How to Configure Switch to locally authenticate using dot1X

nefkensp Tue, 12/16/2008 - 11:26

Ashish,

You could use the mac authentication bypass and create local users with the mac-address as username and password.

Then you can use the command

aaa authentication dot1x default local

to use local authentication for dot1x.

However, I don't know if you can have complete radius authentication and that the switch can act as PKI CA server as well.

So it might be possible with MAC addresses, but I doubt it would really work well, as 802.1x really uses a RADIUS server and the switch does not provide that function.

So I doubt that it could be done, but try using the above command.

Hope this helps,

P-J Nefkens

Nefkens,

Look at the following set of commands and let me know if you think they will work.

aaa new-model
aaa authentication dot1x default local
!
vlan database
vlan 10 name HR
vlan 20 name Sales
vlan 30 name Admin
vlan 40 name Guest_VLAN
!
dot1x system-auth-control
!
interface fa0/0
 switchport mode access
 switchport access vlan 10
 dot1x guest-vlan 40
 dot1x port-control auto
!
username admin password cisco
username user password bel
!
end

nefkensp Wed, 12/17/2008 - 01:00

Hi,

It might work, but only if you configure your client devices to only send PAP 802.1x authentication. Most other authentication protocols (the default, such as EAP) use certificates for authentication and that means a radius server that validates the certificates.

Which switch are you using and what kind of network device are you testing with? I know that MacOSX can use PAP authentication for 802.1x, but I don't know about Windows...

HTH

P-J Nefkens

Hi,

I have a Cisco 2811 router with the switch module NME-16ES-1G-P.

Kindly let me know if I can configure 802.1X authentication using PAP in this.

If yes, may I have the configuration to do so.

PFA diagram showing the connectivity. I would like to mention that IP phones will be connected directly to the switch ports, followed by desktops.

Rgds,

Ashish

jafrazie Wed, 12/17/2008 - 07:24

Typically, local 802.1X authentication cannot be done. It's more correct to say that local EAP authentication could be done. This type of functionality is available in some WLAN access-points with some EAP methods (like LEAP) for example. In such scenarios the credential (username/password) is configured on the AP itself.

Can I ask what you're trying to accomplish?

Hi Experts,

I found that for the purpose of local authentication I need to configure MAC Auth with the help of the following commands:

interface FastEthernet1/0/13
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
 dot1x guest-vlan 261
 spanning-tree portfast

But at the same time I need to add the MAC Addresses also.

Could you guys let me know what commands are used for adding the MAC addresses of the end stations to be authenticated?

Regards,

Ashish
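As an added example (not code from the thread or from Cisco), here is a small Python helper that answers the question above by generating the local-user lines: it normalizes MAC addresses from the usual notations into the format MAB is assumed to present as username and password by default (12 lowercase hex digits, no separators) and emits `username <mac> password 0 <mac>` lines behind `aaa authentication dot1x default local`. The inventory input and its labels are constructed; the username/password convention is the one suggested in the first reply of the thread.

```python
import re

# Constructed sample inventory: endpoint MACs in the three usual notations
# (colon, dash, Cisco dotted), a duplicate, and one malformed line.
SAMPLE_INVENTORY = """
00:11:22:AA:BB:CC   HR-printer
00-11-22-aa-bb-dd   sales-phone-1
0011.22aa.bbee      admin-desktop
00:11:22:AA:BB:CC   HR-printer-duplicate
not-a-mac           bogus-entry
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_mab_username(mac: str) -> str:
    """Normalize a MAC into the form MAB sends as username and password by
    default (assumed here): 12 lowercase hex digits, no separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def local_mab_config(inventory: str) -> list:
    """Emit IOS lines for local MAB: the aaa method list plus one local user
    per endpoint, username and password both the normalized MAC.
    Malformed entries become '!' comments; duplicate MACs are emitted once."""
    lines = ["aaa new-model", "aaa authentication dot1x default local", "!"]
    seen = set()
    for raw in inventory.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(maxsplit=1)
        mac, label = parts[0], (parts[1] if len(parts) > 1 else "")
        try:
            user = to_mab_username(mac)
        except ValueError:
            lines.append(f"! skipped, not a valid MAC: {raw.strip()}")
            continue
        if user in seen:
            continue
        seen.add(user)
        # Label on its own '!' line: IOS takes the rest of a 'password 0'
        # line literally, so a trailing comment would become the password.
        lines.append(f"! {label}".rstrip())
        lines.append(f"username {user} password 0 {user}")
    return lines
```

Because the credential is just the MAC address, MAB against a local user database only identifies a device rather than authenticating it, so the list needs the same review discipline as any other static allow-list.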
