Which Cisco IOS command globally enables port-based authentication on a switch?
A.
aaa port-auth enable
B.
radius port-control enable
C.
dot1x system-auth-control
D.
switchport aaa-control enable
Explanation:
Configuration of 802.1x authentication is done in 5 steps:
Step 1 Enable AAA on the switch.
By default, AAA is disabled. You can enable AAA for port-based authentication by using the
following global configuration command:
Switch(config)#aaa new-model
Step 2 Define external RADIUS servers.
First, define each server along with its secret shared password. This string is known only to the
switch and the server, and provides a key for encrypting the authentication session. Use the
following global configuration command:
Switch(config)#radius-server host {hostname | ip-address} [key string]
Step 3 Define the authentication method for 802.1x.
Using the following command causes all RADIUS authentication servers that are defined on the
switch to be used for 802.1x authentication:
Switch(config)#aaa authentication dot1x default group radius
Step 4 Enable 802.1x on the switch:
Switch(config)#dot1x system-auth-control
Step 5 Configure each switch port that will use 802.1x:
Switch(config)# interface type mod/num
Switch(config-if)#dot1x port-control {force-authorized | forceunauthorized | auto}
Here, the 802.1x state is one of the following:
• force-authorized—The port is forced to always authorize any connected client. No authentication
is necessary. This is the default state for all switch ports when 802.1x is enabled.
• force-unauthorized—The port is forced to never authorize any connected client. As a result, the
port cannot move to the authorized state to pass traffic to a connected client.
• auto — The port uses an 802.1x exchange to move from the unauthorized to the authorized
state, if successful. This requires an 802.1x-capable application on the client PC.
Reference:
CCNP BCMSN Official Exam Certification Guide, Fourth Edition, Chapter 15: Securing Switch
Access, Port-Based Authentication, p. 392