Below is a quick guide to 802.1x port-based authentication using a RADIUS server.
– First, enable AAA.
ALS1(config)#aaa new-model
– Configure the address of the RADIUS server and its shared key.
ALS1(config)#radius-server host 172.16.1.1 key abc123
– Then configure what needs authentication and how to authenticate it. In this case it is dot1x, using RADIUS as the authentication method.
ALS1(config)#aaa authentication dot1x default group radius
– Globally enable dot1x. Note that this only turns the feature on; each port still has to be configured, as in the next step.
ALS1(config)#dot1x system-auth-control
– Next, configure the access port, or group of access ports, to use 802.1x to authenticate users against RADIUS. Note that IOS may not show the dot1x sub-commands if you haven’t configured the port as an access port.
ALS1(config-if)#int fa0/6
ALS1(config-if)#switchport mode access
ALS1(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized
ALS1(config-if)#dot1x port-control auto
Auto
– Enables 802.1x port-based authentication on the port.
Force-authorized
– Disables 802.1x on the port; the port automatically transitions to the authorized state.
Force-unauthorized
– Causes the port to remain in the unauthorized state, effectively making the port useless.
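
To check that every step above actually made it into a switch's running-config, the following audit script can be run over a saved copy of the config. It is an added example, not part of the original guide; the function name `audit_dot1x` and the sample config are constructed for illustration.

```python
import re

# Global commands from the guide; all four must be present.
REQUIRED = {
    "aaa new-model": r"aaa new-model$",
    "radius-server host": r"radius-server host \S+",
    "aaa authentication dot1x": r"aaa authentication dot1x default group radius$",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
}

# Constructed sample running-config (not from a real device).
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 172.16.1.1 key abc123
!
interface FastEthernet0/6
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access
 dot1x port-control force-authorized
"""

def audit_dot1x(config_text):
    """Return sorted findings for a running-config supplied as text."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = [f"global: missing '{name}'" for name, p in REQUIRED.items()
                if not any(re.match(p, l) for l in lines)]
    # Group sub-commands under their 'interface' stanza.
    ports, current = {}, None
    for l in lines:
        if l.startswith("interface "):
            current = ports.setdefault(l.split(None, 1)[1], [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue  # the guide applies dot1x to access ports only
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("dot1x port-control ")), None)
        if mode != "auto":
            findings.append(f"{name}: port-control is {mode or 'not set'}, expected auto")
    return sorted(findings)
```

Calling `audit_dot1x(SAMPLE)` reports the missing `dot1x system-auth-control` line and the two access ports that are not set to `auto`.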