Network Infrastructure Configuration for MAB Port Configuration

interface fastethernet 0/1
 description Trustsec:802.1X+MAB+MultiAuth
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast

switchport access vlan 10

The default VLAN identified here can be overridden by a profile.

ip access-group ACL-ALLOW in

This access list specifies what traffic is allowed on the port prior to a successful 802.1X authentication.

authentication event fail action next-method

This command identifies what should take place after an authentication failure. It may be useful in circumstances where you want a host to fail over to MAB if an 802.1X authentication has failed.

authentication event server dead action authorize vlan 10

If the RADIUS server is dead and cannot be contacted, the action in this example is to authorize the port into VLAN 10.

authentication event server alive action reinitialize

When the RADIUS server becomes active and accessible, reinitialize authentication on the port.

authentication host-mode multi-auth

The options available for this command are multi-auth and single.

With multi-auth, as shown, a wireless access point or hub can be attached to the switch port and multiple hosts can be individually authorized against the port.

In single mode only one of the attached clients must be authorized for all the clients to be granted network access. If the original authorized client leaves the port then all those previously authorized clients will be logged off.

Can be used in conjunction with switchport security to limit access to configured MAC addresses.

Multi-auth checks each session.

authentication open

Allows network traffic prior to a successful 802.1X authentication.

It is a good idea to use this command in conjunction with a restrictive ACL.

authentication order mab dot1x

The switch port will attempt MAB authentication before 802.1X. You may want to revise this order if the bulk of endpoints are 802.1X; doing so will reduce delays.

authentication priority dot1x mab

Although MAB may be configured first, if the endpoint is also capable of 802.1X then 802.1X authentication will take priority over MAB.

By default the priority changes when the order is changed.

authentication port-control auto

Options include:

Forced Un-authorized

Forced Authorized

Auto

dot1x pae authenticator

Enables 802.1X authentication on the interface and sets the port personality to authenticator.

PAE = Port Access Entity
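
An added example, not part of the original slides: a small Python check that reads IOS-style interface stanzas and flags the command relationships described above (authentication open without an ingress ACL, MAB taking priority over 802.1X, a server-dead fallback with no reinitialize). The FastEthernet0/2 stanza, the finding texts and all function names are constructed for illustration.

```python
# Constructed sample input: the port from this page plus a weaker, hypothetical port.
SAMPLE = """\
interface FastEthernet0/1
 ip access-group ACL-ALLOW in
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet0/2
 authentication event server dead action authorize vlan 10
 authentication open
 authentication order mab dot1x
 authentication port-control auto
"""

def parse_interfaces(text):
    """Map each interface name to the list of commands indented beneath it."""
    ports, current = {}, None
    for raw in text.splitlines():
        if raw.lower().startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))  # normalise whitespace
        else:
            current = None  # any other top-level line ends the stanza
    return ports

def audit_port(cmds):
    """Return findings for one port, using the command relationships described above."""
    def args(prefix):
        return next((c[len(prefix):].split() for c in cmds if c.startswith(prefix)), [])
    order = args("authentication order ")
    priority = args("authentication priority ") or order  # priority follows order by default
    has_acl = any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds)
    checks = [
        ("authentication port-control auto" not in cmds, "port-control is not auto"),
        ("authentication open" in cmds and not has_acl, "authentication open without an ingress ACL"),
        ("dot1x" in order and "dot1x pae authenticator" not in cmds, "dot1x in order but not enabled"),
        ("mab" in order and priority[:1] != ["dot1x"], "MAB takes priority over 802.1X"),
        (bool(args("authentication event server dead action ")) and
         "authentication event server alive action reinitialize" not in cmds, "dead fallback never reinitialized"),
    ]
    return [message for failed, message in checks if failed]

def audit(text):
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(text).items()}
```

Calling audit(SAMPLE) returns no findings for FastEthernet0/1 and four for FastEthernet0/2.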
