...
1) Connect to the web interface of the device and navigate to the menu System → AAA → Authentication List.
2) Select the entry dot1xList and then click Edit.
3) Under Available Methods select the option Radius and click the upper “arrow” icon to move it into the Selected Methods. Then click Submit.
| Info |
|---|
The option Radius must be stored here, otherwise the switch will not forward the RADIUS requests to the RADIUS server. |
4) Go to the menu Security → Port Access Control → Configuration.
5) Under Admin mode, select the option Enable and click Submit.
6) Go to the menu Security → RADIUS → Named Server.
7) Click Add to add a RADIUS server.
8) Modify the following parameters and then click Submit:
- IP Address/Host Name: Enter the IP address or host name of the RADIUS server from which the switch obtains the Dynamic ACL.
- Server Name: If necessary, adjust the name for the RADIUS server (in this example the name was left as the default setting Default-RADIUS-Server).
- Port Number: Leave the RADIUS port as the default value 1812.
- Secret: Enter the Client Secret set on the RADIUS server.
- Server Type: Select the option Primary.
- Message Authenticator: Check that the option Enabled is selected.
9) Change to the menu Security → Authentication Manager → Interface Configuration.
| Hinweis |
|---|
At this point, under no circumstances should the Admin Mode under Security → Authentication Manager → Configuration be activated (Enable), because authentication is enabled globally for all ports. Otherwise, configuration access to the switch is no longer possible! |
| Info |
|---|
The status of the Named Server under Current only changes to True when the switch receives a RADIUS request.
|
10) Select the interface used for configuration access (in this example the port 1/0/9), under Control Mode select the option Force Authorized and click Submit. With this setting, no authentication is performed on this port.
| Info |
|---|
Select Force Authorized for all ports on which no authentication should be performed. |
11) Select a port on which authentication should be performed (in this example 1/0/10), adjust the following parameters and click Submit:
...
| Info |
|---|
Since Dynamic ACLs are usually used to deny or allow data traffic to individual devices, this example has the Host Mode set to Single Authentication. If several devices are to be connected to this port (e.g. via an access point), the mode Multiple Domain/Host is required. |
12) On the Configuration tab, set the Admin Mode to the option Enable and click Submit.
13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.
| Info |
|---|
The start configuration is retained even if the device is restarted or there is a power failure. As an alternative, the current configuration can be saved as the start configuration from the command line with the command write memory. |
14) Confirm your changes by clicking OK.
