Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
5
Replies

RADIUS server and 802.1x on switch Cisco Packet Tracer

maksunity
Level 1
Level 1

‎04-15-2024 11:20 PM

Good afternoon, Cisco community. I faced a problem when configuring RADIUS server using switch as authenticator. When using router everything was not complicated and worked, example below.

maksunity_0-1713247899286.png

maksunity_2-1713247934569.png

But my supervisor said that it is wrong to do it this way and in modern networks it is necessary to do authentication on switch. And that's where the problems started.

Immediately a question on topology, is a router needed if a switch is used to connect to a RADIUS server? What will change from this?

maksunity_3-1713247957777.png

About configuring the switch. I did the following commands:

Interface vlan 1

No shutdown

Ip address 192.168.1.253 255.255.255.255.0

Exit

(ip default-gateway 192.168.1.254) #if a router is still needed in the topology

Interface range Fastethernet 0/1 - 24

Switchport mode access

Switchport access vlan 1

 

With these settings everything still works (you can ping the router from PC2)

maksunity_4-1713247989709.png

Now on to configuring the aaa itself on the switch.

Here are the commands I used:

Aaa new-model

Radius-server host 192.168.88.8 key cisco

aaa authentication dot1x default group radius

dot1x system-auth-control

exit

interface range fastethernet 0/23 – 24

authentication port-control auto

dot1x pae authenticator

exit

copy run startup-config

 

I then added user data (user: root, password: root) to computers 1 and 2, which are connected to ports 23 and 24 respectively. And after that they become unavailable at all, orange. Although it seems that if 802.1x is enabled on them and user data has been added, then the port should allow the computer in question into the network. You can see this in the picture below

maksunity_5-1713248041874.png

Configuring 802.1x on a computer

maksunity_6-1713248065877.png

RADIUS server settings (Services - Radius EAP - EAP-MD5 enable):

maksunity_7-1713248077314.png

 

Which default gateway should I specify for the router or switch? (And if there is no router in the topology, what should I do?)

maksunity_9-1713248122705.png

Also a question what default Gateway to specify in the computer settings if there should be no router in the topology?

maksunity_10-1713248140645.png

Thank you very much in advance, I hope you can help me!

 

P.S. as I have already dug through a lot of cisco documentation and not only, but everything does not work. When configuring 802.1x on the router there were no such problems and everything worked almost immediately.

 

 

 

Labels:
0 Helpful
5 Replies 5

marce1000
VIP
VIP

‎04-15-2024 11:56 PM

 

              - FYI : Community group for Packet Tracer project questions

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

maksunity
Level 1
Level 1
In response to marce1000

‎04-16-2024 12:54 AM

I'm sorry. I wrote where you indicated, but I want to believe that someone here can help with this problem.

0 Helpful

Aref Alsouqi
VIP
VIP

‎04-16-2024 01:37 AM

Couple of things here:

1) You would need the router if there is no direct comms between the switch and the RADIUS server. For instance, if the switch needs to route the RADIUS packets out of the interface 192.168.1.253, then yes the router is needed because the traffic flow would go this way Switch (192.168.1.253) > Router (192.168.1.254) > Router (192.168.88.2) > RADIUS Server (192.168.88.8), and it should return via the same path.

2) On the server configs it is showing the 192.168.1.254 as its default gateway? that should be adjusted to be the 192.168.88.2 which is the router interface in the same VLAN as the server interface.

3) The dot1x config on the PC it is showing MD5 as the authentication type? I think that should be changed to be EAP-PEAP which will rely on username and password for authentication.

4) The RADIUS port shown on the server configs is 1645, maybe the switch is using port 1812?, you can either set the port on the switch config to be port 1812 or change the port on the server configs to be 1812.

5) The dot1x config you shared seems to be minimum and I think you need to add more commands, please use the below template, maybe not all commands will be supported on PT.

aaa new-model
dot1x system-auth-control

aaa authentication dot1x default group < group name >
aaa authorization network default group < group name >
aaa accounting dot1x default start-stop group < group name >

radius server < server name >
address ipv4 x.x.x.x auth-port 1645 acct-port 1646 (you can use the 1812 and 1813 if you change them on the server config in PT)
key xxxxx

radius-server dead-criteria time 5 tries 3
radius-server deadtime 3

aaa group server radius < group name >
server name < server name >
ip radius source-interface Vlan1

radius-server vsa send authentication
radius-server vsa send accounting

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

interface < interface ID >
switchport mode access
authentication host-mode multi-auth
authentication order dot 1x mab
authentication priority dot1x mab
authentication event fail action next-method
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
authentication event server dead action authorize vlan xx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
spanning-tree portfast

0 Helpful

maksunity
Level 1
Level 1
In response to Aref Alsouqi

‎04-16-2024 03:35 AM

About the first point, there is a direct link between the server and the switch. That is, I should specify the ip address 192.168.1.253 through vlan 1 and specify it as a client to the RADIUS server, and then the router won't be needed, right?

3) in CPT you can't select any other authentication type than MD5, in the YouTube example of similar work it was also used https://www.youtube.com/watch?v=8SlbCPFgVhY.

4)I will check this solution, but in the video above nothing changed either.

5) I need to make the simplest authentication, could you give me an example of a simplified version of your configuration like mine, thanks in advance!

0 Helpful

Aref Alsouqi
VIP
VIP
In response to maksunity

‎04-16-2024 04:12 AM

On the topology you shared, the RADIUS server seems to be on subnet 192.168.88.x and the switch Vlan1 interface is on 192.168.1.x, hence I'd thought the are not on the same subnet.

The configs I pasted was taken from a template I have, I would try to apply all the commands, I wouldn't worry much if any of the advance commands wouldn't be supported by PT, for instance the RADIUS VSA, attributes, dead server detection, those wouldn't be essentials in your case.

0 Helpful
Customers Also Viewed These Support Documents