If you have an intermediate familiarity with Ethernet switching you are more than likely familiar with 802.1x port based authentication. With that assumption let’s assume your environment is locked down tight enough to the point where this security is enabled. Great! However, what if you needed to add another Cisco device to a client facing switch port? Not so great… How do you get the device to authenticate the same way as your PC does? Fortunately the IOS includes a supplicant for 802.1x that will allow us to authenticate just like a wired windows client! Let’s check out the config for reference.
cisp enable eap profile EAP method mschapv2 dot1x credentials Dot1X_Creds username <username> password <password> dot1x supplicant force-multicast interface GigabitEthernet0/1 ip address dhcp dot1x pae supplicant dot1x credentials Dot1X_Creds dot1x supplicant eap profile EAP
OK, so lets break this down. First, the CISP option needs to be enabled. This is the Client Information Signaling Protocol. In simple terms it’s a complementary feature to the supplicant for 802.1x. As you can see in the second line we then create and name an EAP profile and in this example I used MSCHAPv2. There are other options as well including EAP-FAST and MD5.
ROUTER (config-eap-profile)#method ? fast EAP-FAST method allowed md5 EAP-MD5 method allowed mschapv2 EAP-MSCHAPV2 method allowed
Next, we create a credential profile. This example shows username and password options. Not shown is also the option to include a PKI trustpoint certificate as well.
The “dot1x supplicant force-multicast” global option enables the supplicant in all host modes.
In interface configuration mode, you enable the supplicant and apply the EAP profile and the credential profile. From there you have the typical interface configuration options such as “ip address dhcp” from my example.
Finally, you will find additional information here on Cisco’s website:
I hope you found this brief configuration discussion helpful! Be sure to comment with questions or feedback!