Users Guide

Authentication, Authorization, and Accounting
Configuration Example—MAB Client
This example shows how to configure a MAB client on interface Gi1/0/2 using
the IAS database for authentication.
1. Enter global configuration mode and create VLAN 3.
console#configure
console(config)#vlan 3
console(config-vlan3)#exit
2. Enable the authentication manager and globally enable 802.1x.
console(config)#authentication enable
console(config)#dot1x system-auth-control
3. Set IEEE 802.1x to use the local IAS user database.
console(config)#aaa authentication dot1x default ias
4. Configure the IAS database with the client MAC address as the user name
and password. The password MUST be entered in upper case or the
authentication will fail with an MD5 Validation Failure, as the MD5
password hashes would not match.
console(config)#aaa ias-user username F8B1562BA1D9
console(config-ias-user)#password F8B1562BA1D9
console(config-ias-user)#exit
5. Configure interface Gi1/0/2 to use VLAN 3 in access mode.
console(config)#interface Gi1/0/2
console(config-if-Gi1/0/2)#switchport mode access
console(config-if-Gi1/0/2)#switchport access vlan 3
6. On the interface, configure the port to use Single-Host authentication
mode and enable MAB. The authentication manager is configured to only
use MAB and the priority is set to MAB.
console(config-if-Gi1/0/2)#authentication host-mode single-host
console(config-if-Gi1/0/2)#mab
console(config-if-Gi1/0/2)#authentication order mab
console(config-if-Gi1/0/2)#authentication priority mab
console(config-if-Gi1/0/2)#exit
If an 802.1x-aware client may be connected to the port, it is advisable to
configure a re-authentication timer on the port using the authentication
timer reauthenticate command.
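Added example, not part of the original guide: a Python helper that converts MAC addresses from common notations into the upper-case, separator-free form step 4 requires and builds the matching IAS commands. The function names and sample inventory are constructed for illustration, and md5_response assumes the RFC 1994 CHAP-style MD5 calculation to show why a lower-case password cannot validate.

```python
import hashlib
import re

_HEX12 = re.compile(r"[0-9A-F]{12}")

def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 upper-case hex digits with no separators,
    the form used for the IAS user name and password in step 4."""
    mac = re.sub(r"[:.\-\s]", "", raw).upper()
    if not _HEX12.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def ias_user_commands(raw_macs):
    """Build the step 4 CLI lines once for each distinct MAC address."""
    lines = []
    for mac in sorted({normalize_mac(m) for m in raw_macs}):
        lines += [f"aaa ias-user username {mac}", f"password {mac}", "exit"]
    return lines

def md5_response(identifier: int, password: str, challenge: bytes) -> str:
    """CHAP-style MD5 response from RFC 1994: MD5(id || secret || challenge).
    Assumed here as the comparison behind the MD5 Validation Failure."""
    data = bytes([identifier]) + password.encode("ascii") + challenge
    return hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    # Constructed inventory: the page's MAC written in three common styles.
    inventory = ["f8:b1:56:2b:a1:d9", "F8-B1-56-2B-A1-D9", "f8b1.562b.a1d9"]
    print("\n".join(ias_user_commands(inventory)))
    challenge = bytes(range(16))  # constructed challenge value
    upper = md5_response(1, "F8B1562BA1D9", challenge)
    lower = md5_response(1, "f8b1562ba1d9", challenge)
    print("upper/lower responses match:", upper == lower)
```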
The following command shows the
802.1x configuration on the interface: