Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication
This example shows how to configure a switch as a supplicant:
Switch# configure terminal
Switch(config)# cisp enable
Switch(config)# dot1x credentials test
Switch(config)# username suppswitch
Switch(config)# password myswitch
Switch(config)# dot1x supplicant force-multicast
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# dot1x pae supplicant
Switch(config-if)# dot1x credentials test
Switch(config-if)# end
The following macro is applied to the authenticator switch port after the supplicant switch is
deauthenticated due to a link-down or a reauthenticating event:
no switchport nonegotiate
switchport mode access
no switchport trunk native vlan $AVID
no spanning-tree portfast trunk
switchport access vlan $AVID
spanning-tree bpduguard enable
spanning-tree portfast
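
An added example, not part of the Cisco guide: a Python check that reads show running-config interface output for an authenticator port and reports whether the port is in the access state the macro above produces. The sample outputs, the interface name and VLAN 20 are constructed, and the trunk-state lines are assumed to be the counterparts of the macro's "no" commands.

```python
import re

# Lines the deauthentication macro above leaves on the port ($AVID = access VLAN).
EXPECT_PRESENT = [
    r"switchport mode access",
    r"switchport access vlan \d+",
    r"spanning-tree bpduguard enable",
    r"spanning-tree portfast",
]
# Trunk-state lines the macro removes or replaces (assumed counterparts of its
# "no ..." commands); any of these on a deauthenticated port is a finding.
EXPECT_ABSENT = [
    r"switchport mode trunk",
    r"switchport nonegotiate",
    r"switchport trunk native vlan \d+",
    r"spanning-tree portfast trunk",
]

def audit_port(show_run_text):
    """Classify one 'show running-config interface' block and list deviations."""
    lines = [l.strip() for l in show_run_text.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    missing = [p for p in EXPECT_PRESENT if not has(p)]
    leftover = [p for p in EXPECT_ABSENT if has(p)]
    if not missing and not leftover:
        state = "access-hardened"   # macro fully applied
    elif has(r"switchport mode trunk"):
        state = "trunk"             # expected only while a supplicant switch is authenticated
    else:
        state = "inconsistent"      # partial macro application; review manually
    return state, missing, leftover

# Constructed sample outputs (not captured from a real device).
DEAUTH = """interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
"""
TRUNK = """interface GigabitEthernet1/0/1
 switchport trunk native vlan 20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
"""
NO_GUARD = DEAUTH.replace(" spanning-tree bpduguard enable\n", "")

if __name__ == "__main__":
    for name, text in [("deauth", DEAUTH), ("trunk", TRUNK), ("no-guard", NO_GUARD)]:
        print(name, audit_port(text))
```

A port that reports "trunk" or "inconsistent" while no supplicant switch is authenticated on it should be investigated, since it is not in the state the macro is meant to restore.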
Configuring NEAT with ASP
You can also use an Auto Smartports user-defined macro rather than a switch VSA to configure the
authenticator switch. For more information, see Chapter 13, “Configuring Auto Smartports Macros.”
Configuration Guidelines
• If BPDU Guard was enabled prior to supplicant switch authentication, it is re-enabled after the
supplicant switch unauthenticates.
• You can configure NEAT ports and non-NEAT ports with the same configuration. When the
supplicant switch authenticates, the port mode is changed from access to trunk based on the switch
vendor-specific attributes (device-traffic-class=switch).
• To enable NEAT, you must set the vendor-specific attribute (VSA) to switch.
Configuring the trunk with an 802.1X configuration and enabling CISP globally will not enable
NEAT.
• VSA device-traffic-class=switch assists the authenticator switch in identifying the supplicant as a
switch-device. This identification changes the authenticator switch port mode from access to trunk
and enables 802.1X trunk encapsulation. The access VLAN, if any, is converted to a native trunk
VLAN. VSA does not change any of the port configurations on the supplicant.
| | Command | Purpose |
|---|---|---|
| Step 13 | Switch# show running-config interface interface | Verifies your configuration. Note: This is the only command that tells you that the smart macro has been applied after the supplicant switch has been authenticated. |
| Step 14 | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file. |