Configure 802.1X-capable Ethernet Switches

Applies To: Windows Server 2008, Windows Server 2008 R2

Use the product documentation for your 802.1X-capable Ethernet switches to configure network and RADIUS settings.

To configure 802.1X-capable switches

  1. Configure the following TCP/IP and network settings on your 802.1X-capable switches:

    • IP address (static): Configure a unique static IP address that falls within the exclusion range of the Dynamic Host Configuration Protocol (DHCP) scope for the subnet associated with that switch.

    • Subnet mask: Configure this to match the subnet mask settings of the LAN to which you have connected the switch.

    • DNS name: Some switches can be configured with a Domain Name System (DNS) name. The DNS service on the network can resolve DNS names to an IP address. On each switch that supports this feature, enter a unique name for DNS resolution.

    • Default Gateway: On each switch configure the default gateway for the subnet on which the switch is placed.

    • DHCP service: If your switch has a built-in DHCP service, disable it.

  2. Configure your 802.1X-capable switches with the following Remote Authentication Dial-In User Service (RADIUS) settings:

    • Primary RADIUS server IP address: Configure the IPv4 address, IPv6 address, or DNS name of a primary RADIUS server.

    • Secondary RADIUS server: Configure the IPv4 address, IPv6 address, or DNS name of a secondary RADIUS server, as well as its RADIUS shared secret, UDP ports for authentication and accounting, and failure detection settings.

    • RADIUS shared secret: Use a unique RADIUS shared secret for each switch. Each shared secret should be a random sequence at least 22 characters long of uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, use a random character generation program to create the shared secrets. The RADIUS shared secret must match the shared secret that you specify in when you configure the switch as a RADIUS client in Network Policy Server (NPS). Record the shared secret for each switch and store it in a secure location, such as an office safe. You must need to know the shared secret for each switch when you configure RADIUS clients in the NPS.


Alternatively, you can use NPS to generate random shared secrets when you configure new RADIUS clients in NPS, then use the shared secret generated by NPS to configure your 802.1X-compatible switches.

  - **UDP port(s):** Verify that UDP port information is specified for authentication, accounting, and failure detection. By default, NPS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages.  


Do not change the default RADIUS UDP ports settings.

  - **VSAs:** Some switches require vendor-specific attributes (VSAs) to provide full RADIUS and 802.1X switch functionality. VSAs are added in the NPS network policy.