Wired 802.1X with custom authentication list - no "default"

ssajiby2k
Level 1

Hi,

I do not want to use the authentication list named "default" for 802.1X authentication. I want to use my own custom list.

For example, for SSH login I use:

aaa new-model

radius server nps01
 address ipv4 172.16.245.11 auth-port 1812 acct-port 1813
 key test123

aaa group server radius nps-servers
 server name nps01

aaa authentication login my-ssh-login group nps-servers local
aaa authorization exec my-ssh-autho group nps-servers local

line vty 0 4
 authorization exec my-ssh-autho
 login authentication my-ssh-login
 transport input ssh

But for 802.1X I must write:

aaa authentication dot1x default group nps-servers
aaa authorization network default group nps-servers

But I do not want to use this default list; I want to use my own custom named list, like for SSH, for example:

aaa authentication dot1x auth-dot1x group nps-servers
aaa authorization network autho-dot1x group nps-servers

But it does not work, as expected. I need to bind these lists to the 802.1X process, and I do not know if it is possible or what the commands are. For SSH access, I have bound them under the vty lines.

All of Cisco's documentation refers to this default list. For 802.1X, is it possible to use a custom list?

Regards,

Accepted Solution

howon
Cisco Employee

This is only possible when using IBNS 2.0. Here is a snippet, but I suggest going through the wired guide.

policy-map type control subscriber PORT-AUTH-POLICY-I
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x aaa authc-list auth-dot1x authz-list autho-dot1x priority 10
   20 authenticate using mab aaa authc-list auth-dot1x authz-list autho-dot1x priority 20

Accounting still needs to use 'default' even with IBNS 2.0.


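Putting the accepted answer together with the named lists from the question, here is an added example of the complete IBNS 2.0 binding; it is not the poster's or Cisco's configuration. It assumes an IOS-XE switch already running the new-style `access-session` CLI, uses the hypothetical interface GigabitEthernet1/0/10 and the hypothetical class-map names DOT1X_FAILED and DOT1X_NO_RESP, and keeps the placeholder RADIUS key from the question. It goes one step beyond the single-event snippet in the answer by running MAB only after 802.1X fails or no supplicant answers, instead of starting both methods at session start.

```ios
! Added example, not from the thread or the Cisco wired guide.
! Assumes IOS-XE in new-style (access-session) mode; interface and
! class-map names are hypothetical; the RADIUS key is the question's placeholder.

aaa new-model
radius server nps01
 address ipv4 172.16.245.11 auth-port 1812 acct-port 1813
 key test123
aaa group server radius nps-servers
 server name nps01

! Named lists for 802.1X and MAB. Defining them does nothing by itself;
! the policy-map below is what binds them, the way "login authentication"
! binds the SSH list under the vty lines. No "local" fallback on purpose.
aaa authentication dot1x auth-dot1x group nps-servers
aaa authorization network autho-dot1x group nps-servers

! The policy-map has no per-method accounting list, so accounting stays on default.
aaa accounting dot1x default start-stop group nps-servers

dot1x system-auth-control

! Outcomes the authentication-failure event can match on
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

! Try 802.1X first; fall back to MAB when the supplicant fails or never answers.
! Every "authenticate using" line names the custom lists explicitly.
policy-map type control subscriber PORT-AUTH-POLICY-I
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list auth-dot1x authz-list autho-dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list auth-dot1x authz-list autho-dot1x priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list auth-dot1x authz-list autho-dot1x priority 20

! Attach the policy to an access port (hypothetical interface)
interface GigabitEthernet1/0/10
 switchport mode access
 access-session host-mode multi-auth
 access-session port-control auto
 dot1x pae authenticator
 mab
 service-policy type control subscriber PORT-AUTH-POLICY-I
```

After applying it, `show access-session interface GigabitEthernet1/0/10 details` shows which method authorised the session, and the RADIUS requests for that port should now hit the servers in nps-servers through auth-dot1x rather than the default list. Nothing here changes what the port does when NPS is unreachable; that is a separate critical-authentication policy in IBNS 2.0, and unlike the SSH lists these lists deliberately have no `local` fallback.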