Dot1x

Answered Question
Nov 28th, 2009

I want to configure our network for switch port authentication using 802.1x.

I want to configure dot1x with authentication to Windows 2003 RADIUS.

I have 1 core switch C3750G router and other secondary C2960 switches connected to the core switch.

I want to separate all authenticated users to be connected to VLAN 1 and our guests to guest VLAN 2 for internet.

Do I have to configure only the core switch with dot1x and aaa authentication, or all switches (core and secondary)?


Thank you and kind regards,

Jon Marshall Sat, 11/28/2009 - 11:21

access1097BA wrote:


I want to configure our network for switch port authentication using 802.1x.

I want to configure dot1x with authentication to Windows 2003 RADIUS.

I have 1 core switch C3750G router and other secondary C2960 switches connected to the core switch.

I want to separate all authenticated users to be connected to VLAN 1 and our guests to guest VLAN 2 for internet.

Do I have to configure only the core switch with dot1x and aaa authentication, or all switches (core and secondary)?


Thank you and kind regards,


You need to configure all switches that have devices connected to them that you want to have 802.1x authentication for. So if you have devices/users on the 2960 switches that you want to authenticate you will need dot1x configured on the 2960 switches.


Note that if you have no end users/devices on the core switch then you do not need dot1x config on the core switch.


Jon

access1097BA Sat, 11/28/2009 - 11:46

Thank you for the answer,


What about the RADIUS configuration on the switch, do I also have to enable it on all connected switches?

If I understand correctly, I don't need to do any configuration on the core switch.

Thanks a lot

Jon Marshall Sat, 11/28/2009 - 11:48

access1097BA wrote:


Thank you for the answer,


What about the RADIUS configuration on the switch, do I also have to enable it on all connected switches?

If I understand correctly, I don't need to do any configuration on the core switch.

Thanks a lot


On any switch that has a device/user you want to authenticate you will need to configure dot1x and also RADIUS configuration, i.e. any switch doing dot1x authentication will need to know which RADIUS server(s) to talk to.


Jon

access1097BA Sat, 11/28/2009 - 11:55

Thank you, very kind of you,


Do I also have to create the guest VLAN on all switches?

Where do I have to do the routing to the internet gateway for the guest VLAN?

If I enable VTP, then is it correct that I have to configure only ONE switch and the configuration will be propagated to the other switches?

Thank you very much,

Correct Answer
Jon Marshall Sat, 11/28/2009 - 11:57

access1097BA wrote:


Thank you, very kind of you,


Do I also have to create the guest VLAN on all switches?

Where do I have to do the routing to the internet gateway for the guest VLAN?

If I enable VTP, then is it correct that I have to configure only ONE switch and the configuration will be propagated to the other switches?

Thank you very much,

The Guest vlan will be needed on all switches that the guest traffic has to pass through to get to the Internet gateway.


Yes, if you make your core switch a VTP server and the 2960s VTP clients you can create the VLANs on the core switch and they will be propagated to the 2960s.


Jon
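
The layout Jon describes in his replies (dot1x and RADIUS settings on every switch that has users attached, the guest VLAN present on every switch in the path, VTP server on the core and clients on the 2960s), written out as an added example that is not part of the original thread. It uses the legacy `dot1x` interface commands of the 12.2-era Catalyst software; the VTP domain name, RADIUS server address 192.0.2.10, shared-secret placeholder and interface numbers are assumptions.

```ios
! --- Core 3750G: VTP server, VLANs are created once here ---
vtp domain EXAMPLE-LAB
vtp mode server
vlan 2
 name GUEST
!
! --- Each 2960 that has end users: VTP client ---
vtp domain EXAMPLE-LAB
vtp mode client
!
! --- Each 2960 that has end users: RADIUS and 802.1X globally ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! Address and key are placeholders; the key must match the RADIUS
! client entry created for this switch on the Windows 2003 server.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! User-facing access ports (the FastEthernet0/3 seen in online
! examples is just one such port; apply this to every user port).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 dot1x port-control auto
 ! Clients that never answer the switch's EAP requests land in VLAN 2
 dot1x guest-vlan 2
 spanning-tree portfast
!
! Uplink to the core: trunk carrying VLAN 1 and 2, no dot1x here
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2
```

`show vtp status` confirms the 2960s have learned the VLANs from the core, and `show dot1x all` shows the per-port authentication state.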

access1097BA Mon, 11/30/2009 - 14:17

Hi Jon,


Please can you help me further,


Can you please tell me step by step how I have to do this configuration?


Core switch 3750G, router and all my secondary 2960 switches are connected to the core switch.

I want all my local users to authenticate to RADIUS for authentication.

I want to create a VLAN for local users and a VLAN for guest internet.

Where and how do I have to configure dot1x (on all examples that I found on Google, FastEthernet0/3)?

What do they mean with FastEthernet0/3, do I have to set dot1x on all switches' port FastEthernet0/3?

Please can you guide me.

Thanks

access1097BA Sat, 11/28/2009 - 12:29

Thank you very much, I will try the configuration on Monday and will let you know.


Kind regards,
