From Brandon's Tinkerings
Revision as of 03:22, 29 September 2012
Intro
There are many different guides out there on how to set up Cisco switches to do 802.1x, or EAPoL. This is actually part of the Cisco CCNP SWITCH exam. Generally it's easy, especially after reading the SWITCH Certification Guide or Cisco's website. The main thing I wanted to expand on while going through the SWITCH exam was extending 802.1x authentication to also assign VLANs depending on what the RADIUS server returned for a specific user. When I read up on this, it was mostly "It just works(c)(tm)(r)", but it didn't for me. So, here's my documentation of how I got it to work. I'll dump the code in, then explain below the things that need a bit more explaining.
What does this page assume?
- You have basic Cisco IOS knowledge
- Have set up basic management connectivity (i.e. your switch can reach your RADIUS server)
- Have configured VLANs and 802.1q trunking
- Have a RADIUS server to point to (I do have a guide on how to set up FreeRADIUS+LDAP if you need to set one up)
- Have your wired clients set up and able to do EAPoL
My Testing Environment
- Several Catalyst switch models
  - 2950T-24
  - 2950G-48
  - 3550-24-PWR
  - 3750-48-PS
- FreeRADIUS set up to refer to LDAP, so that's how I'll be referring to accounts and what they contain.
- Windows 7
- Mac OS X Mountain Lion
The Code
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
!
interface FastEthernet0/1
 switchport access vlan 999
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
!
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234
That's pretty much it.
Things to note about the code
- Line 5: `aaa authorization network default group radius` is what allows the switch to move the port into the VLAN returned by the RADIUS server. Without it the switch never changes the VLAN: once authentication succeeds, the port simply stays in the access VLAN configured on it.
- Line 7: `dot1x system-auth-control` actually enables 802.1x on the switch. One thing to note here is that `port-control force-authorized` is the default on every port, so turning 802.1x on globally takes none of the ports offline; only ports explicitly set to `port-control auto` (line 15) start requiring authentication.
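As an added example that is not part of the original page, the Python script below parses a config in the form shown above and checks for the global commands and per-port commands the notes describe, flagging access ports that were left at the force-authorized default. The sample config is constructed from the page's own lines plus a second port that was never given `port-control auto`.

```python
# Constructed sample: the page's config plus a second access port left at the
# force-authorized default, so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface FastEthernet0/1
 switchport access vlan 999
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234
"""

GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius",  # RADIUS-assigned VLAN
                   "dot1x system-auth-control")  # turns 802.1x on globally

def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other global line ends the interface block
    return interfaces

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(f"global: missing '{cmd}'")
    if not any(l.startswith("radius-server host ") for l in global_lines):
        findings.append("global: no radius-server host configured")
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are not 802.1x authenticators here
        if "dot1x pae authenticator" not in cmds:
            findings.append(f"{name}: missing 'dot1x pae authenticator'")
        if "dot1x port-control auto" not in cmds:
            # force-authorized is the default: the port forwards without any EAP exchange
            findings.append(f"{name}: port-control left at force-authorized")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only FastEthernet0/2; deleting line 5 from the sample adds a global finding for the missing authorization command.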