cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
808
Views
0
Helpful
6
Replies

could someone give me a example for 6509(set)&802.1x?

jeff.lee
Level 1
Level 1

realize the dynamic vlan(based one username&password),6509's ios is CATOS 7.3,I have searched in cisco.com,but I only find how to do port authen in 6509 with 802.1x,

6 Replies 6

smcquerry
Level 1
Level 1

802.1X from the switch perspective is port authentication, but the VLAN will be assigned based on information returned from the RADIUS server.

The radius server must be configured to return IETF attributes [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID.

The following link describes 802.1X configuration including the assignments of VLANs using 802.1X.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1030203

The following is an article about 802.1X that may also be beneficial. Section 3 describes the configuration of the switch and attributes of the RADIUS server

http://www.informit.com/articles/article.asp?p=29600

could u tell me how to config the 802.1x port on 6509?should config the port as dynamic vlan(set port membership x/x dynamic)such as vmps config?or I config nothing to the 802.1x port?

anything else can help me£¨espesially about he ACS )?

and could u tell me how to config the acs?how to config the relationship between username & vlan name?should I config the usersetup or groupsetup?how can I setup the NT user into ACS GROUP?I install ACS3 in a WIN2K DC

You may want to reference the following for information about configuring ACS to use the Windows database.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494d.html

As for setting up VLAN using users or groups that depends on how you choose to set up the IETF attributes. After you get a database defined, you will need to set up the attributes in the Radius server to return the VLAN settings this could be done on a user basis or a group basis. This document describes the attributes.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018495e.html#473545

Recall from the configuring 802.1X documentation

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029864

that the following parameters must be configured to return the VLAN.

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-Id = VLAN NAME

These are the IETF attributes that you will need to configure for the user or group on the server.

my catos is 7.31,I have these commands in it:

set interface sc0 2 192.168.1.2 255.255.255.0

set radius server 192.168.1.11

set radius key cisco123

set dot1x system-auth-control enable

set port dot1x 3/26 port-control auto

then I can ping 192.168.1.11,but always I failed to authen in a XP NOTEBOOK,I don't know how to debug it in catos,bug I can see the failed attemps in ACS:

just unknown NAS,no username and time

in the process of install ACS,one place I select "ietf radius" but not the "cisco tacacs+ server",and another place I select "win2k username database" but not cisco security database

what can I do now?int acs,I just check the 64,65&81,anything else should I check?

thanks

I found that sometime I can log in with 802.1x,but sometime can't,after my first login successfully,I unplued the cable and plug it into another vlan(at the same time,I change the ip address),in xp,the local connection seems"authenticating",but it doesnot give the chance to input password and username,and after a long time,the local connection has been disabled,I can't enable it,and I found that in the acs's failed attemps,there is the record"username azbycx",but there is no username azbycx,why?

my acs is 3.01,installed pc is win2k chinese version with sp2,its ie is 5.00 with sp2

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a008009462a.shtml

doesnot say acs 3.0x must be installed in english version win2k server

Review Cisco Networking for a $25 gift card