Administrator Guide

238 Authentication, Authorization, and Accounting
authenticated client is removed and the authentication process begins again
from the first method in the order. If 802.1X has a lower priority than the
authenticated method, then the client is not removed and the 802.1X frames
are ignored.
If the administrator changes the priority of the methods, then all the users
who are authenticated using a lower-priority method are forced to
reauthenticate.
If an authentication session is in progress when the administrator changes
the order of the authentication methods, the new configuration takes effect
from the next session onward.
Configuration Example—802.1X and MAB
In this scenario, the authentication manager selects the first authentication
method, 802.1X. If authentication using 802.1X is successful, then the client
is allowed network access. If authentication using 802.1X errors out, then
the authentication manager selects the next authentication method: MAB. If
authentication using MAB returns an error, then the port is unauthorized.
The authentication manager then starts a timer to re-authenticate the client.
When the timer expires, the authentication manager restarts authentication
by selecting the 802.1X method.
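The selection logic described above, modelled as an added Python example (not code from this guide or from the switch vendor). The method names `dot1x` and `mab`, the function names, and the sample outcomes are constructed for illustration; only the success and error outcomes stated in this guide are modelled, and `on_dot1x_frames` assumes the priority rule at the top of this page applies to 802.1X frames arriving from a client already authenticated by another method.

```python
from enum import Enum

class Result(Enum):
    SUCCESS = "success"
    ERROR = "error"          # the method "errors out", as in the scenario above

ORDER = ["dot1x", "mab"]     # authentication order used in this example

def run_session(order, outcomes):
    """Try each method in `order`; return (port_state, method_used, trace).

    `outcomes` maps method name -> Result for one client (constructed input).
    """
    trace = []
    for method in order:
        result = outcomes[method]
        trace.append((method, result.value))
        if result is Result.SUCCESS:
            return "authorized", method, trace
        # ERROR: fall through to the next method in the order
    return "unauthorized", None, trace

def reauth_cycles(order, outcomes_per_cycle):
    """One session per timer expiry; every session restarts at order[0]."""
    return [run_session(order, o)[:2] for o in outcomes_per_cycle]

def on_dot1x_frames(priority, authenticated_by):
    """Priority rule for 802.1X frames from an already-authenticated client.

    `priority` lists methods from highest to lowest priority (assumed layout).
    """
    if authenticated_by == "dot1x":
        raise ValueError("models clients authenticated by a non-802.1X method")
    if priority.index("dot1x") < priority.index(authenticated_by):
        return "remove-client-and-restart"   # begin again at first method
    return "ignore-frames"                   # client stays authenticated

if __name__ == "__main__":
    both_fail = {"dot1x": Result.ERROR, "mab": Result.ERROR}
    dot1x_ok = {"dot1x": Result.SUCCESS, "mab": Result.ERROR}
    print(run_session(ORDER, {"dot1x": Result.ERROR, "mab": Result.SUCCESS}))
    print(reauth_cycles(ORDER, [both_fail, dot1x_ok]))
    print(on_dot1x_frames(["dot1x", "mab"], "mab"))
    print(on_dot1x_frames(["mab", "dot1x"], "mab"))
```

Order and priority are separate lists here because the guide treats them as separately configurable: order decides which method is tried first, priority decides whether a later 802.1X attempt displaces an existing MAB session.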
1. Enter global configuration mode and define the RADIUS server.
console#configure
console(config)#radius-server host 10.10.10.10
console(Config-radius)#name BigRadius
console(Config-radius)#primary
console(Config-radius)#usage 802.1x
console(Config-radius)#exit
2. Define the RADIUS server key.
console(config)#radius-server key thatsyoursecret-keepit-keepit
3. Enable authentication and globally enable 802.1X client authentication via
RADIUS:
console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control
4. On the interface, enable MAC-based authentication mode, enable MAB,
and set the order of authentication to 802.1X followed by MAC
authentication. Also enable periodic re-authentication.