General setup procedure for 802.1X access control
Do these steps before you configure 802.1X operation.
- Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, Hewlett Packard Enterprise recommends that you use a local username and password pair at least until your other security measures are in place.)
- Enable include-credentials. The port-access option is available only if include-credentials is enabled. See MAC authentication.

  For switches covered in this guide, the local operator password configured with the password command is not accepted as an 802.1X authenticator credential. The port-access command is used to configure the operator username and password that are used as 802.1X credentials for network access to the switch. 802.1X network access is not allowed unless a password has been configured using the password port-access command.

  password port-access [user-name <name>] <password>

  Configures the operator username and password used to access the network through 802.1X authentication.

  user-name <name>
    Operator username (text string) used only for local authentication of 802.1X clients. This value is different from the local operator username configured with the password command for management access.

  <password>
    Operator password (text string) used only for local authentication of 802.1X clients. This value is different from the local operator password configured with the password command for management access.

  The password port-access command

    switch(config)# password port-access user-name Jim secret3

  You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more information, see Saving security credentials in a config file.
- Determine the switch ports that you want to configure as authenticators and/or supplicants, and disable LACP on these ports.
  To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.

  Output for the show port-access config command

    switch (config)# show port-access config

     Port-access authenticator activated [No] : No
     Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

          Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl Mixed Speed
     Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir  Mode  VSA   MBV
     ---- ---------- ------------- -------- -------- -------- ---- ----- ----- ---
     C1   No         Yes           No       No       No       In   No    Yes   Yes
     C2   No         Yes           No       No       No       Both Yes   Yes   Yes
     C3   No         Yes           No       No       No       Both No    No    Yes
     C4   No         Yes           No       No       Yes      Both No    Yes   Yes
     ...
- Determine whether to use user-based access control (see 802.1X user-based access control) or port-based access control (see 802.1X port-based access control).
- Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode.
- For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)
- Unless you are using only the switch's local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication: one primary and two backups. See the documentation provided with your RADIUS application.
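As an added example, not part of the HPE documentation, the following Python script parses the show port-access config output shown above and lists the ports configured as 802.1X authenticators or supplicants, which are the ports on which LACP must be disabled before enabling 802.1X. The sample output is constructed from the table above; rows C5 and C6 are assumed.

```python
import re

# Constructed sample (not captured from a real switch); rows C5 and C6 are assumed.
SAMPLE_OUTPUT = """\
switch (config)# show port-access config

 Port-access authenticator activated [No] : No
 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

      Supplicant Authenticator Web-Auth Mac-Auth LMA-Auth Ctrl Mixed Speed
 Port Enabled    Enabled       Enabled  Enabled  Enabled  Dir  Mode  VSA   MBV
 ---- ---------- ------------- -------- -------- -------- ---- ----- ----- ---
 C1   No         Yes           No       No       No       In   No    Yes   Yes
 C2   No         Yes           No       No       No       Both Yes   Yes   Yes
 C3   No         Yes           No       No       No       Both No    No    Yes
 C4   No         Yes           No       No       Yes      Both No    Yes   Yes
 C5   Yes        No            No       No       No       In   No    No    No
 C6   No         No            No       No       No       In   No    No    No
"""

COLUMNS = ("port", "supplicant", "authenticator", "web_auth", "mac_auth",  # table
           "lma_auth", "ctrl_dir", "mixed_mode", "speed_vsa", "mbv")       # columns

def parse_port_access_config(text):
    """Return one dict per port row; header and summary lines are skipped."""
    rows, in_table = [], False
    for line in text.splitlines():
        if re.match(r"\s*-{3,}\s+-{3,}", line):  # dashed rule ends the header
            in_table = True
            continue
        fields = line.split()
        if in_table and len(fields) == len(COLUMNS):  # skips blanks and '...'
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def authenticator_activated(text):
    """Global 'Port-access authenticator activated' flag from the summary lines."""
    m = re.search(r"authenticator activated \[\w+\]\s*:\s*(\w+)", text)
    return bool(m) and m.group(1).lower() == "yes"

def ports_requiring_no_lacp(rows):
    """Ports acting as 802.1X authenticator or supplicant: LACP must be off."""
    return [r["port"] for r in rows
            if r["authenticator"] == "Yes" or r["supplicant"] == "Yes"]

if __name__ == "__main__":
    rows = parse_port_access_config(SAMPLE_OUTPUT)
    print("authenticator activated:", authenticator_activated(SAMPLE_OUTPUT))
    print("disable LACP on:", ", ".join(ports_requiring_no_lacp(rows)))
```

Feed it the captured output of show port-access config instead of SAMPLE_OUTPUT to get the list of ports to check before enabling 802.1X.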