1-13Note:802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication butnot accounting. This is because a CAMS server establishes a user session after it begins to performaccounting. Therefore, to enable 802.1x re-authentication, do not configure the accounting nonecommand in the domain. This restriction does not apply to other types of servers.Introduction to 802.1x Configuration802.1x provides a solution for authenticating users. To implement this solution, you need to execute802.1x-related commands. You also need to configure AAA schemes on switches and specify theauthentication scheme (RADIUS or local authentication scheme).Figure 1-11 802.1x configurationISP domainconfiguration AAA schemeLocalauthenticationRADIUSscheme802.1xconfigurationISP domainconfiguration AAA schemeLocalauthenticationRADIUSscheme802.1xconfigurationz 802.1x users use domain names to associate with the ISP domains configured on switchesz Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted inthe ISP domain.z If you specify to use a local authentication scheme, you need to configure the user names andpasswords manually on the switch. Users can pass the authentication through 802.1x client if theyprovide user names and passwords that match those configured on the switch.z If you specify to adopt the RADIUS scheme, the supplicant systems are authenticated by a remoteRADIUS server. In this case, you need to configure user names and passwords on the RADIUSserver and perform RADIUS client-related configuration on the switches.z You can also specify to adopt the RADIUS authentication scheme, with a local authenticationscheme as a backup. In this case, the local authentication scheme is adopted when the RADIUSserver fails.Refer to the AAA Operation for detailed information about AAA scheme configuration.Basic 802.1x ConfigurationConfiguration Prerequisitesz Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme ora local scheme.z Ensure that the service type is configured as lan-access (by using the service-type command) iflocal authentication scheme is adopted.
