Defining 802.1X Port Authentication
The Port Authentication page enables configuration of 802.1X parameters for each port. Since some of the configuration changes are only possible while the port is in Force Authorized state, such as host authentication, it is recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.
NOTE A port with 802.1X defined on it cannot become a member of a LAG.
To define 802.1X authentication:
- Click Security > 802.1X > Port Authentication.
  This page displays authentication settings for all ports.
- Select a port, and click Edit.
- Enter the parameters.
  - Interface—Select a port.
  - User Name—Displays the username.
  - Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
  - Administrative Port Control—Select the Administrative Port Authorization state. The options are:
    - Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device does not provide authentication services to the client through the interface.
    - Auto—Enables port-based authentication and authorization on the device. The interface moves between the authorized and unauthorized states based on the authentication exchange between the device and the client.
    - Force Authorized—Authorizes the interface without authentication.
  - RADIUS VLAN Assignment—Select to enable Dynamic VLAN assignment on the selected port. Dynamic VLAN assignment is possible only when the 802.1X mode is set to Multiple Session. (After authentication, the port joins the supplicant VLAN as an untagged port in that VLAN.)
  - Alternate VLAN Assignment—If RADIUS VLAN Assignment is enabled, you can select one of the following options:
    - Enabled—Select an alternative VLAN that is used if the RADIUS server does not assign a VLAN.
    - Disabled—If the RADIUS server does not assign a VLAN, the authentication fails.
  - Guest VLAN—Select to indicate that the usage of a previously-defined Guest VLAN is enabled for the device. The options are:
    - Selected—Enables using a Guest VLAN for unauthorized ports. If a Guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication page.
      After an authentication failure, and if Guest VLAN is activated globally on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN.
    - Cleared—Disables Guest VLAN on the port.
  - Authentication Method—Select the authentication method for the port. The options are:
    - 802.1X Only—802.1X authentication is the only authentication method performed on the port.
    - MAC Only—The port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
    - 802.1X and MAC—Both 802.1X and MAC-based authentication are performed on the device. The 802.1X authentication takes precedence.
  NOTE For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the ":" or "-" separators; for example: 0020aa00bbcc.
  - Periodic Reauthentication—Select to enable port re-authentication attempts after the specified Reauthentication Period.
  - Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.
  - Reauthenticate Now—Select to enable immediate port re-authentication.
  - Authenticator State—Displays the defined port authorization state. The options are:
    - Initialize—The port is in the process of coming up.
    - Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).
    - Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).
  NOTE If the port is not in Force-Authorized or Force-Unauthorized, it is in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.
  - Time Range—Enable a limit on the time that the specific port is authorized for use if 802.1X has been enabled (Port-Based authentication is checked).
  - Time Range Name—Select the profile that specifies the time range.
  - Quiet Period—Enter the number of seconds that the device remains in the quiet state following a failed authentication exchange.
  - Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
  - Max EAP Requests—Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
  - Supplicant Timeout—Enter the number of seconds that elapse before EAP requests are resent to the supplicant.
  - Server Timeout—Enter the number of seconds that elapse before the device resends a request to the authentication server.
  - Termination Cause—Displays the reason for which port authentication was terminated, if applicable.
- Click Apply. The port settings are written to the Running Configuration file.
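The RADIUS side of the MAC authentication note above (username and password both equal to the lower-case, separator-free MAC) and of the RADIUS VLAN Assignment option is easy to get wrong by hand. The following added example, which is not part of this guide or the switch firmware, normalizes a MAC address into the required form and emits a FreeRADIUS `users` entry for it; the dotted notation it also accepts and the assumption that dynamic VLAN assignment consumes the RFC 3580 tunnel attributes go beyond what the page states.

```python
import re
from typing import Optional

# Constructed sample MACs in the separator styles an operator typically
# receives; the switch expects every one of them as "0020aa00bbcc".
SAMPLE_MACS = ["00:20:AA:00:BB:CC", "00-20-aa-00-bb-cc", "0020.aa00.bbcc"]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def mac_auth_username(mac: str) -> str:
    """Return the MAC in the form the switch presents as the RADIUS username.

    Rule from the guide: lower case, without ":" or "-" separators.
    Dotted notation ("0020.aa00.bbcc") is accepted here as an extension.
    """
    cleaned = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def freeradius_users_entry(mac: str, vlan_id: Optional[int] = None) -> str:
    """Build a FreeRADIUS 'users' file entry for one MAC-authenticated host.

    Username and Cleartext-Password are both the normalised MAC. When vlan_id
    is given, RFC 3580 tunnel attributes are added as reply items (assumption:
    the switch's RADIUS VLAN Assignment option reads these standard attributes).
    """
    user = mac_auth_username(mac)
    lines = [f'{user}\tCleartext-Password := "{user}"']
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan_id}")
        lines.append("\tTunnel-Type = VLAN,")
        lines.append("\tTunnel-Medium-Type = IEEE-802,")
        lines.append(f'\tTunnel-Private-Group-Id = "{vlan_id}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sample in SAMPLE_MACS:
        print(freeradius_users_entry(sample, vlan_id=100))
```

Appending the generated entries to the RADIUS server's `users` file gives each permitted host a credential the switch can match; an invalid or truncated MAC raises instead of producing a silently unusable entry.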