As shown in Figure 1, a large number of user terminals in a company access the Internet through ge-1/1/1 of the PICA8 Switch (as the access device). To ensure network access security, the administrator employs 802.1X authentication on the Switch and AAA server, to control the network access rights of the user terminals. The Switch allows the user terminals to access resources on the Internet only when the authentication is successfully passed.
Ensure that PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.
Configuration on the AAA Server
- Configure the Eth0 IP address of the switch to establish a connection to the switch.
- Configure the username and password on the AAA server.
- Configure the shared key.
- Configure other RADIUS attributes for 802.1X authentication.
Configuration on the Switch
- Use Eth0 management port connects to the AAA server.
- Configure the 802.1X authentication server IP and shared key on the Switch.
- Enable 802.1X authentication on the Switch.
- Configure the host mode to multiple on interface ge-1/1/1.
Figure 1. Networking Diagram for Configuring 802.1X Authentication
Step1 Configure the access port to trunk mode and enable 802.1X authentication mode.
Step2 Configure IP address of AAA server and the shared key.
Step3 Configure the NAS IP address to the L3 VLAN interface IP which is connected to the RADIUS server.
This command is used to set the nas-ip field in RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the RADIUS server, the IP address of the management interface eth0/eth1 should be used for the NAS IP address configured here.
Step4 Configure the host mode for NAC authentication interface.
Step5 Commit the configuration.
Step6 Verify the configuration.
a) Run the run show dot1x interface to check the 802.1X authentication configurations. The command output (802.1x = enable) shows that the 802.1X authentication has been enabled on the interface ge-1/1/1 and MAC address ae:11:01:39:1a:00 is successfully authenticated.
b) The user starts the 802.1X client software on the terminal, enters the username and password, and starts authentication.
c) If the user name and password are correct, there will be an authentication success message displayed. Then users can access the network through this port.