topic Re: RADIUS server and 802.1x on switch Cisco Packet Tracer in Network Access Control

RADIUS server and 802.1x on switch Cisco Packet Tracer

maksunity — Tue, 16 Apr 2024 06:20:50 GMT

Good afternoon, Cisco community. I faced a problem when configuring RADIUS server using switch as authenticator. When using router everything was not complicated and worked, example below.

But my supervisor said that it is wrong to do it this way and in modern networks it is necessary to do authentication on switch. And that's where the problems started.

Immediately a question on topology, is a router needed if a switch is used to connect to a RADIUS server? What will change from this?

About configuring the switch. I did the following commands:

Interface vlan 1

No shutdown

Ip address 192.168.1.253 255.255.255.255.0

Exit

(ip default-gateway 192.168.1.254) #if a router is still needed in the topology

Interface range Fastethernet 0/1 - 24

Switchport mode access

Switchport access vlan 1

With these settings everything still works (you can ping the router from PC2)

Now on to configuring the aaa itself on the switch.

Here are the commands I used:

Aaa new-model

Radius-server host 192.168.88.8 key cisco

aaa authentication dot1x default group radius

dot1x system-auth-control

exit

interface range fastethernet 0/23 – 24

authentication port-control auto

dot1x pae authenticator

exit

copy run startup-config

I then added user data (user: root, password: root) to computers 1 and 2, which are connected to ports 23 and 24 respectively. And after that they become unavailable at all, orange. Although it seems that if 802.1x is enabled on them and user data has been added, then the port should allow the computer in question into the network. You can see this in the picture below

Configuring 802.1x on a computer

RADIUS server settings (Services - Radius EAP - EAP-MD5 enable):

Which default gateway should I specify for the router or switch? (And if there is no router in the topology, what should I do?)

Also a question what default Gateway to specify in the computer settings if there should be no router in the topology?

Thank you very much in advance, I hope you can help me!

P.S. as I have already dug through a lot of cisco documentation and not only, but everything does not work. When configuring 802.1x on the router there were no such problems and everything worked almost immediately.

Re: RADIUS server and 802.1x on switch Cisco Packet Tracer

Mark Elsen — Tue, 16 Apr 2024 06:56:15 GMT

- FYI : Community group for Packet Tracer project questions

Re: RADIUS server and 802.1x on switch Cisco Packet Tracer

maksunity — Tue, 16 Apr 2024 07:54:13 GMT

I'm sorry. I wrote where you indicated, but I want to believe that someone here can help with this problem.

Re: RADIUS server and 802.1x on switch Cisco Packet Tracer

Aref Alsouqi — Tue, 16 Apr 2024 08:37:13 GMT

Couple of things here:

1) You would need the router if there is no direct comms between the switch and the RADIUS server. For instance, if the switch needs to route the RADIUS packets out of the interface 192.168.1.253, then yes the router is needed because the traffic flow would go this way Switch (192.168.1.253) > Router (192.168.1.254) > Router (192.168.88.2) > RADIUS Server (192.168.88.8), and it should return via the same path.

2) On the server configs it is showing the 192.168.1.254 as its default gateway? that should be adjusted to be the 192.168.88.2 which is the router interface in the same VLAN as the server interface.

3) The dot1x config on the PC it is showing MD5 as the authentication type? I think that should be changed to be EAP-PEAP which will rely on username and password for authentication.

4) The RADIUS port shown on the server configs is 1645, maybe the switch is using port 1812?, you can either set the port on the switch config to be port 1812 or change the port on the server configs to be 1812.

5) The dot1x config you shared seems to be minimum and I think you need to add more commands, please use the below template, maybe not all commands will be supported on PT.

aaa new-model
dot1x system-auth-control

aaa authentication dot1x default group < group name >
aaa authorization network default group < group name >
aaa accounting dot1x default start-stop group < group name >

radius server < server name >
address ipv4 x.x.x.x auth-port 1645 acct-port 1646 (you can use the 1812 and 1813 if you change them on the server config in PT)
key xxxxx

radius-server dead-criteria time 5 tries 3
radius-server deadtime 3

aaa group server radius < group name >
server name < server name >
ip radius source-interface Vlan1

radius-server vsa send authentication
radius-server vsa send accounting

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

interface < interface ID >
switchport mode access
authentication host-mode multi-auth
authentication order dot 1x mab
authentication priority dot1x mab
authentication event fail action next-method
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
authentication event server dead action authorize vlan xx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
spanning-tree portfast

Re: RADIUS server and 802.1x on switch Cisco Packet Tracer

maksunity — Tue, 16 Apr 2024 10:35:50 GMT

About the first point, there is a direct link between the server and the switch. That is, I should specify the ip address 192.168.1.253 through vlan 1 and specify it as a client to the RADIUS server, and then the router won't be needed, right?

3) in CPT you can't select any other authentication type than MD5, in the YouTube example of similar work it was also used https://www.youtube.com/watch?v=8SlbCPFgVhY.

4)I will check this solution, but in the video above nothing changed either.

5) I need to make the simplest authentication, could you give me an example of a simplified version of your configuration like mine, thanks in advance!

Re: RADIUS server and 802.1x on switch Cisco Packet Tracer

Aref Alsouqi — Tue, 16 Apr 2024 11:12:24 GMT

On the topology you shared, the RADIUS server seems to be on subnet 192.168.88.x and the switch Vlan1 interface is on 192.168.1.x, hence I'd thought the are not on the same subnet.

The configs I pasted was taken from a template I have, I would try to apply all the commands, I wouldn't worry much if any of the advance commands wouldn't be supported by PT, for instance the RADIUS VSA, attributes, dead server detection, those wouldn't be essentials in your case.