07-30-2010 11:31 AM - edited 03-10-2019 05:17 PM
Hello,
I'm working on a test rollout of 802.1x. I have a few (hopefully quick) questions that I can't seem to find in the docs...
1) Is there a way to configure a switch to use two separate RADIUS servers, one for auth/authen and one for accounting?
2) Is there any link to the different software versions and trains, both IOS and CatOS, showing the minimum versions that have guest VLAN and authFail VLAN?
Thanks,
Jason Antman
Rutgers University
07-30-2010 11:34 AM
As I'm sure someone is going to ask, I'm going to be running on a number of different switches, but the bulk will be either 3550 or better running IOS 12.1(13)EA1a or 2948G's running CatOS .
07-30-2010 03:27 PM
2948G:
Running most recent software would be limited to the features in this configuration guide:
dot1x -
http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/8021x.html
aaa -
http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/authent.html
Unfortunately, CatOS does not have a way to configure server groups, which is what would be necessary to customize separate destinations for authentication versus authorization.
Furthermore, in the dot1x guide there are no guest VLAN or auth fail features, only VLAN assignment via RADIUS. Could use this to assign particular users to a restricted VLAN. I would definitely read the section on 802.1x VLAN assignment Using a RADIUS server, if you are interested (in the dot1x link above).
3550 -
Looks like guest vlan was introduced around 12.1(14)EA1,
Looks like auth fail was introduced around 12.2(25)SED, see:
Looks like you will have to upgrade some of your older 3550s.