Configuring 802.1X


Follow the steps below to configure 802.1X:

1.  Prerequisites:

  • Configure the 802.1X RADIUS authentication server IP and shared key on the PICA8 switch.
  • Configure the username and password on the 802.1X RADIUS authentication server.
  • (Optional) Configure parameters of other features.

2.   Enable 802.1X authentication or MAB authentication on the switch.

3.   (Optional) Configure parameters of other features on the switch:

  • CoA
  • Re-authentication
  • Guest VLAN
  • Dynamic VLAN

Procedure

Step1         Configure VLAN.

   a)      Configure VLAN ID.

   set vlans vlan-id <vlan-id>

   b)     Assign the interface to the VLAN.

   set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>

Step2         Configure the IP address of the RADIUS authentication server and the shared key.

   set protocols dot1x aaa radius authentication server-ip <ip-address> [shared-key <key-string>]

Step3         Configure the authentication mode. The default is dot1x.

   set protocols dot1x interface <interface-name> auth-mode <dot1x | mac-radius | dot1x-mac-radius>

Step4         Configure port control. The default is auto.

   set protocols dot1x interface <interface-name> port-control <auto | force-authorized | force-unauthorized>

Step5         Enable the re-authentication function and configure the re-authentication period.

   set protocols dot1x interface <interface-name> reauthentication disable <true | false>

   set protocols dot1x interface <interface-name> reauth-period <reauth-period>

Step6         Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages.

   a)      Configure the IP address of RADIUS dynamic authorization client.

   set protocols dot1x aaa radius dynamic-author client <client-ip>

   b)     Configure the shared key of the RADIUS dynamic authorization client.

   set protocols dot1x aaa radius dynamic-author client <client-ip> shared-key <key-string>

Step7         Configure a guest VLAN on an interface.

   set protocols dot1x interface <interface-name> guest-vlan <vlan-id>

Step8         Enable the dynamic VLAN function.

   set protocols dot1x interface <interface-name> dynamic-vlan-enable <true | false>
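
Several options in the procedure above weaken port access control if chosen carelessly. The following audit of a list of set commands is an added example, not Pica8 code. The finding names and the MIN_KEY_LEN threshold are assumptions, and the sample input is constructed from this page's example commands plus extra lines.

```python
# Added example (not Pica8 code): audit dot1x "set" lines for weak settings.
MIN_KEY_LEN = 16  # assumption: local policy threshold, not a PICOS limit

# Constructed sample: the page's example commands plus constructed lines for
# ge-1/1/2 and a CoA client at 10.10.51.5 so that every check fires once.
SAMPLE_CONFIG = """\
set vlans vlan-id 100
set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8
set protocols dot1x interface ge-1/1/1 auth-mode dot1x-mac-radius
set protocols dot1x interface ge-1/1/2 port-control force-authorized
set protocols dot1x interface ge-1/1/2 reauthentication disable true
set protocols dot1x aaa radius dynamic-author client 10.10.51.5
"""


def audit_dot1x(config):
    """Return (subject, finding) pairs for settings that weaken 802.1X."""
    findings, coa_keyed = [], {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "protocols", "dot1x"] or len(tok) < 6:
            continue
        rest = tok[3:]
        key = rest[rest.index("shared-key") + 1] if "shared-key" in rest[:-1] else None
        if rest[:4] == ["aaa", "radius", "authentication", "server-ip"] and len(rest) > 4:
            # A missing key and a short key are reported under the same name.
            if key is None or len(key) < MIN_KEY_LEN:
                findings.append((rest[4], "weak-radius-key"))
        elif rest[:4] == ["aaa", "radius", "dynamic-author", "client"] and len(rest) > 4:
            # The key may be set on a separate line (Step6 b), so decide at the end.
            coa_keyed[rest[4]] = coa_keyed.get(rest[4], False) or key is not None
        elif rest[0] == "interface":
            port, opts = rest[1], rest[2:]
            if opts == ["port-control", "force-authorized"]:
                findings.append((port, "force-authorized"))  # port skips authentication
            elif opts == ["reauthentication", "disable", "true"]:
                findings.append((port, "reauth-disabled"))
            elif opts[0] == "auth-mode" and "mac-radius" in opts[-1]:
                findings.append((port, "mab-enabled"))  # identity is only a MAC address
    findings += [(ip, "coa-no-key") for ip, ok in coa_keyed.items() if not ok]
    return findings


if __name__ == "__main__":
    for subject, finding in audit_dot1x(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

A mab-enabled finding is expected on ports that serve printers and similar devices; it marks where access rests on a MAC address alone so that the RADIUS policy for those devices can be kept narrow.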

Configuration Example

Networking Requirements

As shown in Figure 1, a large number of user terminals in a company access the Internet through ge-1/1/1 of the PICA8 Switch (the access device). To secure network access, the administrator uses 802.1X authentication on the Switch together with a RADIUS server to control the network access rights of the user terminals. The Switch allows a user terminal to access resources on the Internet only after it has authenticated successfully.

Configuration on the RADIUS Server

  •   Configure the username and password on the RADIUS authentication server.
  •   Configure the shared key.
  •   Configure other RADIUS attributes for 802.1X authentication.

Configuration on the Switch

  •   Configure the 802.1X authentication server IP and shared key on the Switch.
  •   Enable both 802.1X and MAB authentication on the Switch, to perform MAB authentication on terminals (such as printers) that cannot install the 802.1X client software.

Figure 1. Networking Diagram for Configuring 802.1X Authentication


Procedure

Step1         Configure a VLAN.

admin@XorPlus# set vlans vlan-id 100
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100

Step2         Configure the IP address of the RADIUS server and the shared key.

admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8

Step3         Configure the authentication mode to dot1x-mac-radius to enable both 802.1X and MAB authentication.

admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode dot1x-mac-radius

Step4         Commit the configuration.

admin@XorPlus# commit

Step5         Verify the configuration.

   a)      Run the run show dot1x interface and run show dot1x mab commands to check the 802.1X and MAB authentication configuration. The output of the first command (PortEnabled = true) shows that 802.1X authentication is enabled on interface ge-1/1/1. The output of the second command shows that MAC address ae:11:01:39:1a:00 is successfully authenticated.

admin@XorPlus# run show dot1x interface gigabit-ethernet ge-1/1/1
Dot1x Info for ge-1/1/1
------------------------------
PortEnabled = true
PortControl = AUTO
QuietPeriod = 60
ServerTimeout = 30
ReAuthentication = true
ReAuthPeriod = 3600
Dot1x Authenticator Client
--------------------------
Supplicant = 08:9e:01:39:1a:fe
Port Status = AUTHORIZED
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
 

admin@XorPlus# run show dot1x mab interface gigabit-ethernet ge-1/1/1
Interface       Mac                AUTHENTICATED
--------------  -----------------  ------
ge-1/1/1        ae:11:01:39:1a:00  true

  b)     The user starts the 802.1X client software on the terminal, enters the username and password, and starts authentication.

  c)      If the username and password are correct, an authentication success message is displayed, and the user can then access the network through this port.
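
The verification in Step5 can be scripted so that drift on an access port is noticed after later changes. The following parser for the two show outputs is an added example, not Pica8 code. The BASELINE values and function names are assumptions, and the sample text is the output from this page, abridged.

```python
import re

# Output from Step5 on this page (interface ge-1/1/1), abridged.
DOT1X_OUTPUT = """\
Dot1x Info for ge-1/1/1
------------------------------
PortEnabled = true
PortControl = AUTO
ReAuthentication = true
ReAuthPeriod = 3600
Dot1x Authenticator Client
--------------------------
Supplicant = 08:9e:01:39:1a:fe
Port Status = AUTHORIZED
Auth SM State = AUTHENTICATED
"""
MAB_OUTPUT = """\
Interface       Mac                AUTHENTICATED
--------------  -----------------  ------
ge-1/1/1        ae:11:01:39:1a:00  true
"""

# Assumption: the baseline an operator expects on an enforcing access port.
BASELINE = {"PortEnabled": "true", "PortControl": "AUTO", "ReAuthentication": "true"}
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def parse_dot1x(text):
    """Turn the 'Key = value' lines into a dict; headers and rules are skipped."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_mab(text):
    """Return {mac: authenticated} from the three-column MAB table."""
    rows = (line.split() for line in text.splitlines())
    return {r[1].lower(): r[2] == "true" for r in rows if len(r) == 3 and MAC.fullmatch(r[1])}

def port_deviations(dot1x_text):
    """List the baseline fields whose reported value differs from BASELINE."""
    info = parse_dot1x(dot1x_text)
    return sorted(k for k in BASELINE if info.get(k) != BASELINE[k])

def admitted_macs(dot1x_text, mab_text):
    """MACs the two outputs report as admitted, for comparison with an inventory."""
    info = parse_dot1x(dot1x_text)
    macs = {m for m, ok in parse_mab(mab_text).items() if ok}
    if info.get("Port Status") == "AUTHORIZED" and "Supplicant" in info:
        macs.add(info["Supplicant"].lower())
    return sorted(macs)
```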

Copyright © 2025 Pica8 Inc. All Rights Reserved.