. The Current Port Control field displays the current authorization state of the
The options are:
• Force Unauthorized – Moves the interface into an unauthorized state. The device does not provide authentication
to any clients connected to this port, and denies access.
• Auto – Enables port-based authentication for the selected port. Moves the interface between authorized and
unauthorized depending on the outcome of the authentication procedure. Choose this option to implement 802.1X.
• Force Authorized – Moves the interface into an authorized state. The device will provide access to any client
that connects to this port without authentication.
Step 8. Check the Enable checkbox in the 802.1X Based Authentication field to enable 802.1X
authentication for the selected port.
Step 9. Click Apply. The port should now be fully configured for 802.1X port-based authentication, and is
ready to start authenticating any clients that connect to it. Use the Interface field to select a
different port to configure without going back to the Port Authentication page.
Step 10. If you want to quickly copy a port’s settings to another port or range of ports, click the radio button
of the port you want to copy in the Port Authentication Table and click the Copy Settings…
button. The Copy Settings window opens.
Step 11. In the text field, enter the port or ports (separated by commas) you want to copy the settings to. You
can also specify a range of ports. Then, click Apply to copy the settings.
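A check over the settings from both sections, as an added example that is not part of the original article: the Python function below flags the choices described above that leave a port open or unauthenticated. The dictionary layout, port names and server address are constructed, and the layout is an assumption rather than a format the switch produces.

```python
# Added example: key names mirror the GUI field labels in this article; they
# are an assumed representation, not an export format of the switch.
SAMPLE = {  # constructed settings, as an operator might record them
    "port_based_authentication": True,
    "authentication_method": "RADIUS, None",
    # "Login" is a constructed value standing for any usage other than 802.1x/All
    "radius_servers": [{"server": "192.0.2.10", "priority": 0, "usage_type": "Login"}],
    "ports": {
        "GE1": {"admin_port_control": "Auto", "dot1x_based_auth": True},
        "GE2": {"admin_port_control": "Force Authorized", "dot1x_based_auth": False},
        "GE3": {"admin_port_control": "Auto", "dot1x_based_auth": False},
    },
}


def audit(cfg: dict) -> list[str]:
    """Return one finding per setting that leaves a port open or unauthenticated."""
    findings = []
    if not cfg["port_based_authentication"]:
        findings.append("global: Port-Based Authentication is not enabled")
    method = cfg["authentication_method"]
    if method == "None":
        findings.append("global: method None performs no authentication")
    elif method == "RADIUS, None":
        findings.append("global: 'RADIUS, None' permits sessions when no server responds")
    if method != "None" and not any(
        s["usage_type"] in ("802.1x", "All") for s in cfg["radius_servers"]
    ):
        findings.append("global: no RADIUS server has Usage Type 802.1x or All")
    for name, port in sorted(cfg["ports"].items()):
        control = port["admin_port_control"]
        if control == "Force Authorized":
            findings.append(f"{name}: Force Authorized admits clients without authentication")
        elif control == "Auto" and not port["dot1x_based_auth"]:
            findings.append(f"{name}: Auto set but 802.1X Based Authentication is unchecked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```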