12-16-2008 04:42 AM - edited 03-10-2019 04:14 PM
Dear All,
Kindly let me know:
How to configure a switch to locally authenticate endpoints (PCs) using dot1X.
Just like AAA local authentication, I want the switch to locally authenticate end stations using IEEE 802.1X.
Thanks,
Ashish
12-16-2008 11:26 AM
Ashish,
You could use the mac authentication bypass and create local users with the mac-address as username and password.
Then you can use the command
aaa authentication dot1x default local
to use local authentication for dot1x.
However, I don't know if you can have complete RADIUS authentication and whether the switch can act as a PKI CA server as well.
So it might be possible with MAC addresses, but I doubt it would really work well, as 802.1x really uses a RADIUS server and the switch does not provide that function.
So I doubt that it could be done, but try using the above command.
Hope this helps.
P-J Nefkens
12-16-2008 07:16 PM
Nefkens,
Look at the following set of commands and let me know if you think they will work.
aaa new-model
aaa authentication dot1x default local
!
!
vlan database
vlan 10 name HR
vlan 20 name Sales
vlan 30 name Admin
vlan 40 name Guest_VLAN
!
!
dot1X system-auth-control
!
!
Interface fa0/0
switchport mode access
switchport access vlan 10
dot1x guest-vlan 40
dot1x port-control auto
end
!
!
username admin password cisco
username user password bel
!
!
12-17-2008 01:00 AM
Hi,
It might work, but only if you configure your client devices to only send PAP 802.1x authentication. Most other authentication protocols (the default, such as EAP) use certificates for authentication, and that means a RADIUS server that validates the certificates.
Which switch are you using and what kind of network device are you testing with? I know that Mac OS X can use PAP authentication for 802.1x, but I don't know about Windows...
HTH
P-J Nefkens
12-17-2008 02:35 AM
Hi,
I have a Cisco 2811 router with switch module NME-16ES-1G-P.
Kindly let me know if I can configure 802.1X authentication using PAP on this.
If yes, may I have the configuration for it?
Please find attached a diagram showing the connectivity. I would like to add that IP phones will be connected directly to the switch ports, followed by desktops.
Rgds,
Ashish
12-17-2008 07:24 AM
Typically, local 802.1X authentication cannot be done. It's more correct to say that local EAP authentication could be done. This type of functionality is available in some WLAN access-points with some EAP methods (like LEAP) for example. In such scenarios the credential (username/password) is configured on the AP itself.
Can I ask what you're trying to accomplish?
12-17-2008 07:36 AM
Hi Jaf
As mentioned above, I am looking for an IEEE 802.1X configuration for the switch module in a Cisco 2811 router, such that my IP phones and desktops connected to the switch ports can be authenticated.
Thanks and Regards,
Ashish
12-18-2008 12:39 AM
Hi Experts,
I found that for the purpose of local authentication I need to configure MAC Auth with the help of the following commands:
interface FastEthernet1/0/13
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication
dot1x guest-vlan 261
spanning-tree portfast
But at the same time I need to add the MAC addresses also.
Could you guys let me know what commands are used for adding the MAC addresses of the end stations to be authenticated?
Regards,
Ashish
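As an added example (not part of the thread and not a Cisco tool), this Python audit reads IOS-style configuration like the snippets posted above and reports which ports enforce 802.1X, which fall back to MAC authentication bypass or a guest VLAN, and which local users are stored in cleartext or use a MAC address as both username and password. The sample config and its MAC value are constructed, and the parser recognises only the commands quoted in this thread.

```python
import re

# Constructed sample assembled from commands posted in this thread; the
# MAC-style user (MAC address as both username and password) is made up.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default local
dot1x system-auth-control
username admin password cisco
username 001122334455 password 001122334455
interface FastEthernet1/0/13
 switchport mode access
 dot1x mac-auth-bypass
 dot1x port-control auto
 dot1x guest-vlan 261
interface FastEthernet1/0/14
 switchport mode access
"""

def audit(config):
    """Return a list of (scope, finding) pairs for IOS-style config text."""
    findings, ports, port, enabled = [], {}, None, False
    for line in (l.strip() for l in config.splitlines()):
        low = line.lower()
        if low.startswith("interface "):
            port = ports.setdefault(line.split(None, 1)[1], set())
        elif low == "dot1x system-auth-control":
            enabled = True
        elif low == "aaa authentication dot1x default local":
            findings.append(("global", "802.1X checked against local user database"))
        elif low.startswith("dot1x ") and port is not None:
            port.add(" ".join(low.split()[1:3]))  # e.g. "port-control auto"
        # "password <text>" or "password 0 <text>" is cleartext; type 7 is skipped
        m = re.match(r"username (\S+) password (?:0 )?(\S+)$", line, re.I)
        if m:
            user, pw = m.groups()
            findings.append((user, "cleartext password in config"))
            if user == pw and re.fullmatch(r"[0-9a-f]{12}", re.sub(r"[.:-]", "", user.lower())):
                findings.append((user, "MAC address used as username and password"))
    if not enabled:
        findings.append(("global", "dot1x system-auth-control missing"))
    for name, cmds in ports.items():
        if "port-control auto" not in cmds:
            findings.append((name, "port not enforcing 802.1X"))
        if "mac-auth-bypass" in cmds:
            findings.append((name, "MAB fallback: access decided by MAC address"))
        if any(c.startswith("guest-vlan") for c in cmds):
            findings.append((name, "guest VLAN for clients without a supplicant"))
    return findings
```

Calling `audit(SAMPLE)` returns the findings as `(scope, finding)` tuples, so they can be printed or fed into a config review checklist.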