06-22-2016 05:43 PM - edited 03-10-2019 11:53 PM
Dear All,
I need help on how to set up 802.1x authentication using a RADIUS server, a switch and a laptop.
Can anyone guide me on how to do the setup, as I have zero knowledge about this?
06-22-2016 06:38 PM
Hi
I've already answered this kind of question.
I will drop the links here. Have a read and let me know if you need more information.
https://supportforums.cisco.com/discussion/13042996/cisco-ise-small-network-deployment
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf
The 1st link is for switch configuration and the 2nd is from Cisco for ISE configuration.
Which server are you planning to use as RADIUS?
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-23-2016 02:35 AM
Hi!
I do not have a RADIUS server, but I am supposed to configure the 802.1x authentication to confirm that the configuration is correct.
Is there any RADIUS server software which you have used before? I may be posting more questions as I really have no idea about this authentication system.
06-23-2016 04:32 AM
Hi, I'm always using Cisco ACS or Cisco ISE today. There is also the one integrated with Microsoft Windows Server called NCS.
These are the 3 most common solutions in enterprise architecture.
You can't test 802.1x without a RADIUS server.
There is FreeRADIUS; I used it a few times but it looks more complex if you don't have any Linux skills.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-23-2016 06:20 PM
Hi supportlan,
Thanks for your links, but I think I have difficulty understanding them and I also do not know how or where to start.
06-23-2016 07:05 PM
Hi
If you need to start, follow these steps:
- install a RADIUS server
- configure it with your AD (for authentication)
- create your authentication profiles
- create your authorization profiles
- create your rules
- send root certificates to your PCs through your AD or another certificate server (lab PC first, for testing)
- rules on RADIUS are like firewalls: first match
- ensure you have a last rule which is in permit mode
- install a switch in the lab
- connect it to your RADIUS
- do some tests (you can have 2 modes: monitoring only, and then rules apply)
- when you are sure of your rules, go to prod step by step (switch per switch)
- when you have finished and everyone is in production, and you don't see any machines taking the default permit rule, change this default rule to deny mode.
You're done.
If you have never done it, do some labs for testing; otherwise it will be a nightmare to troubleshoot something you don't know.
thanks
PS: please don't forget to rate and mark as correct answer if this solved your issue
07-14-2016 06:13 PM
Ok, to tell you the truth, is there any way I can chat with you about setting up this 802.1x authentication?
I have some old Cisco equipment.
Can you guide me on this setup, as I really have no idea at all?
07-14-2016 07:36 PM
You can send me a PM if you want. Starting a dot1x project from scratch is more than just configuring a switch port.
What type of authentication do you want for dot1x:
- user/password = called MSCHAPv2
- certificate = called EAP-TLS
With certificates you can use machine and/or user certificates.
Do you have an Active Directory server? Does it have certificate services installed?
There is 1 more authentication to consider, that's MAB (Mac Address Bypass), which means you need to get all printers' MAC addresses.
You really need to think first about the authentication method. Then you need to do an inventory of all devices that will be authenticated by MAC address (all devices connected to the network that do not support dot1x authentication).
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
07-14-2016 07:52 PM
Hi!
In the current client setup, there is a login to AD to authenticate usernames and passwords.
There is also a GPO, where laptops are connected to the wifi using a certificate.
My boss wants to set up a system where, when the laptop is connected, it will auto-authenticate it. Let's say this is a company laptop and connected to the AD; then it will have access to network resources using one VLAN.
If a laptop is used by a non-client, then it will have access using another VLAN.
Are these details sufficient? Is there anything else you would like to know?
07-14-2016 08:33 PM
If you already have an AD I would recommend the use of NPS.
You will need to configure a VLAN "push" for authenticated devices (dot1x and MAB) and define a VLAN as default that will be your "guest" VLAN. By default, if not authenticated, the RADIUS is pushing a deny.
You have a Microsoft link that can help you:
https://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
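The lab steps above (install a switch in the lab, connect it to your RADIUS, test in monitoring mode, then enforce) and the VLAN "push" plus guest VLAN described in this post, as one Cisco IOS switch configuration. This is an added example and not configuration from the thread or from any Cisco document it links; the RADIUS address 192.0.2.10, the shared secret, the VLAN numbers 20 and 99 and the interface names are constructed placeholders. It assumes a classic IOS access switch that supports the `authentication` interface commands.

```ios
! Added lab example, not from the thread. All addresses, VLAN numbers,
! interface names and the shared secret are constructed placeholders.
!
! --- Global: point the switch at the lab RADIUS server ---
aaa new-model
radius server LAB-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
aaa group server radius LAB-RADIUS-GROUP
 server name LAB-RADIUS
aaa authentication dot1x default group LAB-RADIUS-GROUP
! "authorization network" is what lets the switch honour the VLAN the server
! returns in its Access-Accept (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
! Tunnel-Private-Group-ID=<vlan id or name>).
aaa authorization network default group LAB-RADIUS-GROUP
aaa accounting dot1x default start-stop group LAB-RADIUS-GROUP
dot1x system-auth-control
!
vlan 20
 name CORPORATE
vlan 99
 name GUEST
!
! --- Phase 1: monitoring only (lab port). "authentication open" lets all
! traffic through regardless of the RADIUS verdict, so you can watch which
! devices pass dot1x, which fall back to MAB, and which fail, and build the
! MAB inventory (printers and other non-dot1x devices) before enforcing.
interface GigabitEthernet1/0/1
 description LAB-MONITOR-MODE
 switchport mode access
 switchport access vlan 99
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication event fail action next-method
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! --- Phase 2: enforcement (the "change the default rule to deny" step).
! Same port profile without "authentication open". A client that never
! answers EAP and is not in the MAB list lands in the guest VLAN 99;
! authenticated corporate devices get VLAN 20 pushed by the server.
interface GigabitEthernet1/0/2
 description PROD-ENFORCED
 switchport mode access
 switchport access vlan 99
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication event fail action next-method
 authentication event no-response action authorize vlan 99
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
```

While testing, `show authentication sessions interface GigabitEthernet1/0/1 details` shows which method (dot1x or mab) authenticated each MAC and which VLAN the server assigned, and `show dot1x all` confirms the global and per-port state. Moving a port from phase 1 to phase 2 is just removing `authentication open`, which is why the monitoring phase should run long enough to catch every device that only shows up occasionally.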
07-14-2016 08:40 PM
I will not be touching the client's network environment, so I am going to simulate a network by creating an AD and then setting up the 802.1x authentication.
07-14-2016 08:47 PM
Yes, for sure, and if you have issues you can PM me.
07-14-2016 06:10 PM
The Cisco ACS or ISE, are they paid software? I also have little knowledge of using Linux.
07-14-2016 07:27 PM
Yes, they are paid software.
For free you can use Windows NPS, as it is included in Windows Server.
On Linux you have FreeRADIUS.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue