802.1x

We can use 802.1x to perform user authentication to the access layer switch. The authentication requires users to provide the username and password. The client communicates with the switch ( Authenticator ) by EAP over LAN. Switch will send the Radius message with EAP Attribute to the Authentication Server ( Radius Server). If the authentication process is successful. The switch will give client an access to the network. Otherwise, it will put client to the restricted access VLAN or even deny all access to the network

Configuration Example

Enable AAA

aaa new-model
aaa authentication dot1x default group radius

dot1x system-auth-control


!
!

radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key test

Enable port 802.1x authentication 

interface FastEthernet0/1

 duplex auto

 speed auto

 dot1x port-control auto

**Note**

There are 3 options in dot1x port control 

SW(config-if)#dot1x port-control ?

  auto                PortState will be set to AUTO

  force-authorized    PortState set to Authorized

  force-unauthorized  PortState will be set to UnAuthorized

We can change the attribute of authentication process in the interface subcommand. Use '?' for help tuning configuration