802.1x authentication

cro9uk
Level 1

Guys, am I missing a global config here? I have the following commands on my 2950:

aaa new-model
aaa authentication dot1x default group radius
radius-server host 154.4.10.1 auth-port 1812 string CiscoSwitch
int fa0/1
dot1x port-control auto

Even if I put the port into port-control force-unauthorized, when I plug my laptop in the port just comes up as normal. I have set up the RADIUS side on the RADIUS server, but the logs don't show any requests coming from the switch. As I have this in a test environment I am able to plug the RADIUS server directly into the switch, and the switch can directly ping the server. I feel I am missing a global command to switch it on somehow; the Cisco documentation just says to enable aaa new-model and set the aaa authentication and it should work, but it doesn't. Can anybody help? Even if I have to enable something in Microsoft (on my laptop). The reason for wanting this is to stop someone from jacking into publicly accessible ports, so I want the switch to either authenticate or shut down.

8 Replies

mike-greene
Level 4

Hi,

That's about all the config that will go on the switch. There are some dot1x debugging commands that might help if you have not tried them already. I would suspect the problem is in the RADIUS server configuration. If you post your email address I'll send you a doc I got from TAC when I was setting it up. I would post it, but it's too big to attach.

HTH

Thanks, please send to p.stevens@sivltd.com

I found a dot1x system-auth-control global config command, but when I use it, it tells me all my ports must be in switchport mode access; I have trunk ports.

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.

The show dot1x command will tell you what is going wrong.

Thanks, but I have read this information. I don't want to enable 802.1X on trunk ports, but the dot1x system-auth-control command is global. All I want is to enable dot1x port control on the ports I select; it seems that I can only enable it globally, which is no good for me as I have trunk ports that I do not want to participate in 802.1X.

Try adding the following:

aaa authentication default group none
aaa authentication dot1x default group radius
dot1x system-auth-control
int f0/x
switchport mode access
dot1x port-control auto

This will not require that all ports are in access mode.

HTH

E.

Thanks everyone, I'm hoping this is sorted. Basically the reason that sys-auth would not go in was because some of the ports were left dynamic. After I made them all switchport mode access it took the command and enforced dot1x; I then configured the trunks and it seems to have taken the commands OK (although I haven't tested the trunk links yet as I have only 1 switch in my lab). Dot1x is working fine now, and thanks to Mike Greene's document (cheers for the email, mate) I have managed to configure this using X.509 certificates on the RADIUS server and the client so my users don't have to log in twice.

I think basically the issue was that all the ports had to be statically configured as either access/trunk etc. for the switch to accept the global command; it did not like them being left unconfigured as dynamic. Then obviously you only put the ports you wish into dot1x port-control auto mode.
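The thread boils down to three config checks: the global dot1x system-auth-control switch must be present or dot1x port-control auto does nothing (ports stay authorized, no Access-Requests reach RADIUS), every port must have a static switchport mode before the 2950 will accept that global command, and 802.1X is only accepted on access ports, never trunk or dynamic ports. The following is an added example, not code from the thread or from Cisco: a small linter that parses an IOS-style running config and reports those pitfalls. Both embedded configs are constructed for illustration (the "before" mirrors the original post, with the RADIUS shared secret written as key rather than string; the "after" is the state the OP describes reaching), and the interface names, the assumption that a port with no switchport mode line is in the 2950's default dynamic mode, and the finding text are mine.

```python
"""Lint a Cisco IOS switch config for the 802.1X pitfalls discussed above.

Added example, not from the thread. Sample configs are constructed.
"""
import re
from dataclasses import dataclass

# Constructed "before" config: mirrors the original post (global enable missing,
# Fa0/1 left in its default dynamic mode, one trunk, one explicitly dynamic port).
OP_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 154.4.10.1 auth-port 1812 key CiscoSwitch
!
interface FastEthernet0/1
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport mode trunk
"""

# Constructed "after" config: every port statically access or trunk, global
# 802.1X enabled, dot1x only on access ports.
FIXED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 154.4.10.1 auth-port 1812 key CiscoSwitch
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
"""


@dataclass
class Interface:
    name: str
    # Assumption: a port with no "switchport mode" line is in the 2950 default
    # (dynamic desirable), which the running-config does not display.
    mode: str = "dynamic"
    dot1x: bool = False


def parse_config(text):
    """Split an IOS config into global commands and per-interface blocks."""
    global_cmds, interfaces, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):           # top-level command
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = Interface(m.group(1))
                interfaces.append(current)
            else:
                global_cmds.append(line.strip())
            continue
        if current is None:                     # indented line outside an interface
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            word = cmd.split()[2]
            current.mode = word if word in ("access", "trunk") else "dynamic"
        elif cmd.startswith("dot1x port-control"):
            current.dot1x = True
    return global_cmds, interfaces


def lint_dot1x(text):
    """Return a list of findings; an empty list means the config is consistent."""
    global_cmds, interfaces = parse_config(text)
    findings = []

    def has(prefix):
        return any(g.startswith(prefix) for g in global_cmds)

    if not has("aaa new-model"):
        findings.append("global: 'aaa new-model' missing; AAA method lists are ignored without it")
    if not has("aaa authentication dot1x default group radius"):
        findings.append("global: no 'aaa authentication dot1x default group radius' method list")
    if not has("radius-server host"):
        findings.append("global: no 'radius-server host'; nowhere to send Access-Requests")

    dot1x_ports = [i for i in interfaces if i.dot1x]
    if dot1x_ports and not has("dot1x system-auth-control"):
        names = ", ".join(i.name for i in dot1x_ports)
        findings.append(f"global: 'dot1x system-auth-control' missing; 'dot1x port-control' on "
                        f"{names} has no effect and the ports stay authorized")

    for i in interfaces:
        if i.mode == "dynamic" and (dot1x_ports or has("dot1x system-auth-control")):
            findings.append(f"{i.name}: dynamic port (no static 'switchport mode access|trunk'); "
                            f"the 2950 rejects 'dot1x system-auth-control' while any port is dynamic")
        if i.dot1x and i.mode != "access":
            findings.append(f"{i.name}: 'dot1x port-control' on a {i.mode} port is not accepted; "
                            f"802.1X needs 'switchport mode access'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", OP_CONFIG), ("after", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_dot1x(cfg) or ["no findings"]:
            print(" ", f)
```

Run it as-is to see the "before" config produce findings for the missing global enable, the dynamic Fa0/1 and Fa0/2, and nothing for the trunk on Fa0/24, while the "after" config is clean. Feed it the output of show running-config from a real switch to check the same three conditions before typing dot1x system-auth-control.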

kamlesh.sharma
Level 3

hi,

Just a thought: if you enable AAA on the switch it may require a management IP address just to ping the RADIUS server. If you have already configured that then I would be wrong; if not, then try it.

HTH

kamlesh.sharma
Level 3

Now I would say you need to go through this document and let me know if it works.

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swadmin.htm#35135
