Native vlan on 3750 switch

john.hansel
Level 1

Is it possible to configure AAA and EAPFAST on a 3750G switch to use a vlan other than vlan1 for management/native vlan?  We are working with RADIUS on Server 2008.

7 Replies

Tiago Antunes
Cisco Employee

Hi John,

I am not sure if I correctly understood what you want to achieve...

Do you want to authenticate users connected to a switch using EAP-FAST and assign a VLAN (different from vlan 1) to that port?

BR,
Tiago

Tiago,

I am working on a project to test the implementation of 802.1x on a .mil network.  Our intent is to authenticate devices using software certificates issued from the RADIUS server.  We want to dynamically assign the switch port to a VLAN based on the authentication.  By policy, we configure the native vlan to be something other than vlan1 and we shutdown vlan1.

We would like to be able to change the native/management vlan to be something other than vlan1.  In other words, have all ports assigned to a vlan other that vlan1 until a device connects and is authenticated to the appropriate vlan.

Is this something that we can do?

Regards,

John

Hi John,

Yes, you can do that.

On 3750 you can take a look at the feature called 802.1x Authentication with VLAN Assignment:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1289244.

Basically, you define on the RADIUS server what VLAN you want to assign to each User (or User Group); then, when the user connects the PC to the port, it authenticates and the RADIUS server returns the required attributes for VLAN assignment to the switch. The switch interprets them and changes the switchport to the configured VLAN.

The switch will be a simple man-in-the-middle during authentication and only processes the RADIUS Reject (if authentication fails) or RADIUS Accept (if authentication passes).

The authentication methods like EAP-FAST must be agreed between the RADIUS server (AAA Server) and the PC (AAA supplicant).

If you want to authenticate users based on certificates you have to use either EAP-FAST, EAP-TLS or EAP-TTLS.

The most widely spread (which comes by default on WinXP machines) authentication method is PEAP which uses MS-CHAP (username/password) to authenticate users.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Tiago,

The functionality you described is exactly what I am attempting to do, with one adjustment.  I want to change the native vlan (default vlan assignment) on all of the switch ports.  I do not want vlan 1 to be active.  I want all of the ports to start out in vlan 5 instead of vlan 1.  Will this work?

Thanks,

John

Hi,

You can do that simply by using the commands "switchport mode access" and "switchport access vlan 5" on your switchports.

This will make your switchports as access ports (not trunks) and the default vlan will be vlan 5.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
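The two answers above (802.1x with dynamic VLAN assignment, and putting every port in VLAN 5 as an access port before authentication) fit together in one switch configuration. The following is an added worked example, not configuration from the thread, from Cisco's documentation, or from John's switch. It assumes the 12.2(50)SE-and-later "authentication" CLI that 12.2(52)SE uses, a hypothetical RADIUS server at 192.0.2.10, interface GigabitEthernet1/0/1 as the test port, VLAN 5 as the pre-authentication access VLAN, VLAN 20 as the management SVI, and VLAN 10 as the VLAN the RADIUS server hands back; all of those values are placeholders to be replaced.

```ios
! --- Global AAA / 802.1x (example values, not from the thread) ---
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what lets the switch act on the VLAN attributes
aaa authorization network default group radius
dot1x system-auth-control
! RADIUS server address and shared secret are placeholders
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SECRET
!
! --- VLANs: the switch must already know the VLAN the server assigns ---
vlan 5
 name PRE-AUTH
vlan 10
 name AUTHENTICATED
vlan 20
 name MGMT
!
! --- Management on a VLAN other than 1; VLAN 1 SVI shut, as per policy ---
interface Vlan1
 shutdown
interface Vlan20
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! --- Access port: starts in VLAN 5, moves to the RADIUS-assigned VLAN ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 5
 authentication port-control auto
 dot1x pae authenticator
!
! --- Attributes the RADIUS server must return in the Access-Accept ---
! [64] Tunnel-Type            = VLAN (13)
! [65] Tunnel-Medium-Type     = IEEE-802 (6)
! [81] Tunnel-Private-Group-ID = "10"   (VLAN ID, or the VLAN name)
!
! --- Commands to check whether authentication and assignment happened ---
! show authentication sessions interface GigabitEthernet1/0/1
! show dot1x interface GigabitEthernet1/0/1 details
! show vlan brief        (the port should appear under VLAN 10 after a pass)
```

Two points worth keeping in mind when testing this. "Native VLAN" is a property of trunk ports; on an access port the equivalent setting is the access VLAN, which is what "switchport access vlan 5" changes, and the VLAN returned by RADIUS overrides it only for the duration of the authenticated session. If the assigned VLAN does not exist in the switch's VLAN database, the switch cannot move the port into it, so "show vlan brief" and "show authentication sessions" are the first places to look when a port stays in VLAN 5 after a successful Accept.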

Tiago,

I feel like we are moving in the right direction.  We have tried changing the native vlan from vlan1 to vlan5 using the commands as you indicated.  However, when we change the native vlan and insert the "switchport mode access" and "switchport access vlan5" commands for the ports, the EAP-FAST functionality stops working and ports are no longer auto assigned to the correct vlan.

Can you please provide more detail?

John

Hi John,

Can you please elaborate a bit more what you mean by the EAP-FAST functionality stops working?

Do you get any error? Do you get any failed authentication?

What is the current configuration of your switch? Which switchport are you using to test?

How are you verifying when it "works" and when it "doesn't work"?

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.