Commands for configuring 802.1x on a Cisco switch

Source: Internet
Author: User
Tags cisco switch

Commands:

Router(config)# aaa new-model
! Enable AAA.
aaa authentication dot1x default group radius
! dot1x uses RADIUS for authentication.
aaa authorization network default group radius
! Required if you use the 802.1x protocol to assign VLANs dynamically.
dot1x system-auth-control
! Allow 802.1x port-based authentication.
dot1x guest-vlan supplicant
! Allow the switch to place the port in the guest VLAN after 802.1x
! authentication on the port fails.
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key Password
! Set the IP address and ports of the RADIUS server and the authentication password.
radius-server retransmit 3
! Number of retransmissions when the RADIUS request does not get through.
radius-server vsa send authentication
! VSA is the abbreviation of Vendor-Specific Attributes. This command is
! needed if the port VLAN is to be assigned through 802.1x.
!
! The configuration below needs particular attention, because the dot1x
! default timeout and retry values are relatively high. If authentication
! does not succeed, the port switches to the guest VLAN relatively late,
! so the host cannot connect and the user experience suffers.
! In a LAN environment, the timeout values can be set relatively low.
interface FastEthernet0/3
 switchport mode access
 ! For dot1x to assign the VLAN, the switchport mode must be access.
 dot1x port-control auto
 ! Enable dot1x port authentication.
 dot1x timeout quiet-period 10
 ! Quiet time after authentication between the switch and the client fails.
 ! The default value is 60 s. I set it to 10.
 dot1x timeout tx-period 4
 dot1x timeout supp-timeout 4
 ! Time the switch waits for the client during authentication.
 dot1x timeout server-timeout 4
 ! Timeout from the switch to the RADIUS server.
 dot1x max-req 2
 ! Number of authentication retries between the switch and the client. The default value is
 dot1x guest-vlan 80
 ! Set the guest VLAN used after the attempts have failed.
 dot1x host-mode multi-host
 ! host-mode covers the case where several machines reach the network
 ! through a hub under the port. The default, single-host, allows only one
 ! machine to use the port. With multi-host, as long as the first machine
 ! passes authentication, the other machines on the hub can use the port
 ! as well. However, if the first machine to authenticate does not pass,
 ! every machine on the hub fails.
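
An added example, not part of the original page: a small Python audit that parses IOS-style configuration text and checks each interface against the points made above (802.1x enabled on the port, access mode, multi-host, guest VLAN). The sample configuration is constructed from the page's interface section, and the function names and finding labels are assumptions made for this illustration.

```python
# Constructed sample input: the page's interface section plus one
# unconfigured port, laid out as a saved IOS-style configuration.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
 dot1x timeout quiet-period 10
 dot1x max-req 2
 dot1x guest-vlan 80
 dot1x host-mode multi-host
interface FastEthernet0/4
 switchport mode access
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} (hypothetical helper)."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or IOS comment
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None                # back at global config level
    return interfaces

def audit_port(cmds):
    """Return finding labels (names are assumptions) for one interface."""
    if "dot1x port-control auto" not in cmds:
        return ["no-dot1x"]               # port does not enforce 802.1x
    findings = []
    if "switchport mode access" not in cmds:
        findings.append("not-access-mode")  # needed for dot1x VLAN assignment
    if "dot1x host-mode multi-host" in cmds:
        # Only the first host authenticates; the rest of the hub rides along.
        findings.append("multi-host")
    if not any(c.startswith("dot1x guest-vlan ") for c in cmds):
        findings.append("no-guest-vlan")  # no fallback VLAN after failure
    return findings

def audit(text):
    return {name: audit_port(c) for name, c in parse_interfaces(text).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

The parser relies on interface sub-commands being indented, as they are in a saved configuration.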
