Best Practices

For AAA and dot1x to work reliably on the switch, implement the following best practices.

For Switch Management
Follow the suggestions in the list that follows to secure switch management with AAA:

Always configure a fallback method to avoid the lockout problem when AAA is configured for switch management.

Use SSH rather than Telnet whenever possible and configure AAA for SSH.

Use the ip permit command to control Telnet access (set ip permit enable telnet and set ip permit range mask | host).

Configure the switch to source TACACS+ or RADIUS packets from a single, consistent interface or IP address.

Do not enable console authentication to use an external AAA server unless otherwise required.

For Identity-Based Network Services (IBNS)
This section covers some of the unique design problems you may run into and how to resolve them by implementing IBNS.

If you have devices in the network that do not have 802.1x supplicants, either configure a guest VLAN or implement port security on the switch ports where these devices are connected. Multi-host mode is a third option, but it is strongly discouraged because it provides no port security.

If you have multiple devices connected to an 802.1x-enabled switch port via a hub or IP Phone, configure multiple-authentication mode instead of multiple-host mode. Multi-host mode does not secure the port on a per-device basis, whereas multiple-authentication mode provides security based on each device's MAC address.

For IP Phone deployments, configure switch access ports as Multi-VLAN Access Ports (MVAPs) and implement 802.1x port authentication. To configure an MVAP, you configure two VLANs on a single port: an access VLAN for regular data traffic and a Voice VLAN ID (VVID) for Voice over IP traffic. This is preferred over a guest VLAN or multi-host mode.
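The following configuration is an added example, not taken from the original document, that applies both the switch-management practices and the IBNS practices above in IOS-style syntax. Interface names, VLAN IDs, server addresses, the shared keys and the CONSOLE_LOCAL list name are placeholders; the CatOS set ip permit item has no counterpart here.

```cisco
! Added example (not from the original document). All addresses, VLAN IDs,
! keys and interface names are placeholders.
!
! --- Switch management: AAA with a local fallback, SSH only, one source address ---
aaa new-model
! "local" after "group tacacs+" is the fallback that prevents lockout when
! every TACACS+ server is unreachable
aaa authentication login default group tacacs+ local
! Console keeps local authentication unless an external server is explicitly required
aaa authentication login CONSOLE_LOCAL local
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
radius-server host 192.0.2.20 key PLACEHOLDER_KEY
! Source all AAA traffic from one address so the servers see a consistent client
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
line console 0
 login authentication CONSOLE_LOCAL
!
! --- IBNS: enable 802.1x globally against RADIUS ---
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- Access port with an IP Phone behind it: MVAP (data VLAN + voice VLAN) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-auth authenticates each MAC address individually; avoid
 ! "authentication host-mode multi-host", which opens the port for every
 ! device once a single device has authenticated
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 ! Devices without a supplicant land in the guest VLAN instead of multi-host mode
 authentication event no-response action authorize vlan 30
 spanning-tree portfast
```

Verify the fallback before relying on it: with the TACACS+ servers unreachable, a local account must still be able to log in over SSH.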