802.1x authentication

cro9uk
Beginner

Guys, am I missing a global config here? I have the following commands on my 2950:

aaa new-model

aaa authentication dot1x default group radius

radius-server host 154.4.10.1 auth-port 1812 string CiscoSwitch

int fa0/1

dot1x port-control auto

Even if I put the port into port-control force-unauthorised, when I plug my laptop in the port just comes up as normal. I have set the RADIUS side up on the RADIUS server, but the logs don't see any requests coming from the switch. As I have this in a test environment, I am able to plug the RADIUS server directly into the switch, and the switch can directly ping the server. I feel I am missing a global command to switch it on somehow; the Cisco documentation just says to enable aaa new-model and set the aaa authentication and it should work, but it doesn't. Can anybody help? Even if I have to enable something in Microsoft (on my laptop). The reason for wanting this is to stop someone from jacking into publicly accessible ports, so I want the switch to either authenticate or shut down.

8 Replies

mike-greene
Enthusiast

Hi,

That's about all the config that will go on the switch. There are some dot1x debugging commands that might help if you have not tried that already. I would suspect the problem is in the RADIUS server configuration. If you post your email address I'll send you a doc I got from TAC when I was setting it up. I would post it but it's too big to attach.

HTH

Thanks, please send to p.stevens@sivltd.com

I found a dot1x system-auth-control global config command, but when I use it, it tells me all my ports must be in switchport mode access. I have trunk ports.

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.

The show dot1x command will tell you what is going wrong.
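
Added example, not part of any post in this thread: a small offline check of a saved switch config for the two items the thread raises, the global dot1x system-auth-control command and the requirement that 802.1X ports be in switchport mode access. The sample config is constructed from the poster's commands in running-config form, and FastEthernet0/2 is a hypothetical second port.

```python
import re

# Constructed sample: the poster's commands plus a hypothetical compliant port.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 154.4.10.1 auth-port 1812 string CiscoSwitch
!
interface FastEthernet0/1
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
!
"""

# Global commands named in the thread; matched as line prefixes.
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x", "dot1x system-auth-control")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if re.match(r"^interface\s+\S+", raw):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the interface block
    return interfaces

def audit_dot1x(config):
    """List findings for the 802.1X items discussed in the thread."""
    findings = []
    global_lines = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    for cmd in GLOBAL_REQUIRED:
        if not any(l.startswith(cmd) for l in global_lines):
            findings.append(f"global: '{cmd}' is missing")
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("dot1x port-control") for c in cmds):
            continue  # port is not configured for 802.1X
        if "switchport mode access" not in cmds:
            findings.append(f"{name}: dot1x port-control set but port is not 'switchport mode access'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dot1x(SAMPLE_CONFIG)))
```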