topic Re: dot1X authentication switch c2960s with aruba clearpass as a radiu in Network Access Control

dot1X authentication switch c2960s with aruba clearpass as a radius

hoaithanhdo — Fri, 01 Oct 2021 09:55:23 GMT

Hello bros,

My manager planed to use dot1x port-based for sw c2960s with aruba clearpass as a radius server. While We wait setup Aruba ClearPass Server. I have configured as below . could you take a look a give me your opinion.

aaa new-model
session-id common
aaa group server radius ClearPass-RADIUS
server-private 10.92.a.b auth-port 1812 acct-port 1813 key abc@123

aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS

dot1x system-auth-control

aaa server radius dynamic-author
port 3799
auth-type all
client 10.92.a.b server-key abc@123

radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 11 default direction in

interface range GigabitEthernet 1/0/1
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x supplicant tx-period 15
dot1x max-reauth-req 1

Re: dot1X authentication switch c2960s with aruba clearpass as a radiu

Rob Ingram — Fri, 01 Oct 2021 10:04:48 GMT

@hoaithanhdo

You probably want to enable periodic updates globally.

aaa accounting update newinfo periodic 2880

The timers configured under the interface a bit long, Cisco recommends the following:-

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

Enable the following timer settings under the interfaces

c9300-Sw(config-if)# authentication periodic
c9300-Sw(config-if)# authentication timer inactivity server dynamic

You can find more Cisco best practice information at the link below (obviously ignore the ISE configuration, but in the main the switch configuration should apply).

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: dot1X authentication switch c2960s with aruba clearpass as a radiu

balaji.bandi — Fri, 01 Oct 2021 10:07:57 GMT

high level seems to be good, but to use priority :

authentication priority dot1x mab

But again, the config need to test again server, when it live and may work as expected, but any issue need to capture debug logs.

Re: dot1X authentication switch c2960s with aruba clearpass as a radiu

hoaithanhdo — Fri, 01 Oct 2021 14:13:15 GMT

Hello ,

I am using switch c2960s . your command is still ok ?

Sincerely !

Thanks !

Re: dot1X authentication switch c2960s with aruba clearpass as a radiu

hoaithanhdo — Fri, 01 Oct 2021 14:15:19 GMT

Thanks bros.

Re: dot1X authentication switch c2960s with aruba clearpass as a radiu

Rob Ingram — Fri, 01 Oct 2021 14:50:35 GMT

@hoaithanhdo I don't have a 2960s to test, but I don't see why not. Those commands aren't new.