Hello, everyone!
This post covers the 802.1x functionality on Sx7xx switches. In particular, I would like to present a quite interesting scenario that you might find helpful at some point.
BACKGROUND INFORMATION
What if we want to use 802.1x authentication with a RADIUS server to authenticate several users on the same interface?
That is not hard: we can configure 802.1x in MAC-based access control mode and authenticate every user on the interface individually.
But what if we want to authenticate only some of the users on the interface and let the others (our really good friends) into the network without any restrictions? How can we do this on our switches?
To explain the proposed solution, I will use the picture below as a reference.
As you can see, a computer and an IP phone are both connected to the same interface, so what can we do?
First, we configure the interface as a hybrid port so that it accepts both tagged and untagged frames, enable the voice VLAN function on it and assign the voice VLAN.
Next, recall that the switch manages users through AAA domains. We configure two of them: one for users who must authenticate against the RADIUS server, which we name radius4you, and one for users who need no authentication, which we name noauth4phone.
In the AAA view we create these two domains, bind an authentication scheme with authentication-mode radius to the first one and a scheme with authentication-mode none to the lucky second one.
Once the interface, the domains and the RADIUS server template are configured (see HedEx for the server template), we enable and configure dot1x authentication in both the system view and the interface view.
As a result, the switch authenticates the computer against the RADIUS server according to the radius4you domain.
Since we do not want to authenticate the phone, we use the dot1x mac-bypass command on the interface. With it, when 802.1x authentication of the phone does not succeed, the switch falls back to MAC address authentication. Because we bound the phone's MAC address to the noauth4phone domain with the mac-authen domain command, and that domain uses an authentication scheme with authentication-mode none, the phone is admitted without any authentication at all. Keep in mind that this bypass trusts nothing but the MAC address, so the binding should use the full mask ffff-ffff-ffff so that only the phone, and not a whole range of addresses, skips authentication.
CONFIGURATION EXAMPLE
The configuration example would be:
System view:
#
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone //specifies the MAC address whose packets are carried in the voice VLAN; with the full mask ffff-ffff-ffff this matches the phone alone rather than a whole OUI
#
domain radius4you //sets radius4you as the global default domain, so users that carry no domain name are authenticated against the RADIUS server
#
dot1x enable //enables dot1x in the system view
dot1x timer reauthenticate-period 100 //sets the re-authentication interval for 802.1x authentication
mac-authen enable //enables MAC address authentication
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff //binds the phone's MAC address to the noauth4phone domain for MAC address authentication
#
AAA view:
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius //scheme that authenticates against the RADIUS server
 authentication-scheme noauth
  authentication-mode none //scheme that performs no authentication at all
 accounting-scheme default
  accounting start-fail online
 domain default
 domain default_admin
 domain radius4you
  authentication-scheme radius //the computer in this domain is authenticated by the RADIUS server
  radius-server acs //RADIUS server template named acs, configured separately
 domain noauth4phone //creates the noauth4phone domain in the AAA view
  authentication-scheme noauth //applies the noauth authentication scheme to the noauth4phone domain
#
Interface view:
#
interface Ethernet5/0/20
 voice-vlan 184 enable //enables voice VLAN 184 on the interface
 voice-vlan mode manual //the interface is added to the voice VLAN manually (below) rather than learned automatically
 voice-vlan legacy enable //enables the CDP-compatible voice VLAN function
 port hybrid pvid vlan 183 //untagged frames from the computer land in data VLAN 183
 port hybrid tagged vlan 184 //the phone's voice traffic is carried tagged in VLAN 184
 port hybrid untagged vlan 183
 stp disable
 bpdu bridge enable
 dot1x mac-bypass //once 802.1x authentication of a device fails, the switch falls back to authenticating it by MAC address
#
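To check what a configuration like the one above actually lets through, the following Python script (an added example, not part of the original post and not a Huawei tool) parses a VRP-style configuration dump, resolves each AAA domain to the authentication-mode of its scheme and reports every mac-authen domain binding whose domain ends up with authentication-mode none. It also computes how many MAC addresses the mask covers, so a bypass that was meant for one phone but was given a shorter mask stands out. The configuration text embedded in the script is constructed from this post's example; the script assumes the VRP defaults that a domain without an explicit scheme uses the scheme named default and that a scheme without an explicit mode performs local authentication.

```python
"""Audit which MAC addresses bypass authentication in a Huawei VRP-style config.

Added example, not code from the original post or from Huawei. It resolves
each AAA domain to the authentication-mode of its scheme, then reports every
'mac-authen domain ... mac-address ... mask ...' binding that lands in a
domain with 'authentication-mode none'. Assumptions (VRP defaults): a domain
without an explicit scheme uses the scheme named 'default', and a scheme
without an explicit mode uses local authentication.
"""
import re

# Constructed from the post's configuration example; not a real device dump.
SAMPLE_CONFIG = """\
#
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone
#
dot1x enable
mac-authen enable
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme noauth
  authentication-mode none
 domain radius4you
  authentication-scheme radius
  radius-server acs
 domain noauth4phone
  authentication-scheme noauth
#
"""

FULL_MASK = "ffff-ffff-ffff"
MAC_AUTHEN_RE = re.compile(
    r"^mac-authen domain (\S+) mac-address ([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r" mask ([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$"
)


def parse_aaa(text):
    """Return (scheme -> authentication-mode, domain -> scheme) from the aaa block."""
    scheme_mode, domain_scheme = {}, {}
    current_scheme = current_domain = None
    in_aaa = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa":
            in_aaa = True
            continue
        if not in_aaa:
            continue
        if line == "#":            # '#' closes the aaa block in a VRP dump
            break
        if line.startswith("domain "):
            current_domain, current_scheme = line.split()[1], None
        elif line.startswith("authentication-scheme "):
            name = line.split()[1]
            if current_domain is None:      # scheme definition
                current_scheme = name
                scheme_mode.setdefault(name, "local")   # VRP default mode
            else:                           # scheme applied inside a domain
                domain_scheme[current_domain] = name
        elif line.startswith("authentication-mode ") and current_scheme:
            scheme_mode[current_scheme] = line.split(maxsplit=1)[1]
    return scheme_mode, domain_scheme


def mask_span(mask):
    """Number of MAC addresses matched by a VRP mask such as ffff-ff00-0000."""
    fixed_bits = bin(int(mask.replace("-", ""), 16)).count("1")
    return 2 ** (48 - fixed_bits)


def find_unauthenticated_macs(text):
    """List every MAC binding whose domain performs no authentication."""
    scheme_mode, domain_scheme = parse_aaa(text)
    hits = []
    for raw in text.splitlines():
        match = MAC_AUTHEN_RE.match(raw.strip())
        if not match:
            continue
        domain, mac, mask = match.groups()
        # A domain with no explicit scheme falls back to 'default' (assumed VRP behaviour).
        mode = scheme_mode.get(domain_scheme.get(domain, "default"), "local")
        if mode == "none":
            hits.append({"mac": mac, "mask": mask, "domain": domain,
                         "addresses": mask_span(mask)})
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_macs(SAMPLE_CONFIG):
        flag = "" if hit["mask"] == FULL_MASK else "  <-- wider than one device"
        print(f"{hit['mac']} mask {hit['mask']} -> {hit['domain']} (no auth, "
              f"{hit['addresses']} address(es)){flag}")
```

Run it against the output of display current-configuration saved to a file (replace SAMPLE_CONFIG with the file contents) after any change to the mac-authen bindings; a mask such as ffff-ff00-0000 turns a single-phone exception into 2^24 addresses that skip authentication, and the report makes that visible.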
This would be all on the 802.1x functionality on Sx7xx switches. I hope this example is helpful if you need to configure this scenario in the future. Thank you for reading this post!