Guys, am I missing a global config here? I have the following commands on my 2950:
aaa authentication dot1x default group radius
radius-server host 18.104.22.168 auth-port 1812 key CiscoSwitch
dot1x port-control auto
Even if I put the port into port-control force-unauthorized, when I plug my laptop in, the port just comes up as normal. I have set the RADIUS side up on the RADIUS server, but the logs don't see any requests coming from the switch. As I have this in a test environment I am able to plug the RADIUS server directly into the switch, and the switch can ping the server directly. I feel I am missing a global command to switch it on somehow; the Cisco documentation just says to enable aaa new-model and set the aaa authentication and it should work, but it doesn't. Can anybody help? Even if I have to enable something in Microsoft (on my laptop). The reason for wanting this is to stop someone from jacking into publicly accessible ports, so I want the switch to either authenticate or shut down.
That's about all the config that will go on the switch. There are some dot1x debugging commands that might help if you have not tried them already. I would suspect the problem is in the RADIUS server configuration. If you post your email address I'll send you a doc I got from TAC when I was setting it up. I would post it, but it's too big to attach.
Thanks, please send to firstname.lastname@example.org
I found a dot1x system-auth-control global config command, but when I use it, it tells me all my ports must be in switchport mode access; I have trunk ports.
Trunk port: If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
Dynamic ports: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
command will tell you something which is going wrong.
Thanks, but I have read this information. I don't want to enable 802.1X on trunk ports, but the dot1x system-auth-control command is global. All I want is to enable dot1x port control on the ports I select; it seems that I can only enable it globally, which is no good for me as I have trunk ports that I do not want to participate in 802.1X.
Try adding the following:
aaa authentication default group none
aaa auth dot1x default group radius
swi mode access
dot1x port-control auto
This will not require that all ports are in access mode.
Thanks everyone, I'm hoping this is sorted. Basically the reason that sys-auth would not go in was because some of the ports were left dynamic. After I made them all switchport mode access it took the command and enforced dot1x; I then configured the trunks and it seems to have taken the commands OK (although I haven't tested the trunk links yet as I only have one switch in my lab). Dot1x is working fine now and, thanks to Mike Greene's document (cheers for the email mate), I have managed to configure this using X.509 certificates on the RADIUS server and the client so my users don't have to log in twice.
I think basically the issue was that all the ports had to be statically configured as either access/trunk etc. for the switch to accept the global command; it did not like them being left unconfigured as dynamic. Then obviously you only put the ports you wish into dot1x port-control auto mode.
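The failure mode worked out above (the global dot1x system-auth-control command is refused while any port is still dynamic, and port-control only belongs on static access ports) can be checked before touching the switch. The script below is an added example, not from this thread or from Cisco: it parses a constructed IOS-style running-config (sample interface names and a placeholder RADIUS key are assumed) and lists the ports that would block the global command.

```python
import re

# Constructed sample running-config (not from the thread). FastEthernet0/3
# has no "switchport mode" line, so on a 2950 it is still dynamic and
# "dot1x system-auth-control" will be refused until it is made static.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 key PLACEHOLDER-SECRET
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 description left at defaults
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def dynamic_ports(config: str) -> list:
    """Interfaces with no static 'switchport mode access|trunk' (still dynamic)."""
    static = re.compile(r"^switchport mode (access|trunk)$")
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if not any(static.match(l) for l in lines))

def dot1x_on_non_access(config: str) -> list:
    """Ports asking for dot1x port-control that are not static access ports."""
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if "dot1x port-control auto" in lines
                  and "switchport mode access" not in lines)

def preflight(config: str) -> bool:
    """True when 'dot1x system-auth-control' can be expected to be accepted."""
    return not dynamic_ports(config) and not dot1x_on_non_access(config)
```

Ports reported by dynamic_ports need an explicit switchport mode access or switchport mode trunk before the global command is entered; port-control auto then goes only on the access ports you choose.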
Just a thought: if you enable AAA on the switch it may require a management IP address just to ping the RADIUS server. If you have already configured that then it would be wrong; if not, then try it.
Now I would say you need to go through this document and let me know if it works.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.