Configuring IEEE 802.1x Port-Based Authentication

This chapter describes how to configure IEEE 802.1x port-based authentication. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a standalone switch.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

How to Configure 802.1x Port-Based Authentication

Default 802.1x Authentication Configuration

Table 1. Default 802.1x Authentication Configuration

Feature

Default Setting

Switch 802.1x enable state

Disabled.

Per-port 802.1x enable state

Disabled (force-authorized).

The port sends and receives normal traffic without 802.1x-based authentication of the client.

AAA

Disabled.

RADIUS server

  • IP address

  • UDP authentication port

  • Default accounting port

  • Key

  • None specified.

  • 1645.

  • 1646.

  • None specified.

Host mode

Single-host mode.

Control direction

Bidirectional control.

Periodic re-authentication

Disabled.

Number of seconds between re-authentication attempts

3600 seconds.

Re-authentication number

2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state).

Quiet period

60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client).

Retransmission time

30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).

Maximum retransmission number

2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).

Client timeout period

30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.)

Authentication server timeout period

30 seconds (when relaying a response from the client to the authentication server, the amount of time the switch waits for a reply before resending the response to the server.)

You can change this timeout period by using the dot1x timeout server-timeout interface configuration command.

Inactivity timeout

Disabled.

Guest VLAN

None specified.

Inaccessible authentication bypass

Disabled.

Restricted VLAN

None specified.

Authenticator (switch) mode

None specified.

MAC authentication bypass

Disabled.

Voice-aware security

Disabled.

802.1x Authentication Configuration Guidelines

802.1x Authentication

These are the 802.1x authentication configuration guidelines:

  • When 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

  • If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.

    If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.

  • The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:

    • Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed.

    • EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled.

    • Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable 802.1x authentication on a SPAN or RSPAN source port.

  • Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.

  • Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication.

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible authentication bypass:

  • When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

  • You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

  • After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process (authentication timer inactivity and authentication timer reauthentication interface configuration commands). The amount to decrease the settings depends on the connected 802.1x client type.

  • When configuring the inaccessible authentication bypass feature, follow these guidelines:

    • The feature is supported on 802.1x port in single-host mode and multihosts mode.

    • If the client is running Windows XP and the port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.

    • If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.

    • You can configure the inaccessible authentication bypass feature and the restricted VLAN on an 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, switch changes the port state to the critical authentication state and remains in the restricted VLAN.

    • If the CTS links are in Critical Authentication mode and the active switch reloads, the policy where SGT was configured on a device will not be available on the new active switch. This is because the internal bindings will not be synced to the standby switch in a 3750-X switch stack.

  • You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

  • When wireless guest clients obtains IP from foreign client VLAN instead of anchor client VLAN, you should use the ip dhcp required command under the WLAN configuration to force clients to issue a new DHCP request. This prevents the clients from getting an incorrect IP at anchor.

  • If the wired guest clients fail to get IP address after a Cisco WLC (foreign) reload, perform a shut/no shut on the ports used by the clients to reconnect them.

MAC Authentication Bypass

These are the MAC authentication bypass configuration guidelines:

  • Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x authentication guidelines.

  • If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.

  • If the port is in the unauthorized state and the client MAC address is not the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.

  • If the port is in the authorized state, the port remains in this state until re-authorization occurs.

  • You can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1to 65535 seconds.

Maximum Number of Allowed Devices Per Port

This is the maximum number of devices allowed on an 802.1x-enabled port:

  • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.

  • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP phone is allowed for the voice VLAN.

  • In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the voice VLAN.

Configuring 802.1x Violation Modes

You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when:

  • a device connects to an 802.1x-enabled port

  • the maximum number of allowed about devices have been authenticated on the port

Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch:

SUMMARY STEPS

  1. configure terminal
  2. aaa new-model
  3. aaa authentication dot1x {default} method1
  4. interface interface-id
  5. switchport mode access
  6. authentication violation {shutdown | restrict | protect | replace}
  7. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

aaa new-model

Example:


Device(config)# aaa new-model

Enables AAA.

Step 3

aaa authentication dot1x {default} method1

Example:


Device(config)# aaa authentication dot1x default group radius

Creates an 802.1x authentication method list.

To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports.

For method1 , enter the group radius keywords to use the list of all RADIUS servers for authentication.

Step 4

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/4interface gigabitethernet1/0/4

Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode.

Step 5

switchport mode access

Example:


Device(config-if)# switchport mode access

Sets the port to access mode.

Step 6

authentication violation {shutdown | restrict | protect | replace}

Example:


Device(config-if)# authentication violation restrict

Configures the violation mode. The keywords have these meanings:

  • shutdown –Error disable the port.

  • restrict –Generate a syslog error.

  • protect –Drop packets from any new device that sends traffic to the port.

  • replace –Removes the current session and authenticates with the new host.

Step 7

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring 802.1x Authentication

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

This is the 802.1x AAA process:

Before you begin

To configure 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.

SUMMARY STEPS

  1. A user connects to a port on the switch.
  2. Authentication is performed.
  3. VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
  4. The switch sends a start message to an accounting server.
  5. Re-authentication is performed, as necessary.
  6. The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
  7. The user disconnects from the port.
  8. The switch sends a stop message to the accounting server.

DETAILED STEPS

  Command or Action Purpose

Step 1

A user connects to a port on the switch.

Step 2

Authentication is performed.

Step 3

VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.

Step 4

The switch sends a start message to an accounting server.

Step 5

Re-authentication is performed, as necessary.

Step 6

The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.

Step 7

The user disconnects from the port.

Step 8

The switch sends a stop message to the accounting server.

Configuring 802.1x Port-Based Authentication

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:

SUMMARY STEPS

  1. configure terminal
  2. aaa new-model
  3. aaa authentication dot1x {default} method1
  4. dot1x system-auth-control
  5. aaa authorization network {default} group radius
  6. radius-server host ip-address
  7. radius-server key string
  8. interface interface-id
  9. switchport mode access
  10. authentication port-control auto
  11. dot1x pae authenticator
  12. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

aaa new-model

Example:


Device(config)# aaa new-model

Enables AAA.

Step 3

aaa authentication dot1x {default} method1

Example:


Device(config)# aaa authentication dot1x default group radius

Creates an 802.1x authentication method list.

To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports.

For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.

Note

 

Though other keywords are visible in the command-line help string, only the group radius keywords are supported.

Step 4

dot1x system-auth-control

Example:


Device(config)# dot1x system-auth-control

Enables 802.1x authentication globally on the switch.

Step 5

aaa authorization network {default} group radius

Example:


Device(config)# aaa authorization network default group radius

(Optional) Configures the switch to use user-RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment.

Step 6

radius-server host ip-address

Example:


Device(config)# radius-server host 124.2.2.12

(Optional) Specifies the IP address of the RADIUS server.

Step 7

radius-server key string

Example:


Device(config)# radius-server key abc1234

(Optional) Specifies the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.

Step 8

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/2interface gigabitethernet1/0/2

Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode.

Step 9

switchport mode access

Example:


Device(config-if)# switchport mode access

(Optional) Sets the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.

Step 10

authentication port-control auto

Example:


Device(config-if)# authentication port-control auto

Enables 802.1x authentication on the port.

Step 11

dot1x pae authenticator

Example:


Device(config-if)# dot1x pae authenticator

Sets the interface Port Access Entity to act only as an authenticator and ignore messages meant for a supplicant.

Step 12

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring the Switch-to-RADIUS-Server Communication

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout , the radius-server retransmit , and the radius-server key global configuration commands.

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.

Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.

Before you begin

You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius-server host {hostname | ip-address} auth-port port-number key string
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

radius-server host {hostname | ip-address} auth-port port-number key string

Example:


Device(config)# radius-server host 125.5.5.43 auth-port 1645 key rad123

Configures the RADIUS server parameters.

For hostname | ip-address , specify the server name or IP address of the remote RADIUS server.

For auth-port port-number , specify the UDP destination port for authentication requests. The default is 1645. The range is 0 to 65536.

For key string , specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

Note

 

Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.

If you want to use multiple RADIUS servers, re-enter this command.

Step 4

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Configuring the Host Mode

Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the authentication port-control interface configuration command set to auto . Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to which multiple hosts are indirectly attached, and enter interface configuration mode.

Step 3

authentication host-mode [multi-auth | multi-domain | multi-host | single-host]

Example:


Device(config-if)# authentication host-mode multi-host

Allows multiple hosts (clients) on an 802.1x-authorized port.

The keywords have these meanings:

  • multi-auth –Allow multiple authenticated clients on both the voice VLAN and data VLAN.

    Note

     

    The multi-auth keyword is only available with the authentication host-mode command.

  • multi-host –Allow multiple hosts on an 802.1x-authorized port after a single host has been authenticated.

  • multi-domain –Allow both a host and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an IEEE 802.1x-authorized port.

    Note

     

    You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain .

Make sure that the authentication port-control interface configuration command is set to auto for the specified interface.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring Periodic Re-Authentication

You can enable periodic 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.

Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication periodic
  4. authentication timer {{[inactivity | reauthenticate | restart | unauthorized]} {value}}
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication periodic

Example:


Device(config-if)# authentication periodic

Enables periodic re-authentication of the client, which is disabled by default.

Note

 

The default value is 3600 seconds. To change the value of the reauthentication timer or to have the switch use a RADIUS-provided session timeout, enter the authentication timer reauthenticate command.

Step 4

authentication timer {{[inactivity | reauthenticate | restart | unauthorized]} {value}}

Example:


Device(config-if)# authentication timer reauthenticate 180

Sets the number of seconds between re-authentication attempts.

The authentication timer keywords have these meanings:

  • inactivity —Interval in seconds after which if there is no activity from the client then it is unauthorized

  • reauthenticate —Time in seconds after which an automatic re-authentication attempt is initiated

  • restart value —Interval in seconds after which an attempt is made to authenticate an unauthorized port

  • unauthorized value —Interval in seconds after which an unauthorized session will get deleted

This command affects the behavior of the switch only if periodic re-authentication is enabled.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The authentication timer restart interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a number smaller than the default.

Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication timer restart seconds
  4. end
  5. show authentication sessions interface interface-id
  6. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication timer restart seconds

Example:


Device(config-if)# authentication timer restart 30

Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.

The range is 1 to 65535 seconds; the default is 60.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Step 5

show authentication sessions interface interface-id

Example:


Device# show authentication sessions interface gigabitethernet 0/1interface gigabitethernet2/0/1

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.


Note


You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.


Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication timer reauthenticate seconds
  4. end
  5. show authentication sessions interface interface-id
  6. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication timer reauthenticate seconds

Example:


Device(config-if)# authentication timer reauthenticate 60

Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.

The range is 1 to 65535 seconds; the default is 5.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Step 5

show authentication sessions interface interface-id

Example:


Device# show authentication sessions interface gigabitethernet 0/1interface gigabitethernet2/0/1

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Setting the Switch-to-Client Frame-Retransmission Number

In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.


Note


You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.


Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. dot1x max-reauth-req count
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

dot1x max-reauth-req count

Example:


Device(config-if)# dot1x max-reauth-req 5

Sets the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Setting the Re-Authentication Number

You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.


Note


You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.


Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. switchport mode access
  4. dot1x max-req count
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device# interface gigabitethernet 0/1interface gigabitethernet2/0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

switchport mode access

Example:


Device(config-if)# switchport mode access

Sets the port to access mode only if you previously configured the RADIUS server.

Step 4

dot1x max-req count

Example:


Device(config-if)# dot1x max-req 4

Sets the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring 802.1x Accounting

Enabling AAA system accounting with 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active 802.1x sessions are closed.

Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, this system message appears:


Accounting message %s for session %s failed to receive Accounting Response.

When the stop message is not sent successfully, this message appears:


00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.


Note


You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.


Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. aaa accounting dot1x default start-stop group radius
  4. aaa accounting system default start-stop group radius
  5. end
  6. show running-config
  7. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/3interface gigabitethernet1/0/3

Specifies the port to be configured, and enter interface configuration mode.

Step 3

aaa accounting dot1x default start-stop group radius

Example:


Device(config-if)# aaa accounting dot1x default start-stop group radius

Enables 802.1x accounting using the list of all RADIUS servers.

Step 4

aaa accounting system default start-stop group radius

Example:


Device(config-if)# aaa accounting system default start-stop group radius

(Optional) Enables system accounting (using the list of all RADIUS servers) and generates system accounting reload event messages when the switch reloads.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEc mode.

Step 6

show running-config

Example:


Device# show running-config

Verifies your entries.

Step 7

copy running-config startup-config

Example:


Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring a Guest VLAN

When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but that fail authentication are not granted network access. The switch supports guest VLANs in single-host or multiple-hosts mode.

Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication event no-response action authorize vlan vlan-id
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/2

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication event no-response action authorize vlan vlan-id

Example:


Device(config-if)# authentication event no-response action authorize vlan 2

Specifies an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094.

You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch stack, clients that are IEEE 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.

Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication port-control auto
  4. authentication event fail action authorize vlan vlan-id
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/2

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication port-control auto

Example:


Device(config-if)# authentication port-control auto

Enables 802.1x authentication on the port.

Step 4

authentication event fail action authorize vlan vlan-id

Example:


Device(config-if)# authentication event fail action authorize vlan 2

Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094.

You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring Number of Authentication Attempts on a Restricted VLAN

You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.

Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication port-control auto
  4. authentication event fail action authorize vlan vlan-id
  5. authentication event retry retry count
  6. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/3

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication port-control auto

Example:


Device(config-if)# authentication port-control auto

Enables 802.1x authentication on the port.

Step 4

authentication event fail action authorize vlan vlan-id

Example:


Device(config-if)# authentication event fail action authorize vlan 8

Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094.

You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.

Step 5

authentication event retry retry count

Example:


Device(config-if)# authentication event retry 2

Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.

Step 6

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN

Beginning in privileged EXEC mode, follow these steps to configure critical voice VLAN on a port and enable the inaccessible authentication bypass feature.

SUMMARY STEPS

  1. configure terminal
  2. aaa new-model
  3. radius-server dead-criteria{time seconds } [tries number]
  4. radius-serverdeadtimeminutes
  5. radius-server host ip-address address[acct-port udp-port][auth-port udp-port] [testusername name[idle-time time] [ignore-acct-port][ignore auth-port]] [key string]
  6. dot1x critical {eapol | recovery delay milliseconds}
  7. interface interface-id
  8. authentication event server dead action {authorize | reinitialize} vlan vlan-id]
  9. switchport voice vlan vlan-id
  10. authentication event server dead action authorize voice
  11. show authentication interface interface-id
  12. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

aaa new-model

Example:


Device(config)# aaa new-model

Enables AAA.

Step 3

radius-server dead-criteria{time seconds } [tries number]

Example:


Device(config)# radius-server dead-criteria time 20 tries 10

Sets the conditions that determine when a RADIUS server is considered un-available or down (dead).

  • time— 1 to 120 seconds. The switch dynamically determines a default seconds value between 10 and 60.

  • number—1 to 100 tries. The switch dynamically determines a default triesnumber between 10 and 100.

Step 4

radius-serverdeadtimeminutes

Example:


Device(config)# radius-server deadtime 60

(Optional) Sets the number of minutes during which a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.

Step 5

radius-server host ip-address address[acct-port udp-port][auth-port udp-port] [testusername name[idle-time time] [ignore-acct-port][ignore auth-port]] [key string]

Example:


Device(config)# radius-server host 10.0.0.10 acct-port 1550 auth-port 
1560 test username user1 idle-time 30 key abc1234

(Optional) Configure the RADIUS server parameters by using these keywords:

  • acct-portudp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646.

  • auth-portudp-port—Specify the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645.

    Note

     

    You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.

  • test usernamename—Enable automated testing of the RADIUS server status, and specify the username to be used.

  • idle-time time—Set the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).

  • ignore-acct-port—Disable testing on the RADIUS-server accounting port.

  • ignore-auth-port—Disable testing on the RADIUS-server authentication port.

  • For keystring, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

    Note

     

    Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.

You can also configure the authentication and encryption key by using theradius-server key {0string | 7string | string} global configuration command.

Step 6

dot1x critical {eapol | recovery delay milliseconds}

Example:


Device(config)# dot1x critical eapol
(config)# dot1x critical recovery delay 2000

(Optional) Configure the parameters for inaccessible authentication bypass:

  • eapol—Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port.

  • recovery delaymilliseconds—Set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The range is from 1 to 10000 milliseconds. The default is 1000 milliseconds (a port can be re-initialized every second).

Step 7

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1

Specify the port to be configured, and enter interface configuration mode.

Step 8

authentication event server dead action {authorize | reinitialize} vlan vlan-id]

Example:


Device(config-if)# authentication event server dead action 
reinitialicze vlan 20

Use these keywords to move hosts on the port if the RADIUS server is unreachable:

  • authorize—Move any new hosts trying to authenticate to the user-specified critical VLAN.

  • reinitialize—Move all authorized hosts on the port to the user-specified critical VLAN.

Step 9

switchport voice vlan vlan-id

Example:


Device(config-if)# switchport voice vlan  

Specifies the voice VLAN for the port. The voice VLAN cannot be the same as the critical data VLAN configured in Step 6.

Step 10

authentication event server dead action authorize voice

Example:


Device(config-if)#  authentication event server dead action 
authorize voice

Configures critical voice VLAN to move data traffic on the port to the voice VLAN if the RADIUS server is unreachable.

Step 11

show authentication interface interface-id

Example:


Device(config-if)#  do show authentication interface gigabit 1/0/1

(Optional) Verify your entries.

Step 12

copy running-config startup-config

Example:


Device(config-if)#  do copy running-config startup-config

(Optional) Verify your entries.

Example

To return to the RADIUS server default settings, use the no radius-server dead-criteria, the no radius-server deadtime, and the no radius-server host global configuration commands. To disable inaccessible authentication bypass, use the no authentication event server dead action interface configuration command. To disable critical voice VLAN, use the no authentication event server dead action authorize voice interface configuration command.

Example of Configuring Inaccessible Authentication Bypass

This example shows how to configure the inaccessible authentication bypass feature:


Device(config)# radius-server dead-criteria time 30 tries 20
Device(config)# radius-server deadtime 60
Device(config)# radius-server host 10.0.0.10 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
Device(config)# dot1x critical eapol
Device(config)# dot1x critical recovery delay 2000
Device(config)# interface gigabitethernet 0/1
Device(config-if)# dot1x critical
Device(config-if)# dot1x critical recovery action reinitialize
Device(config-if)# dot1x critical vlan 20
Device(config-if)# end

Configuring 802.1x Authentication with WoL

Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication control-direction {both | in}
  4. end
  5. show authentication sessions interface interface-id
  6. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet2/0/3

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication control-direction {both | in}

Example:


Device(config-if)# authentication control-direction both

Enables 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.

  • both —Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.

  • in —Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Step 5

show authentication sessions interface interface-id

Example:


Device# show authentication sessions interface gigabitethernet2/0/3

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring MAC Authentication Bypass

Beginning in privileged EXEC mode, follow these steps to enable MAC authentication bypass. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. authentication port-control auto
  4. mab [eap]
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

authentication port-control auto

Example:


Device(config-if)# authentication port-control auto

Enables 802.1x authentication on the port.

Step 4

mab [eap]

Example:


Device(config-if)# mab

Enables MAC authentication bypass.

(Optional) Use the eap keyword to configure the switch to use EAP for authorization.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Formatting a MAC Authentication Bypass Username and Password

Use the optional mab request format command to format the MAB username and password in a style accepted by the authentication server. The username and password are usually the MAC address of the client. Some authentication server configurations require the password to be different from the username.

Beginning in privileged EXEC mode, follow these steps to format MAC authentication bypass username and passwords.

SUMMARY STEPS

  1. configure terminal
  2. mab request format attribute 1 groupsize {1 | 2 | 4 |12} [separator {- | : | .} {lowercase | uppercase}]
  3. mab request format attribute2 {0 | 7} text
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

mab request format attribute 1 groupsize {1 | 2 | 4 |12} [separator {- | : | .} {lowercase | uppercase}]

Example:


Device(config)# mab request format attribute 1 groupsize 12

Specifies the format of the MAC address in the User-Name attribute of MAB-generated Access-Request packets.

1—Sets the username format of the 12 hex digits of the MAC address.

group size—The number of hex nibbles to concatenate before insertion of a separator. A valid groupsize must be either 1, 2, 4, or 12.

separator—The character that separates the hex nibbles according to group size. A valid separator must be either a hyphen, colon, or period. No separator is used for a group size of 12.

{lowercase | uppercase}—Specifies if nonnumeric hex nibbles should be in lowercase or uppercase.

Step 3

mab request format attribute2 {0 | 7} text

Example:


Device(config)# mab request format attribute 2 7 A02f44E18B12

2—Specifies a custom (nondefault) value for the User-Password attribute in MAB-generated Access-Request packets.

0—Specifies a cleartext password to follow.

7—Specifies an encrypted password to follow.

text—Specifies the password to be used in the User-Password attribute.

Note

 

When you send configuration information in e-mail, remove type 7 password information. The show tech-support command removes this information from its output by default.

Step 4

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Configuring Limiting Login for Users

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa authentication login default local
  5. aaa authentication rejected n in m ban x
  6. end
  7. show aaa local user blocked
  8. clear aaa local user blocked username username

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables the authentication, authorization, and accounting (AAA) access control model.

Step 4

aaa authentication login default local

Example:

Device(config)# aaa authentication login default local

Sets the authentication, authorization, and accounting (AAA) authentication by using the default authentication methods.

Step 5

aaa authentication rejected n in m ban x

Example:

Device(config)# aaa authentication rejected 3 in 20 ban 300
Configures the time period for which an user is blocked, if the user fails to successfully login within the specified time and login attempts.
  • n —Specifies the number of times a user can try to login.

  • m —Specifies the number of seconds within which an user can try to login.

  • x —Specifies the time period an user is banned if the user fails to successfully login.

Step 6

end

Example:

Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 7

show aaa local user blocked

Example:

Device# show aaa local user blocked

Displays the list of local users who were blocked.

Step 8

clear aaa local user blocked username username

Example:

Device# clear aaa local user blocked username user1

Clears the information about the blocked local user.

Example

The following is sample output from the show aaa local user blocked command:

Device# show aaa local user blocked

       Local-user                  State

       user1                       Watched (till 11:34:42 IST Feb 5 2015)


Configuring VLAN ID-based MAC Authentication

Beginning in privileged EXEC mode, follow these steps:

SUMMARY STEPS

  1. configure terminal
  2. mab request format attribute 32 vlan access-vlan
  3. copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

mab request format attribute 32 vlan access-vlan

Example:


Device(config)# mab request format attribute 32 vlan access-vlan

Enables VLAN ID-based MAC authentication.

Step 3

copy running-config startup-config

Example:


Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Configuring Open1x

Beginning in privileged EXEC mode, follow these steps to enable manual control of the port authorization state:

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. switchport mode access
  4. authentication control-direction {both | in}
  5. authentication fallback name
  6. authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
  7. authentication open
  8. authentication order [ dot1x | mab ] | {webauth}
  9. authentication periodic
  10. authentication port-control {auto | force-authorized | force-un authorized}
  11. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

switchport mode access

Example:


Device(config-if)# switchport mode access

Sets the port to access mode only if you configured the RADIUS server.

Step 4

authentication control-direction {both | in}

Example:


Device(config-if)# authentication control-direction both

(Optional) Configures the port control as unidirectional or bidirectional.

Step 5

authentication fallback name

Example:


Device(config-if)# authentication fallback profile1

(Optional) Configures a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.

Step 6

authentication host-mode [multi-auth | multi-domain | multi-host | single-host]

Example:


Device(config-if)# authentication host-mode multi-auth

(Optional) Sets the authorization manager mode on a port.

Step 7

authentication open

Example:


Device(config-if)# authentication open

(Optional) Enables or disable open access on a port.

Step 8

authentication order [ dot1x | mab ] | {webauth}

Example:


Device(config-if)# authentication order dot1x webauth

(Optional) Sets the order of authentication methods used on a port.

Step 9

authentication periodic

Example:


Device(config-if)# authentication periodic

(Optional) Enables or disable reauthentication on a port.

Step 10

authentication port-control {auto | force-authorized | force-un authorized}

Example:


Device(config-if)# authentication port-control auto

(Optional) Enables manual control of the port authorization state.

Step 11

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Disabling 802.1x Authentication on the Port

You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command.

Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. switchport mode access
  4. no dot1x pae authenticator
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/1

Specifies the port to be configured, and enter interface configuration mode.

Step 3

switchport mode access

Example:


Device(config-if)# switchport mode access

(Optional) Sets the port to access mode only if you configured the RADIUS server.

Step 4

no dot1x pae authenticator

Example:


Device(config-if)# no dot1x pae authenticator

Disables 802.1x authentication on the port.

Step 5

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Resetting the 802.1x Authentication Configuration to the Default Values

Beginning in privileged EXEC mode, follow these steps to reset the 802.1x authentication configuration to the default values. This procedure is optional.

SUMMARY STEPS

  1. configure terminal
  2. interface interface-id
  3. dot1x default
  4. end

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id

Example:


Device(config)# interface gigabitethernet 0/2

Enters interface configuration mode, and specify the port to be configured.

Step 3

dot1x default

Example:


Device(config-if)# dot1x default

Resets the 802.1x parameters to the default values.

Step 4

end

Example:


Device(config-if)# end

Returns to privileged EXEC mode.

Monitoring 802.1x Statistics and Status

Table 2. Privileged EXEC show Commands

Command

Purpose

show dot1x all statistics

Displays 802.1x statistics for all ports

show dot1x interface interface-id statistics

Displays 802.1x statistics for a specific port

show dot1x all [count | details | statistics | summary]

Displays the 802.1x administrative and operational status for a switch

show dot1x interface interface-id

Displays the 802.1x administrative and operational status for a specific port

Table 3. Global Configuration Commands

Command

Purpose

no dot1x logging verbose

Filters verbose 802.1x authentication messages (beginning with Cisco IOS Release 12.2(55)SE)

For detailed information about the fields in these displays, see the command reference for this release.

Additional References for IEEE 802.1x Port-Based Authentication

Related Documents

Related Topic Document Title

Configuring Identity Control policies and Identity Service templates for Session Aware networking.

Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-xe-3se-3850-book.html

Configuring RADIUS, TACACS+, Secure Shell, 802.1X and AAA.

Securing User Services Configuration Guide Library, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

http://www.cisco.com/en/US/docs/ios-xml/ios/security/config_library/xe-3se/3850/secuser-xe-3se-3850-library.html

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

MIBs

MIB MIBs Link

All the supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for 802.1x Port-Based Authentication

Release Feature Information

Cisco IOS Release 15.0(2)EXCisco IOS Release 15.2(5)E

This feature was introduced.

Supports the use of same authorization methods on all the Catalyst switches in a network.

Supports filtering verbose system messages from the authentication manager.