Support User Manuals

Cisco Systems 2960 Model Vehicle User Manual

Open as PDF

of 1004

10-67

Catalyst 2960 and 2960-S Switch Software Configuration Guide

OL-8603-09

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

This example shows how to configure a switch for a downloadable policy:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# aaa new-model

Switch(config)# aaa authorization network default group radius

Switch(config)# ip device tracking

Switch(config)# ip access-list extended default_acl

Switch(config-ext-nacl)# permit ip any any

Switch(config-ext-nacl)# exit

Switch(config)# radius-server vsa send authentication

Switch(config)# interface gigabitethernet2/0/1

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip access-group default_acl in

Switch(config-if)# exit

Step 3

interface interface-id Enter interface configuration mode.

Step 4

ip access-group acl-id in Configure the default ACL on the port in the input direction.

Note The acl-id is an access list name or number.

Step 5

exit Returns to global configuration mode.

Step 6

aaa new-model Enables AAA.

Step 7

aaa authorization network default

group radius

Sets the authorization method to local. To remove the authorization

method, use the no aaa authorization network default group radius

command.

Step 8

ip device tracking Enables the IP device tracking table.

To disable the IP device tracking table, use the no ip device tracking

global configuration commands.

Step 9

ip device tracking probe [count |

interval | use-svi]

(Optional) Configures the IP device tracking table:

• count count—Sets the number of times that the switch sends the ARP

probe. The range is from 1 to 5. The default is 3.

• interval interval—Sets the number of seconds that the switch waits

for a response before resending the ARP probe. The range is from 30

to 300 seconds. The default is 30 seconds.

• use-svi—Uses the switch virtual interface (SVI) IP address as source

of ARP probes.

Step 10

radius-server vsa send authentication Configures the network access server to recognize and use vendor-specific

attributes.

Note The downloadable ACL must be operational.

Step 11

end Returns to privileged EXEC mode.

Step 12

show ip device tracking all Displays information about the entries in the IP device tracking table.

Step 13

copy running-config startup-config (Optional) Saves your entries in the configuration file.

Command Purpose

previous next