General setup procedure for 802.1X access control

Do these steps before you configure 802.1X operation:

  1. Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, Hewlett Packard Enterprise recommends that you use a local username and password pair at least until your other security measures are in place.)
    password <operator|manager|all> [user-name <name>] <password>

    Configures the operator username and password used to access the network through 802.1X authentication.

  2. Determine which ports on the switch you want to operate as authenticators and/or supplicants, and disable LACP on these ports.

    To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.

    Output for the show port-access config command
    switch(config)# show port-access config
    Port Access Status Summary
     Port-access authenticator activated [No] : Yes
     Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
          Supplicant Authenticator Web Auth Mac Auth
     Port Enabled    Enabled       Enabled  Enabled
     ---- ---------- ------------- -------- --------
     1    Yes        No            No       No
     2    No         No            No       Yes
     3    No         Yes           No       No
     4    No         No            No       No
     5    No         No            No       No
  3. Determine whether to use client-based access control or port-based access control.
  4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) See 802.1X Open VLAN mode.
  5. For any port you want to operate as a supplicant, determine the user credentials. You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)
  6. Unless you are using only the switch’s local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication; one primary and two backups. See the documentation provided with your RADIUS application.