Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
0
Helpful
2
Replies

RADIUS and dot1x questions

jason
Level 1
Level 1

‎07-30-2010 11:31 AM - edited ‎03-10-2019 05:17 PM

Hello,

I'm working on a test rollout of 802.1x. I have a few (hopefully quick) questions that I can't seem to find in the docs...

1) Is there a way to configure a switch to use two separate RADIUS servers, one for auth/authen and one for accounting?

2) Is there any link to the different software versions and trains, both IOS and CatOS, showing the minimum versions that have guest VLAN and authFail VLAN?

Thanks,

Jason Antman

Rutgers University

Labels:
0 Helpful
2 Replies 2

jason
Level 1
Level 1

‎07-30-2010 11:34 AM

As I'm sure someone is going to ask, I'm going to be running on a number of different switches, but the bulk will be either 3550 or better running IOS 12.1(13)EA1a or 2948G's running CatOS .

0 Helpful

Elly Bornstein
Cisco Employee
Cisco Employee
In response to jason

‎07-30-2010 03:27 PM

2948G:

Running most recent software would be limited to the features in this configuration guide:

dot1x -

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/8021x.html

aaa -

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/authent.html

Unfortunately CatOS does not have a way to configure server groups which is what would be necessary to customize separate destinations for authentication versus authorization.

Furthermore in the dot1x guide there is no guest vlan nor auth fail features, only vlan assignment via Radius. Could use this to assign particular users to a restricted vlan. I would definitely read the section on 802.1x VLAN assignment Using a RADIUS server, if you are interested (in in the dot1x link above).

3550 -

Looks like guest vlan was introduced around 12.1(14)EA1,

Looks like auth fail was introduced around 12.2(25)SED, see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_sed/release/notes/OL8114.html#wp94866

Looks like you will have to upgrade some of your older your 3550s.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents