dot1x and ACS 5.2

Hello everyone. I was wondering how to configure dot1x on a Cisco Catalyst switch and Cisco ACS 5.2, so that Windows 7 users can get access to the network. What is the minimal configuration on both the Cisco switch and ACS?

Thanks

Accepted Solution

Hi karen,

Here is the basic configuration for dot1x auth.

Configuring IEEE 802.1x Authentication

To configure IEEE 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.

The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.

To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

This is the IEEE 802.1x AAA process:

Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based authentication. This procedure is required.

Command / Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   aaa new-model
         Enable AAA.

Step 3   aaa authentication dot1x {default} method1
         Create an IEEE 802.1x authentication method list.
         To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports.
         For method1, enter the group radius keyword to use the list of all RADIUS servers for authentication.
         Note: Though other keywords are visible in the command-line help string, only the default and group radius keywords are supported.

Step 4   dot1x system-auth-control
         Enable IEEE 802.1x authentication globally on the switch.

Step 5   aaa authorization network {default} group radius
         (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.

Step 6   radius-server host ip-address
         (Optional) Specify the IP address of the RADIUS server.

Step 7   radius-server key string
         (Optional) Specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.

Step 8   interface interface-id
         Specify the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode.

Step 9   switchport mode access
         (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.

Step 10  dot1x port-control auto
         Enable IEEE 802.1x authentication on the interface.
         For feature interaction information, see the "IEEE 802.1x Authentication Configuration Guidelines" section.

Step 11  end
         Return to privileged EXEC mode.

Step 12  show dot1x
         Verify your entries.
         Check the Status column in the IEEE 802.1x Port Summary section of the display. An enabled status means the port-control value is set to either auto or to force-unauthorized.

Step 13  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable IEEE 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} global configuration command. To disable IEEE 802.1x AAA authorization, use the no aaa authorization global configuration command. To disable IEEE 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command.

This example shows how to enable AAA and IEEE 802.1x authentication on a port:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Configuring the Switch-to-RADIUS-Server Communication

RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.

Command / Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   radius-server host {hostname | ip-address} auth-port port-number key string
         Configure the RADIUS server parameters on the switch.
         For hostname | ip-address, specify the host name or IP address of the remote RADIUS server.
         For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812.
         For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
         Note: Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
         If you want to use multiple RADIUS servers, re-enter this command.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:

Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the "Configuring Settings for All RADIUS Servers" section on page 8-28.

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.

 

Regards

Karthik

4 REPLIES

Dear Karthik,

Thank you for the detailed response.

I did this configuration, but it seems to me the problem is on the ACS side.

I get a prompt to enter a username and password on my Windows PC. I entered them, but the credentials are not approved and the switch port remains in the blocking state. In the ACS logs I see the following error: "11509 Access Service does not allow any EAP protocols : Authentication failed". I also get these syslog messages:

10142: Authorization failed for client (001e.ece7.2216) on Interface Fa2/0/33
10141: Authentication failed for client (001e.ece7.2216) on Interface Fa2/0/33
10140: Starting 'dot1x' for client (001e.ece7.2216) on Interface Fa2/0/33
Hi Karthik,

 

Select the access service, which is usually Default Network Access. If you are using a customised network service, select it instead, and allow the EAP protocol (PEAP or EAP-TLS), whichever one you are using.

Default Network Access > Protocols > EAP/PEAP (select the check box)

This should solve the issue.

Cheers!!!

Minakshi.
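The two log sources in this thread tell the story only when read together: the Catalyst authentication-manager messages say that dot1x failed for a client on a port, and the ACS 5.2 failure reason says why. The Python helper below is an added example (not from this thread, Cisco or ACS) that groups the switch messages 10140/10141/10142 per client MAC and interface and maps the ACS code 11509 to the remedy given in the reply above; the embedded log lines are constructed samples modelled on the ones posted, and the hint text paraphrases that fix rather than quoting ACS.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones posted in this thread: Catalyst
# authentication-manager syslog (10140-10142) and an ACS 5.2 failure reason (11509).
SWITCH_LOG = """\
10140: Starting 'dot1x' for client (001e.ece7.2216) on Interface Fa2/0/33
10141: Authentication failed for client (001e.ece7.2216) on Interface Fa2/0/33
10142: Authorization failed for client (001e.ece7.2216) on Interface Fa2/0/33
10140: Starting 'dot1x' for client (0011.2233.4455) on Interface Fa2/0/34
"""
ACS_LOG = "11509 Access Service does not allow any EAP protocols : Authentication failed\n"

SWITCH_RE = re.compile(r"^(?P<code>\d{5}): .*client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\)"
                       r" on Interface (?P<intf>\S+)$")
ACS_RE = re.compile(r"^(?P<code>\d{5}) (?P<text>.+)$")
# Remediation hints keyed by ACS failure code. The 11509 entry paraphrases the fix given
# in this thread (no EAP protocol enabled on the access service); add codes as you meet them.
ACS_HINTS = {"11509": "ACS access service allows no EAP protocols; enable PEAP or EAP-TLS "
                      "under Default Network Access > Protocols and retry"}

def parse_switch(text):
    """Group switch events per (mac, interface) -> list of message codes in order seen."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = SWITCH_RE.match(line.strip())
        if m:
            sessions[(m["mac"], m["intf"])].append(m["code"])
    return dict(sessions)

def parse_acs(text):
    """Map ACS failure code -> message text."""
    matches = (ACS_RE.match(line.strip()) for line in text.splitlines())
    return {m["code"]: m["text"] for m in matches if m}

def triage(switch_text, acs_text):
    """Return [(mac, intf, verdict)] per dot1x session. 10141 only says that the switch
    saw authentication fail; the reason has to be read from the ACS side."""
    acs = parse_acs(acs_text)
    results = []
    for (mac, intf), codes in parse_switch(switch_text).items():
        if "10141" in codes:
            cause = next((ACS_HINTS[c] for c in acs if c in ACS_HINTS), None)
            verdict = cause or "authentication failed; check the ACS failure reason"
        elif "10140" in codes:
            verdict = "dot1x started, no failure logged yet"
        else:
            verdict = "no authentication events"
        results.append((mac, intf, verdict))
    return results

if __name__ == "__main__":
    for mac, intf, verdict in triage(SWITCH_LOG, ACS_LOG):
        print(f"{intf} {mac}: {verdict}")
```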

 

This discussion has been reposted from Additional Communities to the LAN, Switching and Routing community.
