From Brandon's Tinkerings
Jump to: navigation, search
(Initial Submit)
 
(→‎The Code: More Changes)
Line 30: Line 30:
!
!
!
!
interface FastEthernet0/20
interface FastEthernet0/1
  switchport access vlan 999
  switchport access vlan 999
  switchport mode access
  switchport mode access
Line 36: Line 36:
  dot1x pae authenticator
  dot1x pae authenticator
  dot1x port-control auto
  dot1x port-control auto
dot1x violation-mode protect
dot1x control-direction in
dot1x reauthentication
!
!
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234
!
</syntaxhighlight>
</syntaxhighlight>
Thats pretty much about it.
=== Things to note about the code ===
* Line 5: This is what enables the switch to change the VLAN to what is given by the RADIUS server. Without this, it just won't change the VLAN, and will put it in the access VLAN configured on the port, once authentication is successful.
* Line 7: This actually enables 802.1x on the switch. One thing to note here is that 'port-control force-authorized' is the default on all ports. This way when you enable it, none of the ports go offline.

Revision as of 03:22, 29 September 2012

Intro

There are many different guides out there on how to setup Cisco Switches to do 802.1x, or EAPoL. This is actually a part of the Cisco CCNP SWITCH exam. Generally, it's easy. Especially either reading the SWITCH Certification Guide, or reading over Cisco's website. The main thing I wanted to expand on while going through the SWITCH exam, was to expand 802.1x authentication into also assigning VLANs depending on what the RADIUS server returned for a specific user. When I read up on this, it was mostly "It just works(c)(tm)(r)", but it didn't for me. So, here's my documentation of how I got it to work. I'll dump the code in, then the things that need a bit more explaining, I'll explain below.

What does this page assume?

  • You have basic Cisco IOS knowledge
    • Have setup basic management connectivity (i.e. your switch can reach your RADIUS server)
    • Have configured VLANs and 802.1q trunking
  • Have a RADIUS server to point to (I do have a guide on how to setup FreeRADIUS+LDAP if you need to set one up)
  • Have your wired clients setup and able to do EAPoL

My Testing Environment

  • Several catalyst switch models
    • 2950T-24
    • 2950G-48
    • 3550-24-PWR
    • 3750-48-PS
  • FreeRADIUS setup to refer to LDAP, so thats how I'll be referring to accounts and what they contain.
  • Windows 7
  • Mac OS X Mountain Lion

The Code

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius 
!
dot1x system-auth-control
!
!
interface FastEthernet0/1
 switchport access vlan 999
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
!
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234

Thats pretty much about it.

Things to note about the code

  • Line 5: This is what enables the switch to change the VLAN to what is given by the RADIUS server. Without this, it just won't change the VLAN, and will put it in the access VLAN configured on the port, once authentication is successful.
  • Line 7: This actually enables 802.1x on the switch. One thing to note here is that 'port-control force-authorized' is the default on all ports. This way when you enable it, none of the ports go offline.