Showing results for 
Search instead for 
Did you mean: 

[4Juniors] Implementation of authentication RADIUS and DOT1X.

João Romão
After a few years I've made the first post. 
I made a project in GNS3 where I've implemented authentication login RADIUS and DOT1X for hosts.
The motive of this post is always improve everyone knowledge but also present, my simple point of view, a good solution with very few resources (literally). For the objective I made this simple footsteps.
- RADIUS allow a centralized controller for authentication and autorization.
- Login to nodes (intermediate devices) & end-users must use credentials to gain network access.
- DOT1X: supplicant uses an EAPOL START to authenticator for beging authentication process. It exchange EAP messages with authentication server, and when credentials validated, EAPOL SUCCESS to the supplicant.
- ISO: c3745-adventerprisek9-mz.124-25d.image, c3745-adventerprisek9_ivs-mz.124-15.T8.image, linux-microcore-6.4.img
"Weak Laptop, can't stand two VMs (i.e. MS XP or Server)"
- So I used an Linux appliance 'MicroCore Linux' (CLI), because the only use of it is: Authenticate with 802.1X
This 'littleguy' have some configs to do it:
a: (assuming connectivity its onfire) Install < $ tce-load -iw wpa_supplicant.tcz >;
b: create vi .conf file (example: # vi /etc/authdot1x.conf);
c: issue:
ctrl_interface=/var/run/wpa_supplicant    %execute program
ap_scan=0                                 %no AP lookup. 
network={                                 %Config specific network
key_mgmt=IEEE8021X                        %port-based 802.1X
eap=MD5                                   %authentication method
identity="bob"                            %default credentials available in docker AAA
eapol_flags=0                             %no specific flags  
}                                         I've limited knowledge about all this commands. Thx for any help.
d: execute prg:  # wpa_supplicant -B -Dwired -ieth0 -c/etc/authdot1x.conf.
- EAP Process:


- Configurations:


a: basic config -> Router

interface FastEthernet INT/ID
 ip address IP-ADDR MASK-ID 
 no shutdown
                   % R _CB : 0/0192.168.10.1 ;   1/0dhcp %Public IP ;   4/0 -
ip nat inside source list 10 interface FastEthernet1/0 overload
 access-list 10 permit     %All private addr are translated for fa1/0
interface range FastEthernet0/0, f4/0 %private interfaces
 ip nat inside
interface FastEthernet 1/0 %external interface

 ip nat outside

b: RADIUS login -> Routers & Switches

username backup password backup %local credentials if AAA offline
aaa new-model

aaa authentication login default group radius local %%RADIUS server authenticates login
radius-server host auth-port 1812 acct-port 1813 key gns3 %RADIUS addr & ports + validation key

c: DOT1X -> Switch

aaa authentication dot1x default group radius %%%
aaa authorization network default group radius
dot1x system-auth-control
int range FastEthernet1/1 – 9
 dot1x port-control auto
 dot1x pae-authenticator %ports are authenticated by this device (the authenticator)

help as much as I can, because this simple application help prove this concept
But for more expert colleagues, I want to receive opinions and improve this post (for future ones).
And, with this topology it's possible to un-configure VLAN and give the RADIUS server the ability to atribute a respective VLAN (after given VLAN, DHCP will give IP accordingly)? NOTE: assuming the GNS3 AAA docker. 


Thanks you all.
(If similar post already exists, please tag me!)

Portuguese tags: Segurança em Redes, Autenticação RADIUS (AAA), Exemplo simples.


3 Replies 3

Arne Bier

Hi. Nice one!  That's a great initiative for someone wanting to play with 802.1X using GNS3.

I would only add one thing - the IOS images are very old and things have changed quite a lot in IOS-XE (IBNS 2.0 etc.) - while the MAB/802.1X concepts are mostly unchanged since those old IOS images, the commands for newer IOS and IOS-XE are quite drastic. And this GNS lab setup does assume that the user has a (legit) image of IOS (or IOSvl2 etc.) - there is an IOS-XE image available as part of Cisco CML - but it's very resource hungry and it's quite new. 

@Arne Bier big thanks for your appreciation and recommendations the goal is to keep simple and focus on learning protocols. In my college it is a harsh reality, everything must be virtualize. The given 'official images' are indeed old (c3745), but for a free and educational purpose we use what is available (tried to ask Cisco Portugal for some images, but no luck hahah).
Discussing this with a colleague, who sent me this: Introduction to Cisco IOS XE ( and suggested the Cisco CSR1000v (available for free to GNS3), but it cost at a bit RAM on LAB PCs of 4GB (maybe next year the school will have a workstation or, maybe, CML). Once again thanks for the heads up!

Arne Bier

I've had CML subscription for a number of years and the images that come with the CML work quite well - each update to CML contains newer images. So, I would recommend scraping together a few Pennies and buying a CML subscription.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: