Solved: Re: The authentication manager

Jose Pablo · ‎08-26-2014

Hi,

I'm trying to config a switch WS-C2960+24PC-L with IOS 15.0(2)SE5 and C2960-LANBASEK9-M to use 802.1x in my network but when I type the following commands the IOS doesn't recognize the interface commands and I can't complete the settings:

Router# configure terminal
Router(config)# dot1x system-auth-control
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# interface fastethernet2/1
Router(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto (or dot1x port-control auto)
Switch(config-if)# authentication host-mode multihost 
Router(config-if)# dot1x pae authenticator
Router(config-if)# end

Source: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/config-ieee-802x-pba.html#GUID-C11588CB-31B6-4CD9-9E74-CF2199FB1807

I've used the same commands in other switch with IOS 12.x and I don't have any problem to complete the settings so.... somebody know if:

* Should I use others commands to activate this feature in this IOS?

* Do I need to use other IOS?

Thanks in advance,

Karsten Iwen · ‎08-26-2014

I assume that you forgot to paste in the following command:

switchport mode access

The "authentication ..." commands won't show up when the port is still in dynamic access/trunk mode. Only after you configure the port statically to be an access-port, these commands are available.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

mohanak · ‎08-26-2014

The authentication manager commands in Cisco IOS Release 12.2(50)SE or later	The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier	Description
authentication control-direction { both \| in}	dot1x control-direction { both \| in}	Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and configure the port control as unidirectional or bidirectional.
authentication event	dot1x auth-fail vlan dot1x critical (interface configuration)   dot1x guest-vlan6	Enable the restricted VLAN on a port. Enable the inaccessible-authentication-bypass feature. Specify an active VLAN as an 802.1x guest VLAN.
authentication fallback fallback-profile	dot1x fallback fallback-profile	Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.
authentication host-mode [ multi-auth \| multi-domain \| multi-host \| single-host]	dot1x host-mode { single-host \| multi-host \| multi-domain}	Allow a single host (client) or multiple hosts on an 802.1x-authorized port.
authentication order	mab	Provides the flexibility to define the order of authentication methods to be used.
authentication periodic	dot1x reauthentication	Enable periodic re-authentication of the client.
authentication port-control { auto \| force-authorized \| force-un authorized}	dot1x port-control { auto \| force-authorized \| force-unauthorized}	Enable manual control of the authorization state of the port.
authentication timer	dot1x timeout	Set the 802.1x timers.
authentication violation { protect \| restrict \| shutdown}	dot1x violation-mode { shutdown \| restrict \| protect}	Configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
show authentication	show dot1x	Display 802.1x statistics, administrative status, and operational status for the switch or for the specified port. authentication manager: compatibility with earlier 802.1x CLI commands

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#concept_6275D339A9074AC0BB06F872D7A54FBB

Jose Pablo · ‎08-26-2014

Hi mohanak,

This command (new or old commands) doesn't appear in my IOS.

I type the following:

   test(config)#
   test(config)#aaa new-model
   test(config)#aaa group server radius RADIUS_ACCESS_CONTROL
   test(config-sg-radius)# server xxx.xx.xx.xx auth-port 1812 acct-port 1813
   test(config-sg-radius)# exit
   test(config)#aaa authentication dot1x default group RADIUS_ACCESS_CONTROL
   test(config)#aaa authorization network default group RADIUS_ACCESS_CONTROL
   test(config)#
   test(config)#dot1x system-auth-control
   test(config)#int fa0/1

but in this point, when I'm configuring the interfaces the switch hasn't got the commands:

test(config-if)#aut?
auto

   test(config-if)#dot?
   % Unrecognized command
   test(config-if)#d?
   dampening         default delay description
   down-when-looped duplex

test(config-if)#

What am I doing wrong?

Karsten Iwen · ‎08-26-2014

I assume that you forgot to paste in the following command:

switchport mode access

The "authentication ..." commands won't show up when the port is still in dynamic access/trunk mode. Only after you configure the port statically to be an access-port, these commands are available.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

Jose Pablo · ‎08-26-2014

No, I really forgot this command.

Thanks,

abdussalam.ansari · ‎11-19-2014

Thanks..this helped me too. :)

Sinaga · ‎11-03-2017

Hello friends, I'm doing an 802.1X authentication implementation with a server radius using multi-host mode. for server radius, I use windows server 2008 R2 Enterprise with installed roles like AD DS, AD CS, DNS Server, DHCP Server, Network Policy and Access Services (NPS). I use PEAP -MsChapV2 method. for authentication when successfully will be redirected to vlan 10, and if failed will be directed to vlan 30. for authenticator and supplicant switches, I use Cisco Catalyst 2960-CX series. network topology: 3 clients --- g0/2, g0/3, g0/4 --- suplicant switch (switch2) --- g0/1 (supplicant switch) to g0/3 --- switch authenticator (switch1) - g0/1 - server radius. script authenticator: Switch1#sh run Building configuration... Current configuration : 3391 bytes ! ! Last configuration change at 06:17:02 UTC Fri Nov 3 2017 ! NVRAM config last updated at 06:17:09 UTC Fri Nov 3 2017 ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Switch ! boot-start-marker boot-end-marker ! ! aaa new-model ! ! aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting network default start-stop group radius ! ! ! ! ! ! aaa session-id common system mtu routing 1500 ! ! ! ! ! ! ! ! ! ! ! ! ! crypto pki trustpoint TP-self-signed-3753304576 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3753304576 revocation-check none rsakeypair TP-self-signed-3753304576 ! ! crypto pki certificate chain TP-self-signed-3753304576 certificate self-signed 01 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33373533 33303435 3736301E 170D3137 31303235 30373031 31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353333 30343537 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C5DB 3CB9DFF2 77BDF4BA 5A9A2842 B71574A0 58FC948F EF638567 64FCCDC0 F842FB87 D1A7509F CF178E66 81578924 AA24C583 F6F82921 898DA3A5 826F81B5 4DB19C29 35ECE681 D8A60EFF 2587AA24 F87A606D B1645B14 8F8CCBA5 2441947C 2F646F38 AB657A8D 2E2A7EED F716FF61 147A875D 654C2180 3B6C5789 3618C7FE BCF30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 147771B2 F7F18FB4 1E7361EF E18B497D DEDDD572 CC301D06 03551D0E 04160414 7771B2F7 F18FB41E 7361EFE1 8B497DDE DDD572CC 300D0609 2A864886 F70D0101 05050003 81810085 2E8424AF 2FE7AEFC 74D07E7C BE1E141F 79F2E7EC 263877AE F6532F13 4D069CDA 80C7A219 8AEACB31 443CC054 9466502F 40317CF6 4D5F7409 D05590CE D74E29C4 F0A95E69 D4B26372 0086C7E9 14A37DBE 3DE0BBB7 355DF39B 5169479C 24BE990B 91E13BEE 99C46D24 1A00CFDC 0D5C60A0 2BEEA481 0C60152E 49A59BCC 0E7D62 quit dot1x system-auth-control ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/1 switchport mode access ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 switchport mode access authentication event fail action authorize vlan 30 authentication event no-response action authorize vlan 30 authentication host-mode multi-host authentication port-control auto dot1x pae authenticator ! interface GigabitEthernet0/4 ! interface GigabitEthernet0/5 ! interface GigabitEthernet0/6 ! interface GigabitEthernet0/7 ! interface GigabitEthernet0/8 ! interface GigabitEthernet0/9 ! interface GigabitEthernet0/10 ! interface GigabitEthernet0/11 ! interface GigabitEthernet0/12 ! interface Vlan1 ip address 10.123.10.250 255.255.255.0 ! interface Vlan10 ip address 172.16.10.250 255.255.255.0 ip helper-address 10.123.10.10 ! interface Vlan30 ip address 172.16.30.250 255.255.255.0 ip helper-address 10.123.10.10 ! ip forward-protocol nd ip http server ip http secure-server ! ! ! ! ! ! radius server host address ipv4 10.123.10.10 auth-port 1812 acct-port 1813 key 12345 ! ! line con 0 line vty 5 15 ! end ============================================================================ script switch supplicant: Switch2#sh run Building configuration... Current configuration : 973 bytes ! ! Last configuration change at 06:17:51 UTC Fri Nov 3 2017 ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Switch ! boot-start-marker boot-end-marker ! ! no aaa new-model system mtu routing 1500 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! ! ! ! vlan internal allocation policy ascending ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 ! interface GigabitEthernet0/4 ! interface GigabitEthernet0/5 ! interface GigabitEthernet0/6 ! interface GigabitEthernet0/7 ! interface GigabitEthernet0/8 ! interface GigabitEthernet0/9 ! interface GigabitEthernet0/10 ! interface GigabitEthernet0/11 ! interface GigabitEthernet0/12 ! interface Vlan1 no ip address ! ip forward-protocol nd ip http server ip http secure-server ! ! ! ! ! line con 0 line vty 5 15 ! end Switch# i found the problem, when my authenticator connect to switch supplicant then the authentication notification does not appear to client. direct authentication failed. from my configuration above, is there anything wrong or need to be added? I beg for his help, thank you very much.

How can I configure a 802.1x in a switch 2960 with IOS 15.0.2?

ISE Webinars

CiscoISE on YouTube