802.1x Configuration
Port-based authentication can be handled by one or more external Remote Authentication Dial-In User Service (RADIUS) servers. Although many Cisco switch platforms allow other authentication methods to be configured, only RADIUS is supported for 802.1x. The actual RADIUS authentication method must be configured first, followed by 802.1x, as shown in the following steps:
Step 1. Enable AAA on the switch. By default, AAA is disabled. You can enable AAA for port-based authentication by using the following global configuration command:
Switch(config)# aaa new-model
The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized. The new model is much more scalable than the “old model,” in which the authentication source was explicitly configured.
Step 2. Define external RADIUS servers. First, define each server along with its shared secret. This string is known only to the switch and the server; it is used to authenticate the RADIUS messages exchanged between them and to hide the user password attribute in transit. It does not encrypt the rest of the RADIUS exchange, so the path between switch and server should be a trusted one (for example, a management VLAN). Use the following global configuration command:
Switch(config)# radius-server host {hostname | ip-address} [key string]
This command can be repeated to define additional RADIUS servers.
Step 3. Define the authentication method for 802.1x. Using the following command causes all RADIUS authentication servers that are defined on the switch to be used for 802.1x authentication:
Switch(config)# aaa authentication dot1x default group radius
Step 4. Enable 802.1x on the switch:
Switch(config)# dot1x system-auth-control
Step 5. Configure each switch port that will use 802.1x:
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Here, the 802.1x state is one of the following:
force-authorized—The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized—The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto—The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if the exchange succeeds. This requires an 802.1x supplicant (an 802.1x-capable client application) on the connected PC.
Tip: After 802.1x is globally enabled on a switch, all switch ports default to the force-authorized state. This means that any PC connected to a switch port can immediately start accessing the network without authenticating. You should explicitly configure each access port to use the auto state so that connected PCs are forced to authenticate through the 802.1x exchange; a port that shows no dot1x port-control line in the running configuration is still in the force-authorized state.
Step 6. Allow multiple hosts on a switch port. Port-based authentication is tailored to controlling access to a single host PC that is connected to a switch port. However, 802.1x also supports cases in which multiple hosts are attached to a single switch port through an Ethernet hub or another access-layer switch. If the switch should expect to find multiple hosts present on the switch port, use the following interface configuration command:
Switch(config-if)# dot1x host-mode multi-host
Note that in multi-host mode only the first host to connect is authenticated; once it succeeds, every other host behind the hub or downstream switch is allowed through the port as well. Use this mode only where that level of trust is acceptable.
Tip: You can use the show dot1x all command to verify the 802.1x operation on each switch port that is configured to use port-based authentication.
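The following script is an added example, not part of the original text or of Cisco's own tooling. It embeds a constructed running-config that carries all six steps above (the hostname, RADIUS server addresses, shared secret and interface numbers are assumptions) and audits it for the pitfall described in the earlier Tip: access ports that were never set to auto and therefore remain in the default force-authorized state, as well as any ports relying on multi-host mode. It also checks that each global command from Steps 1 through 4 is present.

```python
import re

# Constructed sample running-config for the walkthrough.  The hostname, the
# RADIUS server addresses, the shared secret and the interface numbers are all
# assumptions, not values taken from a real switch.
SAMPLE_CONFIG = """\
hostname Switch
!
aaa new-model
aaa authentication dot1x default group radius
!
radius-server host 10.1.1.10 key Rad1usS3cret
radius-server host 10.1.1.11 key Rad1usS3cret
!
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/24
 switchport mode trunk
!
end
"""

# Global commands from Steps 1 through 4 that must appear exactly once or more.
REQUIRED_GLOBAL = [
    ("aaa new-model", re.compile(r"^aaa new-model$")),
    ("aaa authentication dot1x", re.compile(r"^aaa authentication dot1x default group radius$")),
    ("radius-server host", re.compile(r"^radius-server host \S+")),
    ("dot1x system-auth-control", re.compile(r"^dot1x system-auth-control$")),
]


def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]} from IOS config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def missing_global_commands(config):
    """Labels of required global commands that are absent from the config."""
    lines = [line.strip() for line in config.splitlines()]
    return [label for label, pattern in REQUIRED_GLOBAL
            if not any(pattern.match(line) for line in lines)]


def port_control_state(sub_commands):
    """Effective dot1x port-control state of one interface.

    When no dot1x port-control line is present the IOS default applies, which
    is force-authorized: the port passes traffic without any authentication.
    """
    for cmd in sub_commands:
        m = re.match(r"dot1x port-control (auto|force-authorized|force-unauthorized)$", cmd)
        if m:
            return m.group(1)
    return "force-authorized"


def audit(config):
    """Audit a running-config for 802.1x coverage on access ports."""
    open_access_ports = []   # access ports that let any host in without 802.1x
    multi_host_ports = []    # access ports where one success authorizes every host
    for name, cmds in parse_interfaces(config).items():
        # Trunk ports are treated as uplinks and left out of scope (assumption).
        if "switchport mode access" not in cmds:
            continue
        if port_control_state(cmds) == "force-authorized":
            open_access_ports.append(name)
        if "dot1x host-mode multi-host" in cmds:
            multi_host_ports.append(name)
    return {
        "missing_global": missing_global_commands(config),
        "open_access_ports": open_access_ports,
        "multi_host_ports": multi_host_ports,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the embedded config, the audit reports no missing global commands, flags GigabitEthernet0/3 (no port-control line, so it silently defaults to force-authorized) together with the explicitly force-authorized GigabitEthernet0/4, and lists GigabitEthernet0/2 as a multi-host port to review. Feeding it the output of show running-config from a real switch gives the same report for that switch.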