Lab Setup
- Make the physical connections as per the scenario above and the IP addresses as noted below.
Lab Objectives
- The PC that is connected, or will be connected, to SW1's port F0/21 must be authenticated before it is allowed access to the network. This authentication should use the RADIUS server located at 192.168.10.50, with "Cisco" as the key.
- Configure port F0/15 of SW1 as a static access port. Enable port-security on F0/15 and configure the static secure MAC address of New system. Configure the violation mode as protect. This MAC address will be bound to F0/15 on SW1.
Configuring SW1 for use of Radius Authentication
SW1#show dot1x
Sysauthcontrol =Disable
Dot1x Protocol Version =1
Dot1x Oper Controlled Directions =Both
Dot1x Admin Controlled Directions =Both
Note: By default, dot1x authentication is disabled. To enable the dot1x feature, use the command below:
SW1(config)#dot1x system-auth-control
SW1#show dot1x
Sysauthcontrol =Enable
Dot1x Protocol Version =1
Dot1x Oper Controlled Directions =Both
Dot1x Admin Controlled Directions =Both
SW1(config)#aaa new-model
SW1(config)#aaa authentication login default none
SW1(config)#aaa authentication dot1x default group radius
SW1(config)#radius-server host 192.168.10.50 key Cisco
SW1(config)#int fa 0/21
SW1(config-if)#dot1x port-control auto
Note: When you apply the above command, you will get an error as seen below:
Command rejected: Dynamic mode enabld on one or more ports.
Dot1x is supported only on Ethernet interfaces configured in Access,Routed or Private-Vlan Host Mode.
This error message is generated because the port is in dynamic mode, and dot1x is not supported on ports that are in dynamic mode; on some IOS releases the command is rejected outright. To fix this and satisfy the dot1x requirement, port F0/21 must be configured in access mode as follows:
SW1(config)#int fa 0/21
SW1(config-if)#switchport mode access
SW1(config-if)#dot1x port-control auto
Note: No error message is displayed now. The port authentication state is controlled with dot1x port-control, which takes one of the following values:
Force-Authorized – Bypasses the authentication state; all traffic is allowed.
Force-Unauthorized – The port remains in the unauthorized state regardless of the client's attempts to authenticate.
Auto – Enables 802.1x authentication on the port; the switch identifies the client by its MAC address.
Verification
SW1#show dot1x interface fastEthernet 0/21
Supplicant MAC
AuthSM State =N/A
Bendsm State =N/A
Portstatus =N/A
MaxReq =2
Hostmode =Single
Port Control =Auto
QuitePeriod =60 Second
Re-authentication =Disabled
ReAuthperiod =3600 Second
ServerTimeout =30 Second
SuppTimeout =30 Second
Txperiod =30 Second
Guest-Vlan =0
Configuring SW1 for Static MAC Port Security
SW1(config)#interface FastEthernet0/15
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security violation protect
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#switchport port-security mac-address 0021.7089.4cba
Verification
SW1#show port-security int fa0/15
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000
Security Violation Count : 0
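As an added example, not part of the lab itself: a small Python audit of an IOS-style running-config that checks the two lab requirements above. It flags dot1x port-control auto applied to a port that is not in access mode (the condition behind the "Command rejected" error seen earlier) and port-security interfaces that lack an explicit violation mode or a static secure MAC. The config text and the interface FastEthernet0/22 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample running-config: F0/15 and F0/21 mirror the lab's final
# configuration; F0/22 (made up here) repeats the mistake the lab ran into,
# dot1x applied to a port left in its default dynamic mode.
SAMPLE_CONFIG = """\
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address 0021.7089.4cba
!
interface FastEthernet0/21
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/22
 dot1x port-control auto
!
"""

STATIC_MAC = re.compile(
    r"switchport port-security mac-address [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces

def audit(config):
    """Return {interface: [findings]}; interfaces with no findings are omitted."""
    findings = defaultdict(list)
    for name, cmds in parse_interfaces(config).items():
        cmdset = set(cmds)
        # The lab requires access mode; dot1x is rejected on dynamic-mode ports.
        if "dot1x port-control auto" in cmdset and "switchport mode access" not in cmdset:
            findings[name].append("dot1x on non-access port")
        if "switchport port-security" in cmdset:
            if not any(c.startswith("switchport port-security violation ") for c in cmds):
                findings[name].append("port-security without explicit violation mode")
            if not any(STATIC_MAC.fullmatch(c) for c in cmds):
                findings[name].append("port-security without a static secure MAC")
    return dict(findings)
```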