This particular implementation is configured on a 3750 running 12.2.55(SE3)
(no, not a 3750X!).
Step 1: Enable dot1x globally with the "dot1x system-auth-control" command.
To verify that dot1x is globally enabled:
Dot1x Protocol Version 3
Step 2: Configure the access ports:
switchport mode access
switchport voice vlan 21
authentication event fail action authorize vlan 32
authentication event no-response action authorize vlan 32
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
This configuration first attempts authentication (using EAPOL between the switch and the client,
and RADIUS between the switch and the RADIUS server). If authentication is successful, the port is authorized and begins forwarding traffic.
If authentication fails, or if no response is received
Issue the following command to verify the authorization status of a port:
Dot1x Info for GigabitEthernet1/0/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Port Gi1/0/1 in the example above is shown as Unauthorized (actually, it was unplugged when I issued the command).
Of course the "guest vlan" is an option as well; in this particular case vlan 32 was set up as a DMZ vlan with its default gateway IP address on a firewall.
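To make the per-port status check repeatable, here is a small parser for the "show dot1x interface" style output shown above, written as an added example (it is not part of the original post or of Cisco's tooling). The sample output is constructed to match the fields listed above; the field names and the MULTI_HOST caveat (once one supplicant authenticates, every other MAC behind the port is forwarded without its own authentication) follow the switch's own output and documented behaviour, while the function names are the example's own.

```python
import re

# Constructed sample, modelled on the "show dot1x interface" output shown above.
SAMPLE_OUTPUT = """\
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED
"""


def parse_dot1x_interface(text):
    """Turn the 'key = value' lines of one interface's dot1x output into a dict.

    Returns the interface name under 'interface' and the raw field values
    (strings) under their printed names, e.g. info['Port Status'].
    """
    info = {"interface": None, "client_list_empty": False}
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:
            info["interface"] = m.group(1)
            continue
        if "Client List Empty" in line:
            info["client_list_empty"] = True
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    return info


def assess_port(info):
    """Return a list of human-readable findings for one parsed port."""
    findings = []
    # Anything other than AUTO means 802.1X is not actually deciding access.
    if info.get("PortControl") != "AUTO":
        findings.append("PortControl is %s, not AUTO: 802.1X is not enforced" % info.get("PortControl"))
    if info.get("Port Status") == "UNAUTHORIZED":
        findings.append("port is UNAUTHORIZED: no supplicant has passed authentication (link may simply be down)")
    # Multi-host: one successful authentication opens the port for all MACs behind it.
    if info.get("HostMode") == "MULTI_HOST":
        findings.append("HostMode MULTI_HOST: every device behind this port is allowed once one host authenticates")
    return findings


if __name__ == "__main__":
    port = parse_dot1x_interface(SAMPLE_OUTPUT)
    print(port["interface"], port["Port Status"])
    for finding in assess_port(port):
        print(" -", finding)
```

The parser deliberately keeps the values as strings; the point is to get the fields into a structure that an inventory script can compare across all access ports, rather than reading them by eye one interface at a time.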
You can configure an 802.1X port for single-host or for multiple-hosts mode. In single-host mode, only one host is allowed on an 802.1X port.
When the host is authenticated, the port is placed in the authorized state. When the host leaves the port, the port becomes unauthorized.
Packets from hosts other than the authenticated one are dropped. Because the access port can contain phones, I have opted for the multi-host host mode.
The "dot1x pae authenticator" interface configuration command, on a switch stack or on a standalone switch, configures the port as an IEEE 802.1X port access entity (PAE) authenticator.
Step 3: Configure the RADIUS server.
For dot1x, RADIUS is used, and the switch basically functions as a RADIUS proxy for the client that is trying to authenticate.
I will not discuss the configuration of the actual RADIUS server itself in this post.
The RADIUS server configuration that I did use is:
radius-server host 220.127.116.11 auth-port 1645 acct-port 1646 key 0
Step 4: Configure AAA to use dot1x.
This basically defines which RADIUS server(s) (18.104.22.168 in this example) are used for dot1x. The command for this is:
aaa authentication dot1x default group radius
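Steps 1 through 4 together give a set of global and per-interface lines that every access port should carry. The following audit script is an added example (not from the original post and not a Cisco tool) that reads a saved running-config and reports which of those lines are missing. The sample config is constructed from the commands in the steps above, with a placeholder RADIUS address and shared secret; the interface Gi1/0/2 in it is deliberately left without "authentication port-control auto", which matters because a port without that line keeps the default of force-authorized and never challenges a supplicant at all.

```python
# Global lines taken from Step 1 and Step 4 above.
REQUIRED_GLOBAL = [
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
]
# Per-port lines taken from Step 2 above that decide whether 802.1X is enforced.
REQUIRED_ACCESS = [
    "switchport mode access",
    "authentication port-control auto",
    "dot1x pae authenticator",
]

# Constructed running-config excerpt; 192.0.2.10 and the key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 21
 authentication event fail action authorize vlan 32
 authentication event no-response action authorize vlan 32
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 0 PLACEHOLDER_SECRET
"""


def split_config(text):
    """Split IOS config text into (global_lines, {interface_name: [sub_lines]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            # Indented line belongs to the interface stanza we are inside.
            interfaces[current].append(line.strip())
        else:
            # Any unindented line (including '!') ends the current stanza.
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return {'global' or interface name: [missing commands]} for non-compliant parts."""
    global_lines, interfaces = split_config(text)
    findings = {}
    missing_global = [cmd for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    # Step 3: at least one RADIUS server must be defined for dot1x to work.
    if not any(l.startswith("radius-server host ") for l in global_lines):
        missing_global.append("radius-server host ...")
    if missing_global:
        findings["global"] = missing_global
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are out of scope for this check
        missing = [cmd for cmd in REQUIRED_ACCESS if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for where, missing in audit(SAMPLE_CONFIG).items():
        print(where, "is missing:", ", ".join(missing))
```

Run it against "show running-config" output saved to a file and it prints one line per access port that is not fully configured; a port that merely lacks "authentication port-control auto" looks harmless in the config but is effectively unprotected, which is exactly the kind of gap this check is meant to catch.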
For a full dot1x configuration guide: