SoftWare Version V705R501C007B019
BootRom Version 8.0.1
HardWare Version 1.0.1
For the purposes of this document, the following network infrastructure values are assumed:
- NACVIEW IP server address: NACVIEW_SERV
- RADIUS communication key: RADIUS_KEY
- Name of the RADIUS server Group: RADIUS_GROUP
- Tacacs+ communication key: TAC_KEY
- Switch management IP address: SW_IP
- SNMP v2 password: SNMP_SECRET
- SNMP v3 password: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- Wireless network SSID name: SSID_NAME
- VLAN ID: VLAN_X, VLAN_Y
- Network number: NET_X
DCWS-6028-C#config
DCWS-6028-C(config)#radius nas-ipv4 SW_IP
DCWS-6028-C(config)#radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY
DCWS-6028-C(config)#radius-server accounting host NACVIEW_SERV port 1813 key RADIUS_KEY
DCWS-6028-C(config)#radius-server attributes vlan enable
DCWS-6028-C(config)#aaa enable
DCWS-6028-C(config)#aaa-accounting enable
DCWS-6028-C(config)#aaa-accounting update enable
DCWS-6028-C(config)#authentication logging enable
DCWS-6028-C#config
DCWS-6028-C(config)#aaa group server radius RADIUS_GROUP
DCWS-6028-C(config-gs-radius)#server NACVIEW_SERV
DCWS-6028-C#config
DCWS-6028-C(config)#tacacs-server authentication host NACVIEW_SERV
DCWS-6028-C(config)#tacacs-server key TAC_KEY
DCWS-6028-C(config)#tacacs-server nas-ipv4 SW_IP
DCWS-6028-C#config
DCWS-6028-C(config)#authentication line vty login tacacs local
DCWS-6028-C(config)#authorization line vty exec tacacs
DCWS-6028-C(config)#authorization line vty command 1 tacacs
DCWS-6028-C(config)#authorization line vty command 7 tacacs
DCWS-6028-C(config)#authorization line vty command 15 tacacs
DCWS-6028-C(config)#accounting line vty command 1 start-stop tacacs
DCWS-6028-C(config)#accounting line vty command 7 start-stop tacacs
DCWS-6028-C(config)#accounting line vty command 15 start-stop tacacs
DCWS-6028-C(config)#accounting line vty exec start-stop tacacs
DCWS-6028-C(config)#aaa authorization config-commands
DCWS-6028-C(config)#authentication enable tacacs
DCWS-6028-C#config
DCWS-6028-C(config)#dot1x enable
DCWS-6028-C(config)#dot1x re-authentication
DCWS-6028-C(config)#dot1x macbased port-down-flush
DCWS-6028-C(config)#dot1x eapor enable
DCWS-6028-C#config
DCWS-6028-C(config)#mac-address-learning cpu-control
DCWS-6028-C(config)#mac-authentication-bypass enable
DCWS-6028-C(config)#mac-authentication-bypass timeout reauth-period 300
DCWS-6028-C#config
DCWS-6028-C(config)#interface ethernet 1/0/1
DCWS-6028-C(config-if-ethernet1/0/1)#spanning-tree portfast
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x enable
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x port-control auto
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x port-method macbased
DCWS-6028-C(config-if-ethernet1/0/1)#switchport access VLAN_X
DCWS-6028-C#config
DCWS-6028-C(config)#interface ethernet 1/0/1
DCWS-6028-C(config-if-ethernet1/0/1)#switchport access VLAN_X
DCWS-6028-C(config-if-ethernet1/0/1)#mac-authentication-bypass enable
DCWS-6028-C#config
DCWS-6028-C(config)#interface ethernet 1/0/1
DCWS-6028-C(config-if-ethernet1/0/1)#spanning-tree portfast
DCWS-6028-C(config-if-ethernet1/0/1)#switchport mode hybrid
DCWS-6028-C(config-if-ethernet1/0/1)#switchport hybrid native vlan 1
DCWS-6028-C(config-if-ethernet1/0/1)#switchport hybrid allowed vlan 1;VLAN_X;VLAN_Y untag
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x enable
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x port-control auto
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x port-method macbased
DCWS-6028-C(config-if-ethernet1/0/1)#dot1x max-user macbased 5
DCWS-6028-C(config-if-ethernet1/0/1)#mac-authentication-bypass enable
DCWS-6028-C#config
DCWS-6028-C(config)#snmp-server enable
DCWS-6028-C(config)#snmp-server securityip NACVIEW_SERV
DCWS-6028-C(config)#snmp-server community ro 0 SNMP_SECRET
DCWS-6028-C#config
DCWS-6028-C(config)#snmp-server enable
DCWS-6028-C(config)#snmp-server host NACVIEW_SERV v3 authpriv SNMP_USER
DCWS-6028-C(config)#snmp-server securityip NACVIEW_SERV
DCWS-6028-C(config)#snmp-server user SNMP_USER SNMP_GROUP authPriv des SNMP_PRIV auth sha SNMP_AUTH
DCWS-6028-C(config)#snmp-server group SNMP_GROUP authpriv read default write default notify default
DCWS-6028-C(config)#snmp-server view default 1. include
DCWS-6028-C#config
DCWS-6028-C(config)#logging NACVIEW_SERV facility local0 level informational
DCWS-6028-C(config)#logging source-ip SW_IP
DCWS-6028-C#config
DCWS-6028-C(config)#wireless
DCWS-6028-C(config-wireless)#network NET_X
DCWS-6028-C(config-network)#security mode wpa-enterprise
DCWS-6028-C(config-network)#wpa version wpa2
DCWS-6028-C(config-network)#wpa ciphers ccmp tkip
DCWS-6028-C(config-network)#dot1x bcast-key-refresh-rate 400
DCWS-6028-C(config-network)#dot1x session-key-refresh-rate 400
DCWS-6028-C(config-network)#radius use-network-configuration
DCWS-6028-C(config-network)#radius server-name auth RADIUS_GROUP
You can set the WPA version to wpa3 if the devices in your network support it.
AC(config-network)#wpa2 pre-authentication
The wpa2 pre-authentication command allows seamless roaming by caching authentication credentials on nearby APs.
DCWS-6028-C#copy running-config tftp://NACVIEW_SERV/CONF_FILE
- copying the current configuration to the TFTP server
DCWS-6028-C#show running-config full
- viewing the whole current configuration
DCWS-6028-C(config-if-ethernet1/0/1)#show running-config current-mode
- viewing the configuration of the current mode (here: the ethernet 1/0/1 interface)
DCWS-6028-C(config)#show running-config interface ethernet 1/0/1
- viewing interface configuration
DCWS-6028-C#show dot1x interface ethernet 1/0/1
- viewing interface dot1x configuration
DCWS-6028-C#show dot1x user
- viewing users authorized by dot1x
DCWS-6028-C#show mac-authentication-bypass
- viewing MAB authentication
DCWS-6028-C#terminal monitor
- displaying debug messages in the console
DCWS-6028-C#terminal length 0
- disabling output paging in the console
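A saved copy of the show running-config full output can be checked offline against the RADIUS/AAA, 802.1X and MAB commands configured in this guide, so that a port left without authentication is noticed. The script below is an added example, not part of the original NACVIEW or vendor documentation; the running-config layout (an "Interface" line closed by "!"), the function names and the sample configuration are assumptions constructed for illustration.

```python
REQUIRED_GLOBAL = ["radius-server authentication host", "radius-server accounting host",
                   "aaa enable", "aaa-accounting enable", "dot1x enable",
                   "mac-authentication-bypass enable"]  # prefix match, arguments may follow
REQUIRED_PORT = ["dot1x enable", "dot1x port-control auto",  # exact match inside a port block
                 "dot1x port-method macbased", "mac-authentication-bypass enable"]

# Constructed sample; assumed layout: "Interface <name>" opens a port block, "!" closes it.
SAMPLE = """\
radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY
radius-server accounting host NACVIEW_SERV port 1813 key RADIUS_KEY
aaa enable
aaa-accounting enable
dot1x enable
Interface Ethernet1/0/1
 dot1x enable
 dot1x port-control auto
 dot1x port-method macbased
 mac-authentication-bypass enable
!
Interface Ethernet1/0/2
 dot1x enable
 dot1x port-control auto
!
Interface Ethernet1/0/24
 switchport mode trunk
!
"""

def parse_config(text):
    glob, ports, cur = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.lower().split())      # normalise case and whitespace
        if line == "!":
            cur = None                            # back to global context
        elif line.startswith("interface "):
            cur = ports.setdefault(line.split(" ", 1)[1], [])
        elif line:
            (glob if cur is None else cur).append(line)
    return glob, ports

def audit(text, exempt=()):
    glob, ports = parse_config(text)
    out = [("global", "missing: " + r) for r in REQUIRED_GLOBAL
           if not any(l.startswith(r) for l in glob)]
    for name, lines in ports.items():
        if name not in exempt:  # exempt: lower-case names of uplinks that do not run 802.1X
            out += [(name, "missing: " + r) for r in REQUIRED_PORT if r not in lines]
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE, exempt={"ethernet1/0/24"}), sep="\n")
```

Every interface not listed in exempt is expected to carry all four per-port commands, so an access port with no dot1x lines at all is reported rather than skipped.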