Cisco Catalyst 5000/5500, 6000/6500, 4000, 2950, or 3550 switches can be configured as an authenticator, provided that they are running at the appropriate code level. For the Catalyst 5000/5500, 6000/6500, and 4000 running COS, version 6.2 or greater is required. The Catalyst 2950 requires Cisco IOS version 12.1(6) EA2 or greater, and the Catalyst 3550 requires Cisco IOS version 12.1(8) EA1 or greater.
The fist step to configuring the authenticator is to provide it with the address and key of the RADIUS server that will act as an authentication server. This is accomplished using the commands listed (this assumes that the switch is already configured with the appropriate IP addressing information):
For COS switches:
COSSwitch (enable) set radius server 192.168.101.98 primary
COSSwitch (enable) set radius key ABC6108
For IOS switches:
IOSSwitch#conf t
IOSSwitch (config)#aaa new-model
IOSSwitch (config)#radius-server host 192.168.101.98
IOSSwitch (config)#radius-server key ABC6108
The next step in the process is to enable the 802.1X port authentication process. This step makes the switch an authenticator, allows it to send the EAP messages to the supplicant, proxy the information to the authentication (RADIUS) server(s) configured in Step 1, and act on the messages received from those servers to authorize ports. To configure the switch to act as an authenticator, use the following commands.
For COS switches:
COSSwitch (enable) set dot1x system-auth-control enable
For IOS switches:
IOSSwitch (config)#aaa authentication dot1x default group radius