Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Configuring 802.1X on SG300 Series Switches

Objective

802.1X is an IEEE standard that implements port-based authentication. If a port uses 802.1X, then any client that uses that port (referred to as the supplicant) must present correct credentials before being granted access to the network. A device that implements 802.1X (referred to as the authenticator) must be able to communicate with a RADIUS (Remote Authentication Dial-In User Service) server that is elsewhere on the network. This server contains a list of valid users that are allowed access to the network; any credentials sent by the authenticator (given to it by the supplicant) must match the ones held by the RADIUS server. If so, the server tells the authenticator to grant access to the user; otherwise, the authenticator will deny access.

The 802.1X standard is a good security measure in preventing unwanted users from gaining access to the network by plugging in to a physical port. Please note that in order for 802.1X to work, a RADIUS server must already be configured elsewhere on the network, and the authenticator must be able to communicate with it.

The objective of this document is to show you how to set up 802.1X on the SG300 Series Switches.

Applicable Devices

• SG300 Series Switches

Software Version

• v1.4.1.3

Setting Up 802.1X Authentication

Adding a RADIUS Server

Step 1. Log in to the web configuration utility and choose Security > RADIUS. The RADIUS page opens.

Step 2. In the RADIUS Accounting field, choose a radio button to select what type of accounting information the RADIUS server will be given. A RADIUS server can be given accounting information that keeps track of a user’s session time, what resources they use, and other things. The option selected here will not impact the performance of 802.1X.

The options are:

• Port Based Access Control – This option sends accounting information about port-based authenticated sessions to the RADIUS server.

• Management Access – This option sends accounting information about the switch’s management sessions to the RADIUS server.

• Both Port Based Access Control and Management Access – This option sends both types of accounting information to the RADIUS server.

• None – Do not send accounting information to the RADIUS server.

Step 3. In the Use Default Parameters area, configure the settings that will be used by default unless an added RADIUS server is configured with its own specific settings; each individual server entry you add to the switch can use either the defaults or separate unique settings. For this article, we will use the default settings defined in this section.

Configure the following settings:

• Retries – Enter the number of times the switch will try to contact a RADIUS server before moving to the next server. The default is 3.

• Timeout for Reply – Enter the number of seconds the switch will wait for a reply from the RADIUS server before taking further action (trying again or giving up). The default is 3.

• Dead Time – Enter the number of minutes that elapse before a non-responsive RADIUS server is passed over for service requests. The default is 0; this value means that the server is not bypassed.

• Key String – Enter the secret key used for authenticating between the switch and the RADIUS server. If you have an encrypted key, enter it with the Encrypted radio button; otherwise, enter the plaintext key with the Plaintext radio button.

• Source IPv4/IPv6 Interface – Use these drop-down lists to choose which IPv4/IPv6 source interface will be used when communicating with the RADIUS server. The default is Auto, which will use the default source IP address defined on the outgoing interface.

Step 4. Click Apply. The default settings will be applied.

Step 5. The RADIUS Table will show the RADIUS server entries currently configured on the switch. To add a new entry, click the Add… button. The Add RADIUS Server window will open.

Step 6. In the Server Definition field, choose whether to contact the RADIUS server By IP address or By name (hostname). If you selected By IP address, select to use either IPv6 (Version 6) or IPv4 (Version 4). If you selected Version 6, use the IPv6 Address Type and Link Local Interface to specify the IPv6 address that will be used.

Step 7. In the Server IP Address/Name field, enter the IP address or the hostname of the RADIUS server.

Step 8. In the Priority field, enter the priority that you want to assign to this server; the switch will attempt to contact the server with the highest priority and continue down the list until it encounters a responsive server. The range is 0 – 65535, with 0 being the highest priority.

Step 9. Select the Use Default radio button in the Key String, Timeout for Reply, Retries, and Dead Time fields to use the settings previously configured in the RADIUS page. You can also select the User Defined radio buttons to configure settings that are different from the defaults; if you do this, these settings will only be used for this specific RADIUS server.

Step 10. In the Authentication Port field, specify the port that will be used for authentication communication with the RADIUS server. It is recommended that this be left on the default port, 1812.

Step 11. In the Accounting Port field, specify the port that will be used for accounting communication with the RADIUS server. It is recommended that this be left on the default port, 1813.

Step 12. In the Usage Type field, select what the RADIUS server will be used for. When configuring 802.1X, select either the 802.1x or All radio buttons to use the RADIUS server for 802.1X port authentication.

Step 13. Click Apply. The server will be added to the RADIUS Table. To enable port-based 802.1X authentication, please continue to the next section.

Enabling Port-Based Authentication

Step 1. In the web configuration utility, go to Security > 802.1X/MAC/Web Authentication > Properties. The Properties page opens.

Step 2. In the Port-Based Authentication field, check the Enable checkbox to enable port-based authentication. This is enabled by default.

Step 3. In the Authentication Method field, choose a radio button to determine how port-based authentication will work.

The options are:

• RADIUS, None – The switch will attempt to contact the RADIUS server(s) defined on the RADIUS page. If no response is received from the server(s), then no authentication is performed and the session is permitted. If the server is responsive, and the credentials are incorrect, then the session is denied.

• RADIUS – The switch will attempt to contact the RADIUS server(s) defined on the RADIUS page. If no response is received from the server(s), the session is denied. For the most secure 802.1X implementation, this option is recommended.

• None – No authentication is performed. All sessions will be permitted. This option will not implement 802.1X.

Step 4. Click Apply.

Step 5. Navigate to Security > 802.1X/MAC/Web Authentication > Port Authentication. The Port Authentication page opens.

Step 6. Select the port that you want to configure by selecting its radio button in the Port Authentication Table and clicking the Edit… button. The Edit Port Authentication window opens.

Step 7. In the Administrative Port Control field, choose a radio button to determine how the port will authorize sessions. The Current Port Control field displays the current authorization state of the selected port.

The options are:

• Force Unauthorized – Moves the interface into an unauthorized state. The device does not provide authentication to any clients connected to this port, and denies access.

• Auto – Enables port-based authentication for the selected port. Moves the interface between authorized and unauthorized depending on the outcome of the authentication procedure. Choose this option to implement 802.1X.

• Force Authorized – Moves the interface into an authorized state. The device will provide access to any client that connects to this port without authentication.

Step 8. Check the Enable checkbox in the 802.1X Based Authentication field to enable 802.1X authentication for the selected port.

Step 9. Click Apply. The port should now be fully configured for 802.1X port-based authentication, and is ready to start authenticating any clients that connect to it. Use the Interface field to select a different port to configure without going back to the Port Authentication page.

Step 10. If you want to quickly copy a port’s settings to another port or range of ports, click the radio button of the port you want to copy in the Port Authentication Table and click the Copy Settings… button. The Copy Settings window opens.

Step 11. In the text field, enter the port or ports (separated by commas) you want to copy the settings to. You can also specify a range of ports. Then, click Apply to copy the settings.

Version history
Revision #:
1 of 1
Last update:
‎08-16-2016 01:10 PM