Transcript Slide 1
Network Infrastructure Configuration for MAB Port Configuration
Interface fastethernet 0/1
description Trustsec:802.1X+MAB+MultiAuth
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server alive action reintialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
spanning-tree portfast
Network Infrastructure Configuration for MAB Port Configuration
switchport access vlan 10
The default vlan identified here can be overridden by a profile
Back
Network Infrastructure Configuration for MAB Port Configuration
ip access-group ACL-ALLOW in
This access list specifies what traffic is allowed on the port prior to a succesful
802.1x authentication
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication event fail action next-method
This commands identifies what should take place after an authentication failure.
This command may be useful in circumstances where you want host to failover to
MAB if an 802.1x authentication has failed.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication event server dead action authorize vlan 10
If the RADIUS server is dead and cannot be contacted then the action in this
Example to authorize the port into vlan 10.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication event server alive action reintialize
On the Radius server becoming active and accessible, reinitialize authentication
on the port.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication host-mode multi-auth
The options available for this command are multi-auth and single.
With multi-auth as shown a wireless access point or hub can be attached to the
switch port and individual multiple hosts can be authorized against the port
In single mode only one of the attached clients must be authorized for all the
clients to be granted network access. If the orginal authorized client leaves the port
then all those previously authorized clients will be logged off.
Can be used in conjunction with switchport security to limit access to configured
mac addresses.
Multi-ath checks each session.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication open
To allow network traffic prior to a succesful 802.1x authentication
It is a good idea to use this command in conjunction with a restrictive ACL.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication order mab dot1x
The switch port will attempt MAB authentication before 802.1x. You may want
to revise this order if the bulk of endpoints are 802.1x doing so will reduce
delays.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication priority dot1x mab
Allthough MAB may be configured first, if the endpoint is also capable of 802.1x
As well then 802.1x authentication will take priority over MAB
By default the priority changes when the order is changed.
Back
Network Infrastructure Configuration for MAB Port Configuration
authentication port-control auto
Options include :Forced Un-authorized
Forced Authorized
Auto
Back
Network Infrastructure Configuration for MAB Port Configuration
dot1x pae authenticator
Enables 802.1X authentication on the interface, and sets the port personality to
authenticator.
pae = Port Access Enitity
Back