Ask the Expert: Configuring and Troubleshooting 802.1X

ciscomoderator
Community Manager

With Javier Henderson

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot 802.1X. 

802.1X is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity, control VLAN access, and apply traffic policy, based on user or machine identity. During this event, Javier Henderson will answer all your questions regarding 802.1X configuration and troubleshooting.

Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications. 

Remember to use the rating system to let Javier know if you have received an adequate response. 

Javier might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 13, 2013. Visit this forum often to view responses to your questions and the questions of other community members.


John Ventura
Level 1

Hi Javier,

Can you share a basic 802.1X configuration? Thank you for your help.

John

A basic 802.1X configuration follows:

! enable AAA and authenticate 802.1X supplicants against the RADIUS server group
aaa new-model
aaa authentication dot1x default group radius
!
! enable 802.1X globally on the switch
dot1x system-auth-control
!
! access port: 802.1X decides whether the port is authorized to pass traffic
interface gigabitethernet 1/1
 switchport mode access
 dot1x port-control auto
!
! RADIUS server address and shared secret (sample values)
radius-server host 10.1.2.3 key cisco123

hhtyson11
Level 1

Javier,

There are some documents that have contradicting 802.1X configuration commands.  Can you please clarify this for me?  Appreciate it.

Thank you,

Henry

The syntax of 802.1X configuration commands changed after IOS 12.2(46), to accommodate new authentication options.

The old syntax is still permissible, but deprecated and does not appear on the context-sensitive help menus.

Javier Henderson

Cisco Systems

Hi Javier,

Could you please advise on this case:

https://supportforums.cisco.com/thread/2254843

Mahmoud,

It would be helpful to look at the output of "debug radius" and "debug dot1x all" (both turned on together at the same time).

Javier Henderson

Cisco Systems

holger2meyer
Level 1

Hi Javier,

Wondering how you would recommend tackling the problem of CUCM not being able to provide certificate revocation information for LSCs of IP phones, which could be used in a fully automated manner by an 802.1x environment to validate that a certificate being presented for authentication is valid in every sense (including revocation), and that that phone is in fact allowed to connect to the voice VLAN?

Thanks,

Holger

Holger,

I recommend that you open a TAC case with the voice team, since the configuration need centers around the CUCM product, and 802.1X is just incidental in this case.

Javier Henderson

Cisco Systems

John Ventura
Level 1

Hi Javier,

Thank you for your help. I have another question for you. Can users be assigned a specific VLAN in 802.1X deployments?

John

Hi John,

Using 802.1X with VLAN Assignment

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html#wp1049882

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


John,

It is indeed possible: the RADIUS server can assign a VLAN after the user has successfully authenticated.

For this to happen, network authorization must be configured on the switch, for example:

aaa authorization network default group radius

Then the RADIUS server has to be configured to send three Attribute/Value pairs:

[64] Tunnel-Type needs to be VLAN
[65] Tunnel-Medium-Type needs to be 802
[81] Tunnel-Private-Group-ID needs to be the name of the VLAN on the switch

Javier Henderson

Cisco Systems
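As an added example (not code from this thread or from Cisco), the Python below encodes the three tagged attributes above in the form a RADIUS server places them in an Access-Accept, and checks a received attribute list for a complete VLAN assignment. Attribute codes and enumerated values are taken from RFC 2868 / RFC 3580; the VLAN names are constructed, and the untagged form of Tunnel-Private-Group-ID that RFC 2868 permits is accepted as well.

```python
import struct

# RFC 2868 / RFC 3580 attribute codes and enumerated values
TUNNEL_TYPE = 64              # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6         # Tunnel-Medium-Type value "802"
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_avp(code, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", code, 2 + len(value)) + value

def build_vlan_avps(vlan_name, tag=1):
    """The three AVPs a RADIUS server sends to assign a VLAN. Tagged integers
    are a 1-byte tag plus a 3-byte value; the tagged string is tag + name."""
    t = bytes([tag])
    return (encode_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, t + vlan_name.encode()))

def parse_avps(data):
    """Walk a RADIUS attribute list, returning (code, raw value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        code, length = data[i], data[i + 1]
        avps.append((code, data[i + 2:i + length]))
        i += length
    return avps

def untag(code, value):
    """Strip the RFC 2868 tag byte: always present on the tagged integers, present on the string only when byte 0 is 0x00-0x1F."""
    if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        return value[1:] if len(value) == 4 else value
    return value[1:] if value and value[0] <= 0x1F else value

def assigned_vlan(data):
    """VLAN name an Access-Accept assigns, or None if any of the three
    attributes is missing or carries a value other than VLAN / 802."""
    found = {c: untag(c, v) for c, v in parse_avps(data) if c in VLAN_ATTRS}
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802.to_bytes(3, "big"):
        return None
    name = found.get(TUNNEL_PRIVATE_GROUP_ID)
    return name.decode() if name else None
```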

holger2meyer
Level 1