106 Device Security802.1x Network Access ControlPort-based network access control allows the operation of a system’s port(s) to be controlled to ensurethat access to its services is permitted only by systems that are authorized to do so.Port Access Control provides a means of preventing unauthorized access by supplicants or users to theservices offered by a system. Control over the access to a switch and the LAN to which it is connectedcan be desirable in order to restrict access to publicly accessible bridge ports or departmental LANs.The PowerConnect 6200 Series switch achieves access control by enforcing authentication of supplicantsthat are attached to an authenticator’s controlled ports. The result of the authentication processdetermines whether the supplicant is authorized to access services on that controlled port.A PAE (Port Access Entity) can adopt one of two roles within an access control interaction:• Authenticator – Port that enforces authentication before allowing access to services available via thatPort.• Supplicant – Port that attempts to access services offered by the Authenticator.Additionally, there exists a third role:• Authentication server – Server that performs the authentication function necessary to check thecredentials of the supplicant on behalf of the Authenticator.Completion of an authentication exchange requires all three roles. The PowerConnect 6200 Seriesswitch supports the authenticator role only, in which the PAE is responsible for communicating with thesupplicant. The authenticator PAE is also responsible for submitting information received from thesupplicant to the authentication server in order for the credentials to be checked, which determines theauthorization state of the port. Depending on the outcome of the authentication process, theauthenticator PAE then controls the authorized/unauthorized state of the controlled Port.Authentication is accomplished via an external authentication server:• Remote Authentication Dial-In User Service (RADIUS)• Terminal Access Controller Access Control System (TACACS+)802.1x Network Access Control ExamplesThis section contains examples of the CLI commands used to configure 802.1X.Example #1: Configure RADIUS Server for AuthenticationThis example configures a single RADIUS server used for authentication at 10.10.10.10. The sharedsecret is configured to besecret. The process creates a new authentication list, called radiusList, whichuses RADIUS as the authentication method. This authentication list is associated with the 802.1xdefault login. 802.1x port based access control is enabled for the system, and interface 1/g1 is configuredto be in force-authorized mode because this is where the RADIUS server and protected networkresources are located.