Microsoft IAS and Cisco switch 802.1x configuration HOWTO - 2. Switch Configuration
Written by dstubked   
Monday, 22 September 2008 23:27
Article Index
Microsoft IAS and Cisco switch 802.1x configuration HOWTO
1. Lab Setup and Topology
2. Switch Configuration
3. Microsoft IAS Configuration - Adding New RADIUS Client
4. Microsoft IAS Configuration - Adding New Remote Access Policy
5. Microsoft IAS Configuration - Dynamic VLAN assignment
6. Client Configuration

Global Configuration in Switch

In order for 802.1x to work on your network switches, each switch must carry the following global configuration:

#Defines a new AAA model in the switch

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common

#Turn on system auth control for dot1x

dot1x system-auth-control

#Radius parameters

radius-server cache expiry 1
radius-server host 192.168.10.60 auth-port 1812 acct-port 1813 key password
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication

In the above configuration we defined a new AAA model that uses the RADIUS protocol for 802.1x authentication and for network authorization. The "radius-server host" command tells the switch that the RADIUS server (our IAS) is reachable at IP 192.168.10.60, with UDP port 1812 as the authentication port and UDP port 1813 as the accounting port, and sets the shared secret to "password". The same secret must be entered in your RADIUS server configuration when you define the switch as a new client.

Now that the global configuration is done, we need to identify the switch ports that will use 802.1x port authentication. In our example we will use f0/3.

The configuration for f0/3 is as follows:

interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x max-reauth-req 1
 dot1x guest-vlan 20
 dot1x auth-fail vlan 50
 dot1x auth-fail max-attempts 1
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root

The commands above put interface FastEthernet0/3 into dot1x-enabled mode. An authenticated user is allowed into the trusted internal network, VLAN 1 (the port's access VLAN). A guest (a client that does not speak 802.1x) is placed into VLAN 20, while a user who has failed authentication is placed into VLAN 50 without any network access.
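As an added example (not part of this HOWTO), a small Python audit that reads a saved running-config and checks that the global and per-port 802.1x commands above are present on every access port; the sample config, the audit() and parse_interfaces() helpers and the default RADIUS address (the HOWTO's 192.168.10.60) are all constructed here.

```python
# Constructed sample: the HOWTO's global and f0/3 settings, plus an access
# port (f0/4) that was never set up for 802.1x.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.168.10.60 auth-port 1812 acct-port 1813 key password
interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 20
 dot1x auth-fail vlan 50
interface FastEthernet0/4
 switchport mode access
"""
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius", "dot1x system-auth-control")
REQUIRED_PORT = ("dot1x pae authenticator", "dot1x port-control auto",
                 "dot1x auth-fail vlan")   # prefix match: the VLAN id may differ
def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # any non-indented line closes the block
    return interfaces

def audit(config, radius_ip="192.168.10.60"):
    """Return findings; an empty list means the config matches the HOWTO."""
    findings = []
    top = [l.rstrip() for l in config.splitlines() if not l.startswith(" ")]
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append("global: missing '%s'" % cmd)
    if not any(l.startswith("radius-server host %s " % radius_ip) for l in top):
        findings.append("global: no radius-server host entry for %s" % radius_ip)
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue                # trunks and uplinks are not 802.1x ports
        for cmd in REQUIRED_PORT:
            if not any(c.startswith(cmd) for c in cmds):
                findings.append("%s: missing '%s'" % (name, cmd))
    return findings
```

Run it against a config saved with "show running-config" and fix any port it lists before trusting 802.1x on that switch.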

Last Updated ( Sunday, 05 October 2008 02:01 )