Transcript Slide 1

Network Infrastructure Configuration for MAB Port Configuration
Interface fastethernet 0/1
description Trustsec:802.1X+MAB+MultiAuth
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast

switchport access vlan 10
The default VLAN identified here can be overridden by a profile.

ip access-group ACL-ALLOW in
This access list specifies what traffic is allowed on the port prior to a successful
802.1X authentication.

authentication event fail action next-method
This command identifies what should take place after an authentication failure.
It may be useful in circumstances where you want a host to fail over to
MAB if an 802.1X authentication has failed.

authentication event server dead action authorize vlan 10
If the RADIUS server is dead and cannot be contacted, the action in this
example is to authorize the port into VLAN 10.

authentication event server alive action reinitialize
When the RADIUS server becomes active and accessible again, reinitialize authentication
on the port.

authentication host-mode multi-auth
The options available for this command are multi-auth and single.
With multi-auth, as shown, a wireless access point or hub can be attached to the
switch port and multiple hosts can be individually authorized against the port.
In single mode only one of the attached clients must be authorized for all the
clients to be granted network access. If the original authorized client leaves the port,
then all those previously authorized clients will be logged off.
Can be used in conjunction with switchport security to limit access to configured
MAC addresses.
Multi-auth checks each session.

authentication open
Allows network traffic prior to a successful 802.1X authentication.
It is a good idea to use this command in conjunction with a restrictive ACL.

authentication order mab dot1x
The switch port will attempt MAB authentication before 802.1X. You may want
to revise this order if the bulk of endpoints are 802.1X; doing so will reduce
delays.

authentication priority dot1x mab
Although MAB may be configured first, if the endpoint is also capable of 802.1X,
then 802.1X authentication will take priority over MAB.
By default the priority changes when the order is changed.

authentication port-control auto
Options include:
Forced Un-authorized
Forced Authorized
Auto

dot1x pae authenticator
Enables 802.1X authentication on the interface, and sets the port personality to
authenticator.
pae = Port Access Entity
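
An added example, not part of the original slides: a small Python check that audits one interface stanza for the dependencies the slides describe (authentication open paired with an ingress ACL, the dead-server action paired with reinitialize, each ordered method actually enabled, and port-control set to auto). The function name audit_port, the finding labels and the sample stanza are assumptions made for illustration.

```python
import re

# Constructed sample: the page's port with the ACL, 'server alive' and
# 'dot1x pae authenticator' lines removed.
SAMPLE = """\
interface FastEthernet0/1
 switchport access vlan 10
 authentication event server dead action authorize vlan 10
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 spanning-tree portfast
"""

def audit_port(stanza):
    """Return a list of findings for one interface stanza (hypothetical helper)."""
    lines = [l.strip().lower() for l in stanza.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    findings = []
    # 'authentication open' passes traffic before authentication, so the
    # ingress ACL is the only pre-auth restriction on the port.
    if has(r"authentication open") and not has(r"ip access-group \S+ in"):
        findings.append("open-without-acl")
    # Dead-server authorization is paired with the 'alive' action so hosts
    # admitted during the outage are re-authenticated when RADIUS returns.
    if has(r"authentication event server dead action authorize vlan \d+") \
            and not has(r"authentication event server alive action reinitialize"):
        findings.append("dead-without-reinitialize")
    # Each method named in 'authentication order' must be enabled on the port.
    order = next((l.split()[2:] for l in lines
                  if l.startswith("authentication order ")), [])
    enabled = {"mab": has(r"mab"), "dot1x": has(r"dot1x pae authenticator")}
    findings += [f"{m}-ordered-but-not-enabled" for m in order
                 if not enabled.get(m, True)]
    # Only 'auto' makes the switch actually run authentication on the port.
    if not has(r"authentication port-control auto"):
        findings.append("port-control-not-auto")
    return findings

if __name__ == "__main__":
    for finding in audit_port(SAMPLE):
        print(finding)
```

The check only confirms that an ingress ACL is bound to the port; whether that ACL is restrictive has to be judged from the ACL definition itself.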