Re: RE: dot1x authentication with vlan assignment

From: Ty (tycampbell@comcast.net)
Date: Thu Aug 12 2004 - 23:06:10 GMT-3


What Brian is speaking of is on the DOC CD...

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/sw8021x.htm#wp1025090

Enabling 802.1x Authentication
To enable 802.1x port-based authentication, you must enable AAA and specify
the authentication method list. A method list describes the sequence and
authentication methods to be queried to authenticate a user.

The software uses the first method listed to authenticate users; if that
method fails to respond, the software selects the next authentication method
in the method list. This process continues until there is successful
communication with a listed authentication method or until all defined
methods are exhausted. If authentication fails at any point in this cycle,
the authentication process stops, and no other authentication methods are
attempted.

To allow per-user ACLs and VLAN assignment, you must enable AAA
authorization to configure the switch for all network-related service
requests.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x
port-based authentication. This procedure is required.

This example shows how to enable AAA and 802.1x on a port:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

HTH!

Ty

----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
Sent: Thursday, August 12, 2004 6:10 PM
Subject: RE: RE: dot1x authentication with vlan assignment

> That's why I mentioned that "aaa authorization network default group
> radius" should be added. If everything was documented clearly and
> correctly we wouldn't need GroupStudy would we? ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> gladston@br.ibm.com
> Sent: Thursday, August 12, 2004 5:47 AM
> To: ccielab@groupstudy.com
> Subject: Re: RE: dot1x authentication with vlan assignment
>
> ============================
> quoted,
> Be sure to enable "aaa authorization network default group
> radius" to allow the VLAN to be dynamically assigned.
> ===========================
>
>
> Brian,
>
> I could not find a Cisco URL documenting it. Is it there?
>
> Thanks
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
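
The checklist from this thread as a config audit, added here as an example that is not part of the original messages or of Cisco's documentation: it checks a saved switch configuration for the global commands in the quoted example plus the `aaa authorization network default group radius` line Brian mentions, and for ports that enable dot1x without the `switchport mode access` line shown in the example. The function names and the sample configuration are constructed for illustration.

```python
# Global commands from the thread; the last one is the line needed for VLAN assignment.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
    "aaa authorization network default group radius",
]

# Constructed sample in running-config layout (not taken from a real switch).
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 dot1x port-control auto
!
"""

def parse_interfaces(config):
    """Map each interface name to the commands indented beneath it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if raw.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[:1].isspace() and current and line:
            interfaces[current].append(line.lower())
        elif line:  # "!" or any other top-level line closes the interface block
            current = None
    return interfaces

def audit(config):
    """Return findings; an empty list means every check passed."""
    top_level = {" ".join(l.split()).lower() for l in config.splitlines()
                 if l and not l[0].isspace()}
    findings = [f"missing global command: {cmd}"
                for cmd in REQUIRED_GLOBAL if cmd not in top_level]
    for name, cmds in parse_interfaces(config).items():
        if "dot1x port-control auto" in cmds and "switchport mode access" not in cmds:
            findings.append(f"{name}: dot1x enabled without 'switchport mode access'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```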



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:42 GMT-3