

Initially, two VLANs will be configured on the switch to support IEEE 802.1x: a healthy VLAN and a quarantine VLAN.


CISCO Catalyst 3560 series switch

To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.

• Enable 802.1x. (The VLAN assignment feature is automatically enabled when you configure 802.1x on an access port.)

• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

– [64] Tunnel-Type = VLAN

– [65] Tunnel-Medium-Type = 802

– [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.
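As an added example (not part of these notes and not Cisco's code), the Python below encodes the three tunnel attributes listed above as raw RADIUS Type/Length/Value octets and checks an Access-Accept attribute blob for exactly the values the switch expects, including the 1 to 4094 range for a numeric VLAN ID. The attribute numbers and values come from the list above; the framing and tag-octet handling follow RFC 2868; the VLAN IDs and names used in the comments and test are constructed.

```python
import struct

# RFC 2868 tunnel attributes the switch expects in the Access-Accept
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")   # [64] Tunnel-Type = VLAN (13)
TUNNEL_MEDIUM_802 = (6).to_bytes(3, "big")   # [65] Tunnel-Medium-Type = 802 (6)


def encode_vlan_attrs(vlan, tag=0):
    """Build raw Type/Length/Value attributes assigning a VLAN ID (int) or name (str)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    avps = [(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii"))]
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)


def parse_avps(data):
    """Split an attribute blob into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[i], data[i + 2:i + length]))
        i += length
    return out


def vlan_from_access_accept(data):
    """Return the VLAN ID (int) or name (str) that attributes 64/65/81 assign,
    or None when they are missing, inconsistent, or name an out-of-range ID."""
    groups = {}
    for t, v in parse_avps(data):
        if t not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not v:
            continue
        # RFC 2868: in the string attribute 81 a first octet above 0x1F is data, not a tag
        tag, body = (0, v) if t == TUNNEL_PRIVATE_GROUP_ID and v[0] > 0x1F else (v[0], v[1:])
        groups.setdefault(tag, {})[t] = body
    for attrs in groups.values():   # attributes sharing one tag form one assignment
        if (attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
                or attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
            continue
        group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if group.isdigit():
            return int(group) if 1 <= int(group) <= 4094 else None
        return group or None
    return None
```

Feeding the decoded attribute section of a captured Access-Accept to vlan_from_access_accept shows whether the RADIUS policy actually returns a usable healthy or quarantine VLAN, or whether a missing or mismatched attribute will leave the port without the intended assignment.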

 

Configuring 802.1x Authentication

configure terminal
aaa new-model
aaa authentication dot1x {default} method1
dot1x system-auth-control
aaa authorization network {default} group radius
! Specify the port connected to the client that is to be enabled for 802.1x
! authentication, and enter interface configuration mode.
interface interface-id
dot1x port-control auto
end
show dot1x
copy running-config startup-config

Configuring the Switch-to-RADIUS-Server Communication

configure terminal
radius-server host {hostname | ip-address} auth-port port-number key string
end
show running-config
copy running-config startup-config

Configuring a Guest VLAN
When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAPOL request/identity frame. Clients that are 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode.

configure terminal
interface interface-id
! Specify an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094.
dot1x guest-vlan vlan-id
end
show dot1x interface interface-id
copy running-config startup-config

This example shows how to enable VLAN 2 as an 802.1x guest VLAN:

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# dot1x guest-vlan 2

Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.

Step 1: configure terminal

Step 2: interface interface-id

Step 3: switchport mode access

Step 4: dot1x port-control auto

Step 5: dot1x auth-fail vlan vlan-id

Step 6: end

Step 7: copy running-config startup-config

MICROSOFT NAP 802.1x