11-21-2013 03:46 PM - edited 03-10-2019 09:07 PM
With Javier Henderson
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot 802.1X.
802.1X is the IEEE standard for port-based network access control: it permits or denies network connectivity, controls VLAN access, and applies traffic policy based on user or machine identity. During this event, Javier Henderson will answer all your questions regarding 802.1X configuration and troubleshooting.
Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.
Remember to use the rating system to let Javier know if you have received an adequate response.
Javier might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Security, sub-community AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 13, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
12-02-2013 03:55 PM
Hi Javier,
Can you share a basic 802.1X configuration? thank you for your help.
John
12-03-2013 05:12 AM
A basic 802.1X configuration follows:
! Enable AAA and send 802.1X authentication requests to the RADIUS server group
aaa new-model
aaa authentication dot1x default group radius
!
! Enable 802.1X globally; port-level commands have no effect without this
dot1x system-auth-control
!
! Access port: the supplicant must authenticate before traffic is forwarded
interface gigabitethernet 1/1
switchport mode access
dot1x port-control auto
!
! RADIUS server address and shared secret
radius-server host 10.1.2.3 key cisco123
12-03-2013 04:52 PM
Javier,
There are some documents that have contradicting 802.1X configuration commands. Can you please clarify this for me? Appreciate it.
Thank you,
Henry
12-06-2013 07:01 AM
The syntax of 802.1X configuration commands changed after IOS 12.2(46), to accommodate new authentication options.
The old syntax is still permissible, but deprecated and does not appear on the context-sensitive help menus.
Javier Henderson
Cisco Systems
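The following is an added example, not part of Javier's reply, showing the same access-port policy written once in the older "dot1x" syntax and once in the newer "authentication" syntax he refers to. The interface names, VLAN IDs, reauthentication timer and host mode are assumed for illustration; the show commands at the end are the ones used to confirm which syntax a port is running.

```cisco
! Added example (not from the original thread): equivalent port configuration
! in the old and new 802.1X command syntax. Interface names, VLAN IDs and the
! timer value are assumed for illustration.
!
! --- Old syntax (still accepted, but no longer listed in "?" help) ---
interface GigabitEthernet1/1
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 dot1x guest-vlan 100
 dot1x auth-fail vlan 101
!
! --- New syntax: "authentication" commands carry the policy, "dot1x pae"
! --- enables the 802.1X authenticator on the port ---
interface GigabitEthernet1/2
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain
 authentication periodic
 authentication timer reauthenticate 3600
 authentication event no-response action authorize vlan 100
 authentication event fail action authorize vlan 101
!
! Verification:
! show dot1x interface GigabitEthernet1/1 details
! show authentication interface GigabitEthernet1/2
```

When reading a document that mixes the two styles, map each old "dot1x" keyword to its "authentication" counterpart as above rather than combining both on one interface; the switch keeps the old commands working, but the new ones are the only ones that expose multi-auth, method ordering (dot1x then MAB) and the event-based fallback actions.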
12-04-2013 01:16 AM
12-07-2013 08:00 AM
Mahmoud,
It would be helpful to look at the output of "debug radius" and "debug dot1x all" (both turned on together at the same time).
Javier Henderson
Cisco Systems
12-04-2013 03:41 AM
Hi Javier,
wondering how would you recommend to tackle the problem of CUCM not being able to provide certificate revocation information for LSCs of IP phones, which could be used in a fully automated manner by an 802.1x environment to validate that a certificate being presented for authentication is valid in every sense (including revocation), and that that phone is in fact allowed to connect to the voice VLAN?
Thanks,
Holger
12-06-2013 07:08 AM
Holger,
I recommend that you open a TAC case with the voice team, since the configuration need centers around the CUCM product, and 802.1X is just incidental in this case.
Javier Henderson
Cisco Systems
12-10-2013 04:38 PM
hi Javier,
Thank you for your help. I have another question for you. Can users be assigned a specific VLAN in 802.1X deployments?
John
12-10-2013 04:46 PM
Hi John,
Using 802.1X with VLAN Assignment
Share your knowledge. It's a way to achieve immortality.
--Dalai Lama
Please Rate if helpful.
Regards
Ed
12-11-2013 07:03 AM
John,
It is indeed possible, the RADIUS server can assign a VLAN after the user has successfully authenticated.
For this to happen, network authorization must be configured on the switch, for example:
aaa authorization network default group radius
Then the RADIUS server has to be configured to send three Attribute/Value pairs:
[64] Tunnel Type needs to be VLAN
[65] Tunnel Medium Type needs to be 802
[81] Tunnel Private Group ID needs to be the name of the VLAN on the switch
Javier Henderson
Cisco Systems
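The following is an added example, not part of Javier's reply, putting both halves of dynamic VLAN assignment side by side: the switch configuration with network authorization enabled, and the three attribute/value pairs as they would be written in a FreeRADIUS "users" file entry. The RADIUS server address and shared secret are taken from the basic configuration earlier in the thread; the username, VLAN ID and VLAN name are assumed for illustration, and FreeRADIUS is an assumed server (any RADIUS server that can return attributes 64, 65 and 81 works the same way).

```cisco
! Added example (not from the original thread): dynamic VLAN assignment,
! switch side and RADIUS side. Username, VLAN ID/name and the choice of
! FreeRADIUS are assumed for illustration.
!
! --- Switch side ---
aaa new-model
aaa authentication dot1x default group radius
! Without this line the switch authenticates the user but ignores
! the VLAN attributes in the Access-Accept
aaa authorization network default group radius
!
dot1x system-auth-control
!
! The VLAN named in attribute 81 must already exist on the switch and the
! name must match exactly; otherwise the port is not authorized
vlan 20
 name ENGINEERING
!
interface GigabitEthernet1/1
 switchport mode access
 dot1x port-control auto
!
radius-server host 10.1.2.3 key cisco123
!
! --- RADIUS side: FreeRADIUS "users" entry returning the three AV pairs ---
! (lines below are in the users-file format, not IOS syntax)
jdoe    Cleartext-Password := "jdoe-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "ENGINEERING"
!
! Tunnel-Type VLAN is attribute [64] value 13, Tunnel-Medium-Type IEEE-802 is
! attribute [65] value 6, Tunnel-Private-Group-Id is attribute [81].
!
! Verification after the user authenticates:
! show dot1x interface GigabitEthernet1/1 details
! show vlan brief
```

Catalyst switches accept either the VLAN name or the numeric VLAN ID in attribute 81, so "20" would also work here; if the value does not resolve to an existing VLAN the authentication fails closed, which is the behaviour you want but also the first thing to check when a user authenticates successfully yet never gets a link. "debug radius" shows the returned attributes if the switch appears to ignore them.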