Send mac address when linking switch administrator account radius

morshine
Level 1

Hello

When accessing a switch in a remote location, we want to log in as an administrator via the RADIUS server rather than a local account.
We confirmed that the Genian NAC server was connected to the RADIUS server and that login was successful.
We have also confirmed that login-failure logs are recorded normally when the account information entered at login is incorrect.

However, the problem is that when the administrator login succeeds, no normal authentication log is recorded.

To solve this, we were told that the IP or MAC address of the client that attempted to log in must be sent to the NAC server.
Specifically, the MAC address should be sent in the Calling-Station-Id field, or the IP address in the Framed-IP-Address field.

I tried to send this information through the RADIUS attribute settings, but it did not work. Without a dot1x configuration, only the IP address could be sent in the Calling-Station-Id field.

In summary, when an administrator accesses a switch from a remote location, authentication must go through the RADIUS server.

Thank you.

1 Reply

To transmit the IP or MAC address information to the RADIUS server, you need to configure the RADIUS server on the switch and configure the authentication method on the switch ports.

1. Configure RADIUS Server on a Switch:
- SSH to your switch that is going to be the RADIUS server.
- Enter the Global Configuration mode: `RADIUS#configure`.
- Enable the RADIUS server: `RADIUS(config)#radius server enable`.
- Create the shared secret for the authenticator switch (NAS) at 192.168.1.101: `RADIUS(config)#radius server nas 192.168.1.101 key example`.
- Create a RADIUS server group: `RADIUS(config)#radius server group MAC802`, then return to global configuration with `RADIUS(config-radius-server-group)#exit`.
- Create a user: `RADIUS(config)#radius server user username 54:EE:75:XX:XX:XX group MAC802 password example`.

2. Configure Authenticator Switch:
- SSH to the switch that is going to be the authenticator.
- Enter the Global Configuration mode: `Authenticator#configure`.
- Enable 802.1X globally: `Authenticator(config)#dot1x system-auth-control`.
- Configure the RADIUS server host: `Authenticator(config)#radius-server host 192.168.1.100 key example`.
- Define the format of the MAC-based username: `Authenticator(config)#dot1x mac-auth eap username groupsize 2 separator : uppercase`.
- Set the password for MAC-based authentication: `Authenticator(config)#dot1x mac-auth password example`.
- Configure the interface: `Authenticator(config)#interface GigabitEthernet1/0/1`.
- Set the host-mode to multi-sessions: `Authenticator(config-if)#dot1x host-mode multi-sessions`.
- Enable MAC-based authentication: `Authenticator(config-if)#dot1x authentication mac`.
- Enable port-based authentication and authorization: `Authenticator(config-if)#dot1x port-control auto`.

After configuring these settings, the switch will transmit the IP or MAC address information to the RADIUS server for authentication. You can verify the active authorized users and interface status using the `show dot1x` commands.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
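Whether the NAC server can log the client behind a successful admin login comes down to what the switch actually puts in its RADIUS Access-Request: Calling-Station-Id (attribute 31) for the MAC, Framed-IP-Address (attribute 8) for the IP. The Python below is an added example for this thread, not code from the original post, from Cisco or from Genians. It builds RFC 2865 Access-Requests with and without those two attributes, including the User-Password obfuscation, and decodes them, so the same decoder can be run over the UDP payload of a request captured between the switch and the NAC server to see what the switch really sends. The addresses, username, MAC and shared secret are constructed placeholders.

```python
"""Build and decode RADIUS Access-Request packets (RFC 2865) to check whether
a NAS (the switch) includes Calling-Station-Id and Framed-IP-Address.
Added example; every address, name and secret below is a constructed placeholder."""
import hashlib
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1             # RFC 2865 packet code
ATTR_USER_NAME = 1             # attribute types used below
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8     # client IP, as the thread describes
ATTR_CALLING_STATION_ID = 31   # client MAC, as the thread describes


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes, so the value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, client_mac: Optional[str] = None,
                         client_ip: Optional[str] = None) -> bytes:
    """Access-Request as a NAS would send it for an admin login. MAC and IP are
    optional, mirroring a switch that may or may not send them."""
    authenticator = os.urandom(16)  # Request Authenticator, random per request
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD,
                         encrypt_user_password(password.encode(), secret, authenticator))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if client_mac is not None:
        attrs += encode_attr(ATTR_CALLING_STATION_ID, client_mac.encode())
    if client_ip is not None:
        attrs += encode_attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Decode Code, Identifier, Authenticator and the attribute list, rejecting
    packets whose Length field or attribute lengths do not add up."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def client_identity(attrs: List[Tuple[int, bytes]]) -> Tuple[Optional[str], Optional[str]]:
    """What the RADIUS server can log about the client, as (MAC, IP).
    (None, None) means the NAS sent neither attribute."""
    mac = ip = None
    for attr_type, value in attrs:
        if attr_type == ATTR_CALLING_STATION_ID:
            mac = value.decode("ascii", errors="replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            ip = socket.inet_ntoa(value)
    return mac, ip


if __name__ == "__main__":
    secret = b"example"  # must match the key given to radius-server host on the switch
    with_info = build_access_request(7, secret, "admin", "Sup3rS3cret", "192.168.1.100",
                                     client_mac="54:EE:75:00:11:22", client_ip="10.0.0.25")
    without = build_access_request(8, secret, "admin", "Sup3rS3cret", "192.168.1.100")
    for pkt in (with_info, without):
        _, ident, _, attrs = parse_packet(pkt)
        print(f"id={ident} attrs={[t for t, _ in attrs]} client={client_identity(attrs)}")
```

To check a real login, capture UDP port 1812 on the NAC server, hand the UDP payload of the Access-Request to `parse_packet` and look at `client_identity`: if it returns `(None, None)`, the switch is not sending the attributes at all, and no attribute setting on the NAC side will conjure them. Note also that the User-Password protection is only an MD5 stream keyed by the shared secret; an admin credential on a management path should travel over a segregated or encrypted link, not bare RADIUS across a remote site.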