From Brandon's Tinkerings
Revision as of 02:59, 29 September 2012 by Bpenglase (talk | contribs) (Initial Submit)

Intro

There are many guides out there on how to set up Cisco switches to do 802.1x (EAPoL), and it is part of the Cisco CCNP SWITCH exam. Generally it's easy, especially after reading the SWITCH Certification Guide or Cisco's website. The thing I wanted to expand on while going through the SWITCH material was taking 802.1x authentication one step further: having the switch assign a port's VLAN based on what the RADIUS server returns for that specific user. Everything I read on this amounted to "It just works(c)(tm)(r)", but it didn't for me. So, here's my documentation of how I got it working. I'll dump the configuration in first, then explain the parts that need a bit more explanation below.

What does this page assume?

  • You have basic Cisco IOS knowledge
    • You have set up basic management connectivity (i.e. your switch can reach your RADIUS server)
    • You have configured VLANs and 802.1q trunking
  • You have a RADIUS server to point to (I do have a guide on how to set up FreeRADIUS+LDAP if you need to build one)
  • Your wired clients are set up and able to do EAPoL

My Testing Environment

  • Several catalyst switch models
    • 2950T-24
    • 2950G-48
    • 3550-24-PWR
    • 3750-48-PS
  • FreeRADIUS set up to use LDAP as its backend, so that's how I'll refer to accounts and what they contain.
  • Windows 7
  • Mac OS X Mountain Lion

The Code

aaa new-model
!
! Authenticate 802.1x supplicants against RADIUS, and let RADIUS return
! network authorization attributes (this second line is what allows the
! switch to apply a VLAN returned by the RADIUS server)
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Enable 802.1x globally; without this the per-port dot1x commands do nothing
dot1x system-auth-control
!
interface FastEthernet0/20
 ! Static access VLAN; a successful authentication with a VLAN in the
 ! RADIUS reply overrides it for the duration of the session
 switchport access vlan 999
 switchport mode access
 ! Fall back to MAC authentication bypass for clients that cannot do 802.1x
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 ! Silently drop frames from unexpected source MACs instead of err-disabling
 dot1x violation-mode protect
 dot1x control-direction in
 dot1x reauthentication
!
! The shared secret must match the client entry for this switch on the RADIUS server
radius-server host 10.0.3.2 auth-port 1812 acct-port 1813 key testing1234
!
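The `aaa authorization network default group radius` line above is what lets the switch act on VLAN attributes in the RADIUS Access-Accept. The VLAN itself travels in three standard attributes (RFC 3580, tagged encoding from RFC 2868): Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = the VLAN. In FreeRADIUS those appear in a user's reply items as `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802`, `Tunnel-Private-Group-Id = "10"`. The Python below is an added example, not code from this wiki page, Cisco or FreeRADIUS: it encodes those attributes the way they go on the wire, decodes them back, and checks a decoded reply for the combination a switch needs, which shows why a reply that omits or mis-sets Tunnel-Medium-Type gets no VLAN applied. The sample reply is constructed and VLAN 10 is a placeholder.

```python
"""Build and check the RADIUS tunnel attributes that carry a VLAN
assignment (RFC 3580, using the tagged encoding of RFC 2868).

Added example for this page; not code from the wiki, Cisco or FreeRADIUS.
"""
import struct

# Standard attribute numbers and enum values (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr_type, tag, value):
    """Type, Length, Tag, 3-byte value. Tag 0 means 'untagged' (RFC 2868 3.1)."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string: Type, Length, Tag, text. With tag 0 the tag byte is
    omitted, which receivers treat as the untagged form."""
    data = text.encode("ascii")
    head = bytes([tag]) if tag else b""
    return struct.pack(">BB", attr_type, 2 + len(head) + len(data)) + head + data


def vlan_assignment_avps(vlan, tag=1):
    """The three attributes a server returns to put a port in `vlan`."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_avps(raw):
    """Parse concatenated AVPs into (type, tag, value) triples, applying the
    RFC 2868 rule that a first byte outside 0x01..0x1F is not a tag."""
    out, i = [], 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        body = raw[i + 2:i + length]
        i += length
        tag = 0
        if attr_type in TUNNEL_ATTRS and body and 1 <= body[0] <= 0x1F:
            tag = body[0]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = int.from_bytes(body[1:] if tag else body, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            value = (body[1:] if tag else body).decode("ascii", "replace")
        else:
            value = bytes(body)  # other attributes are left raw
        out.append((attr_type, tag, value))
    return out


def check_vlan_assignment(avps):
    """Return (vlan, "ok") if the reply carries a usable VLAN assignment,
    otherwise (None, reason). Attributes are grouped by tag, so a reply that
    also carries a second tunnel set (e.g. tag 2) is handled per set."""
    by_tag = {}
    for attr_type, tag, value in avps:
        if attr_type in TUNNEL_ATTRS:
            by_tag.setdefault(tag, {})[attr_type] = value
    for tag in sorted(by_tag):
        attrs = by_tag[tag]
        if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue  # not a VLAN tunnel set; a switch ignores it for VLAN purposes
        if attrs.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
            return None, "Tunnel-Medium-Type must be IEEE-802 (6)"
        group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if not group:
            return None, "Tunnel-Private-Group-Id missing"
        return group, "ok"
    return None, "no Tunnel-Type=VLAN attribute in the reply"


if __name__ == "__main__":
    reply = vlan_assignment_avps(10)  # constructed sample Access-Accept attributes
    print(reply.hex())
    print(check_vlan_assignment(decode_avps(reply)))
```

If the switch authenticates the user but leaves the port in its static VLAN, `debug radius` on the switch shows exactly which attributes came back in the Access-Accept, and running them through `check_vlan_assignment` tells you which of the three is missing or wrong.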