
Cisco Sg3008 Manual

    							Security: 802.1X Authentication
    Common Tasks
    394 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
    19
    Common Tasks
    Workflow 1: To enable 802.1x authentication on a port:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
    STEP 2 Enable Port-based Authentication.
    STEP 3 Select the Authentication Method.
    STEP 4 Click Apply, and the Running Configuration file is updated.
    STEP 5 Click Security > 802.1X/MAC/Web Authentication > Host and Session.
    STEP 6 Select the required port and click Edit.
    STEP 7 Set the Host Authentication mode.
    STEP 8 Click Apply, and the Running Configuration file is updated.
    STEP 9 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
    STEP 10 Select a port, and click Edit.
    STEP 11 Set the Administrative Port Control field to Auto.
    STEP 12 Define the authentication methods.
    STEP 13 Click Apply, and the Running Configuration file is updated.
    Workflow 2: To configure traps:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
    STEP 2 Select the required traps.
    STEP 3 Click Apply, and the Running Configuration file is updated.
    Workflow 3: To configure 802.1x-based or Web-based authentication:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
    STEP 2 Select the required port and click Edit.
    STEP 3 Enter the fields required for the port.
    The fields in this page are described in Defining 802.1X Port Authentication.
    						
    STEP 4 Click Apply, and the Running Configuration file is updated.
    Use the Copy Settings button to copy settings from one port to another.
    Workflow 4: To configure the quiet period:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
    STEP 2 Select a port, and click Edit.
    STEP 3 Enter the quiet period in the Quiet Period field.
    STEP 4 Click Apply, and the Running Configuration file is updated.
    Workflow 5: To configure the guest VLAN:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
    STEP 2 Select Enable in the Guest VLAN field.
    STEP 3 Select the guest VLAN in the Guest VLAN ID field.
    STEP 4 Configure the Guest VLAN Timeout to be either Immediate or enter a value in the User defined field.
    STEP 5 Click Apply, and the Running Configuration file is updated.
    Workflow 6: To configure unauthenticated VLANs:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
    STEP 2 Select a VLAN, and click Edit.
    STEP 3 Select a VLAN.
    STEP 4 Optionally, uncheck Authentication to make the VLAN an unauthenticated VLAN.
    STEP 5 Click Apply, and the Running Configuration file is updated.
    						
    802.1X Configuration Through the GUI
    Defining 802.1X Properties
    The 802.1X Properties page is used to globally enable 802.1X and define how ports are authenticated. For 802.1X to function, it must be activated both globally and individually on each port.
    To define port-based authentication:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
    STEP 2 Enter the parameters.
    • Port-Based Authentication—Enable or disable port-based authentication. If this is disabled, 802.1X, MAC-based and web-based authentication are disabled.
    • Authentication Method—Select the user authentication methods. The options are:
      - RADIUS, None—Perform port authentication first by using the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then no authentication is performed, and the session is permitted. If the server is available but the user credentials are incorrect, access is denied and the session terminated.
      - RADIUS—Authenticate the user on the RADIUS server. If no authentication is performed, the session is not permitted.
      - None—Do not authenticate the user. Permit the session.
    • Guest VLAN—Select to enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the guest VLAN.
    • Guest VLAN ID—Select the guest VLAN from the list of VLANs.
    • Guest VLAN Timeout—Define a time period:
      - After linkup, if the software does not detect the 802.1X supplicant, or the authentication has failed, the port is added to the guest VLAN only after the Guest VLAN timeout period has expired.
    						
      - If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired.
    • Traps—To enable traps, select one or more of the following options:
      - 802.1x Authentication Failure Traps—Select to generate a trap if 802.1x authentication fails.
      - 802.1x Authentication Success Traps—Select to generate a trap if 802.1x authentication succeeds.
      - MAC Authentication Failure Traps—Select to generate a trap if MAC authentication fails.
      - MAC Authentication Success Traps—Select to generate a trap if MAC authentication succeeds.
    • When the switch is in Layer 2 switch mode:
      - Web Authentication Failure Traps—Select to generate a trap if Web authentication fails.
      - Web Authentication Success Traps—Select to generate a trap if Web authentication succeeds.
      - Web Authentication Quiet Traps—Select to generate a trap if a quiet period commences.
    When the device is in Layer 3 router mode, the VLAN Authentication Table displays all VLANs, and indicates whether authentication has been enabled on them.
    STEP 3 Click Apply. The 802.1X properties are written to the Running Configuration file.
    Defining 802.1X Port Authentication
    The Port Authentication page enables configuration of 802.1X parameters for each 
    port. Since some of the configuration changes are only possible while the port is 
    in Force Authorized state, such as host authentication, it is recommended that you 
    change the port control to Force Authorized before making changes. When the 
    configuration is complete, return the port control to its previous state. 
    NOTE A port with 802.1x defined on it cannot become a member of a LAG.
    To define 802.1X authentication: 
    						
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
    This page displays authentication settings for all ports.
    STEP 2 Select a port, and click Edit.
    STEP 3 Enter the parameters.
    • Interface—Select a port.
    • Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
    • Administrative Port Control—Select the Administrative Port Authorization state. The options are:
      - Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device does not provide authentication services to the client through the interface.
      - Auto—Enables port-based authentication and authorization on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.
      - Force Authorized—Authorizes the interface without authentication.
    • RADIUS VLAN Assignment—Select to enable Dynamic VLAN assignment on the selected port.
      - Disable—Feature is not enabled.
      - Reject—If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected.
      - Static—If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is accepted.
    • Guest VLAN—Select to indicate that the usage of a previously-defined guest VLAN is enabled for the device. The options are:
      - Selected—Enables using a guest VLAN for unauthorized ports. If a guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication page.
    						
        After an authentication failure, and if guest VLAN is activated globally on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an Untagged VLAN.
      - Cleared—Disables guest VLAN on the port.
    • 802.1X Based Authentication—802.1X authentication is the only authentication method performed on the port.
    • MAC Based Authentication—Port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
    NOTE For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the . or - separators; for example: 0020aa00bbcc.
    • Web Based Authentication—This is only available in Layer 2 switch mode. Select to enable web-based authentication on the switch.
    • Periodic Reauthentication—Select to enable port re-authentication attempts after the specified Reauthentication Period.
    • Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.
    • Reauthenticate Now—Select to enable immediate port re-authentication.
    • Authenticator State—Displays the defined port authorization state. The options are:
      - Initialize—In process of coming up.
      - Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).
      - Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).
    NOTE If the port is not in Force-Authorized or Force-Unauthorized, it is in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.
    • Time Range—Enable a limit on the time that the specific port is authorized for use if 802.1x has been enabled (Port-Based Authentication is checked).
    • Time Range Name—Select the profile that specifies the time range.
    						
    • Maximum WBA Login Attempts—Available only in Layer 2 switch mode. Enter the maximum number of login attempts allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
    • Max WBA Silence Period—Available only in Layer 2 switch mode. Enter the maximum length of the silent period allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
    • Max Hosts—Enter the maximum number of authorized hosts allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
    NOTE Set this value to 1 to simulate single-host mode for web-based authentication in multi-sessions mode.
    • Quiet Period—Enter the number of seconds that the device remains in the quiet state following a failed authentication exchange.
    • Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
    • Max EAP Requests—Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
    • Supplicant Timeout—Enter the number of seconds that elapse before EAP requests are resent to the supplicant.
    • Server Timeout—Enter the number of seconds that elapse before the device resends a request to the authentication server.
    STEP 4 Click Apply. The port settings are written to the Running Configuration file.
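
The MAC Based Authentication note above requires the RADIUS username and password to be the supplicant MAC in lower case with no separators, and allows only 8 MAC-based authentications per port. The following check is an added example, not part of the Cisco guide: it normalizes MAC addresses to that form, reports stored RADIUS usernames that the switch would never match, and flags ports that exceed the limit. Function names and the port labels are hypothetical.

```python
import re

# Notations commonly used to write a 48-bit MAC address (lower-cased first).
_MAC_FORMS = [
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),   # 00:20:aa:00:bb:cc
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),   # 00-20-aa-00-bb-cc
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"),  # 0020.aa00.bbcc
    re.compile(r"[0-9a-f]{12}"),                     # 0020aa00bbcc
]


def radius_mac_identity(mac):
    """Return the MAC as 12 lower-case hex digits with no separators."""
    lowered = mac.strip().lower()
    if not any(form.fullmatch(lowered) for form in _MAC_FORMS):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:.\-]", "", lowered)


def mismatched_usernames(usernames):
    """Map each stored RADIUS username that is not in the required form to
    its corrected form, or to None if it is not a MAC address at all."""
    problems = {}
    for name in usernames:
        try:
            wanted = radius_mac_identity(name)
        except ValueError:
            problems[name] = None
            continue
        if name != wanted:
            problems[name] = wanted
    return problems


def over_port_limit(macs_by_port, limit=8):
    """Return ports with more distinct MACs than MAC-based authentication
    allows on one port (8 according to the manual)."""
    return sorted(port for port, macs in macs_by_port.items()
                  if len({radius_mac_identity(m) for m in macs}) > limit)


# Constructed sample data: usernames as they might sit in a RADIUS user store.
SAMPLE_USERNAMES = ["0020aa00bbcc", "00:20:AA:00:BB:CD", "0020.aa00.bbce", "printer-3"]

if __name__ == "__main__":
    for stored, fixed in mismatched_usernames(SAMPLE_USERNAMES).items():
        print(f"{stored!r} -> {fixed!r}")
```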
    Defining Host and Session Authentication 
    The Host and Session Authentication page enables defining the mode in which 
    802.1X operates on the port and the action to perform if a violation has been 
    detected.
    See Port Host Modes for an explanation of these modes. 
    						
    To define 802.1X advanced settings for ports:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Host and Session Authentication.
    802.1X authentication parameters are described for all ports. All fields except the following are described in the Edit Host and Session Authentication page.
    • Number of Single Host Violations—Displays the number of packets that arrive on the interface in single-host mode, from a host whose MAC address is not the supplicant MAC address.
    STEP 2 Select a port, and click Edit.
    STEP 3 Enter the parameters.
    • Interface—Enter a port number for which host authentication is enabled.
    • Host Authentication—Select one of the modes. These modes are described above in Port Host Modes.
    The following fields are only relevant if you select Single in the Host Authentication field.
    Single Host Violation Settings:
    • Action on Violation—Select the action to be applied to packets arriving in Single Session/Single Host mode, from a host whose MAC address is not the supplicant MAC address. The options are:
      - Protect (Discard)—Discards the packets.
      - Restrict (Forward)—Forwards the packets.
      - Shutdown—Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
    • Traps (on single host violation)—Select to enable traps.
    • Trap Frequency (on Single Host Violation)—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.
    • Number of Violations—Displays the number of violations (number of packets in Single Session/Single Host mode, from a host whose MAC address is not the supplicant MAC address).
    STEP 4 Click Apply. The settings are written to the Running Configuration file.
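
Several option values described in the Properties, Port Authentication and Host and Session Authentication pages admit traffic without a successful authentication. The following audit is an added example, not part of the Cisco guide: dictionary keys and values reuse the GUI labels from this chapter, while the snapshot structure and the interface names are a hypothetical inventory format, not a switch export.

```python
def audit_dot1x(props, ports):
    """Return (scope, finding) pairs for settings that let traffic through
    without a successful authentication, per the option descriptions above."""
    findings = []
    enabled = props["Port-Based Authentication"] == "Enable"
    if not enabled:
        findings.append(("global", "802.1X, MAC-based and web-based authentication are disabled"))
    method = props["Authentication Method"]
    if method == "RADIUS, None":
        findings.append(("global", "session is permitted when RADIUS does not respond"))
    elif method == "None":
        findings.append(("global", "users are not authenticated"))
    for port in ports:
        name = port["Interface"]
        control = port["Administrative Port Control"]
        if control == "Force Authorized":
            findings.append((name, "interface authorized without authentication"))
            continue
        if control != "Auto":
            continue  # Force Unauthorized: the interface has no access at all
        if not enabled:
            findings.append((name, "set to Auto but authentication is disabled globally"))
        if port.get("RADIUS VLAN Assignment") == "Static":
            findings.append((name, "supplicant accepted without a RADIUS-supplied VLAN"))
        if (port.get("Host Authentication") == "Single"
                and port.get("Action on Violation") == "Restrict (Forward)"):
            findings.append((name, "packets from non-supplicant MACs are forwarded"))
    return findings


# Constructed sample snapshot (hypothetical inventory, GUI labels as keys).
SAMPLE_PROPS = {"Port-Based Authentication": "Enable",
                "Authentication Method": "RADIUS, None"}
SAMPLE_PORTS = [
    {"Interface": "GE1", "Administrative Port Control": "Auto",
     "RADIUS VLAN Assignment": "Reject", "Host Authentication": "Single",
     "Action on Violation": "Protect (Discard)"},
    {"Interface": "GE2", "Administrative Port Control": "Force Authorized"},
    {"Interface": "GE3", "Administrative Port Control": "Auto",
     "RADIUS VLAN Assignment": "Static", "Host Authentication": "Single",
     "Action on Violation": "Restrict (Forward)"},
    {"Interface": "GE4", "Administrative Port Control": "Force Unauthorized"},
]

if __name__ == "__main__":
    for scope, text in audit_dot1x(SAMPLE_PROPS, SAMPLE_PORTS):
        print(f"{scope}: {text}")
```

A port left in Force Authorized after a configuration change, as the Port Authentication section recommends doing temporarily, shows up here as a finding until its previous port control is restored.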
    						
    Viewing Authenticated Hosts
    To view details about authenticated users:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Authenticated Hosts.
    This page displays the following fields:
    • User Name—Supplicant names that were authenticated on each port.
    • Port—Number of the port.
    • Session Time (DD:HH:MM:SS)—Amount of time that the supplicant was logged on the port.
    • Authentication Method—Method by which the last session was authenticated.
    • Authentication Server—RADIUS server.
    • MAC Address—Displays the supplicant MAC address.
    • VLAN ID—Port’s VLAN.
    Locked Clients
    To view clients who have been locked out because of failed login attempts and to unlock a locked client:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Locked Client.
    The following fields are displayed:
    • Interface—Port that is locked.
    • MAC Address—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
    • Remaining Time(Sec)—The time remaining for the port to be locked.
    STEP 2 Select a port.
    STEP 3 Click Unlock.
    						
    Web Authentication Customization
    This page enables designing web-based authentication pages in various languages.
    You can add up to 4 languages.
    NOTE Up to 5 HTTP users and one HTTPS user can request web-based authentication at the same time. When these users are authenticated, more users can request authentication.
    To add a language for web-based authentication:
    STEP 1 Click Security > 802.1X/MAC/Web Authentication > Web Authentication Customization.
    STEP 2 Click Add.
    STEP 3 Select a language from the Language drop-down list.
    STEP 4 Select Set as Default Display Language if this language is the default language. The default language pages are displayed if the end user does not select a language.
    STEP 5 Click Apply and the settings are saved to the Running Configuration file.
    						