5433 Views, 3 Helpful, 11 Replies

Set up RADIUS on my Cisco 9200 switch.

gxs
Level 1

I would like to set up my new 9200L switch as a RADIUS client. Thanks,

11 Replies

Config for dot1x or for admin? 

Thanks for your reply.

This will be for both. 

Thanks,

Hello,

Here is a basic RADIUS setup for a 9200 switch.

! --- Global AAA ---
aaa new-model
!
! Server group used for all dot1x/MAB requests (one "server name" per RADIUS server)
aaa group server radius <group_name>
 server name <server1_name>
 server name <server2_name>
!
aaa authentication dot1x default group <group_name>
aaa authorization network default group <group_name>
aaa accounting update newinfo periodic 120
aaa accounting dot1x default start-stop group <group_name>
!
! Change of Authorization (CoA): the RADIUS servers allowed to send
! disconnect/reauth requests to this switch. Enter the key in clear text;
! "server-key 6 ..." is only accepted after type-6 AES key encryption
! (key config-key password-encrypt + password encryption aes) has been set up.
aaa server radius dynamic-author
 client <server1_IP> server-key <server_key>
 client <server2_IP> server-key <server_key>
!
dot1x system-auth-control
dot1x critical eapol block
!
! Attributes most RADIUS servers (ISE included) expect in the Access-Request
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
! Mark a server dead after 3 unanswered tries within 5 s; skip it for 5 min
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
! The automate-tester user does not need to exist on the server:
! any answer (Accept or Reject) is enough to mark the server alive.
! Same note as above: enter the key in clear text, not "key 6".
radius server <server1_name>
 address ipv4 <server1_IP> auth-port 1812 acct-port 1813
 automate-tester username test ignore-acct-port idle-time 5
 key <key>
!
radius server <server2_name>
 address ipv4 <server2_IP> auth-port 1812 acct-port 1813
 automate-tester username test ignore-acct-port idle-time 5
 key <key>
!
! --- Access port (monitor mode: "authentication open" forwards traffic
! even when authentication fails; replace XX with your VLAN IDs) ---
interface GigabitEthernetX/X/X
 switchport access vlan XX
 switchport mode access
 switchport voice vlan XX
 ! the device-tracking policy XX must be defined beforehand
 device-tracking attach-policy XX
 no logging event link-status
 no logging event power-inline-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan XX
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree guard root
 ! the QoS policy-map output-q must exist; drop this line if you do not use it
 service-policy output output-q
!

It is important to mention that the "server-key" needs to be configured without the type "6", because for the initial config the key encryption is not available yet. And for "authentication order" I would assume that "dot1x mab" is better in most situations like offices. And this config is "monitor mode", which doesn't provide any protection. It has to be moved to "low impact mode" or "closed mode" later.

@gxs IEEE 802.1X implementations are typically quite complex. Better get a consultant to help you, or at least do some training on it. If your RADIUS server is Cisco ISE, the official SISE training is very good.
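The reply above says the posted port config is monitor mode and has to be moved to low-impact or closed mode later. As an added example (not from the thread), this is what the same access port looks like in those two modes. The ACL name PRE-AUTH-ACL, the interface numbers and all VLAN placeholders (XX, <guest_vlan>) are assumptions; the rest mirrors the posted port config, with the "dot1x mab" order the reply recommends.

```cisco
! Added example: the posted access port in low-impact mode and in closed mode.
! PRE-AUTH-ACL, interface numbers and VLAN IDs are placeholders.
!
! --- Low-impact mode ---
! "authentication open" stays, but a port ACL now limits what an
! unauthenticated host can do (DHCP, DNS, PXE/TFTP and nothing else).
! On Access-Accept the RADIUS server overrides it with a downloadable ACL.
ip access-list extended PRE-AUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan XX
 switchport voice vlan XX
 ip access-group PRE-AUTH-ACL in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan XX
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! --- Closed mode ---
! Without "authentication open" only EAPOL (plus CDP/LLDP/STP) passes
! until the session is authorized; every other frame is dropped.
! Hosts that never answer EAP and also fail MAB land in the guest VLAN
! instead of staying blocked forever.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan XX
 switchport voice vlan XX
 no authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication event no-response action authorize vlan <guest_vlan>
 authentication event server dead action reinitialize vlan XX
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! Check the result per port before rolling it out:
!   show authentication sessions interface GigabitEthernet1/0/2 details
!   show ip access-lists interface GigabitEthernet1/0/1
```

Move ports one group at a time: low-impact mode first (the pre-auth ACL shows you immediately which hosts depend on traffic you forgot to permit), closed mode only once the session table shows every expected device authorizing.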

will do. 

Thanks for the advice I appreciate it.

Thanks for the info I do appreciate it.

Is this example for both dot1x and admin RADIUS configuration?

 

This is for dot1x. For admin I would suggest TACACS instead.

Thanks for the quick reply.

We're using a Pulse PSA appliance as our RADIUS server. Will a TACACS configuration work with Pulse, or does it need to be a Cisco TACACS server?

It should. TACACS+ is Cisco proprietary, but TACACS is an industry standard and should work between any devices that are capable of speaking TACACS.

 

Personally I wouldn't be so optimistic about TACACS support. It's not that common on other AAA servers. But perhaps you are fine with RADIUS for admin authentication. TACACS has advantages if you have different admins with different rights for the commands on the switch. But if your small team of admins all have the same rights on the network devices, there is no benefit in using TACACS compared to RADIUS.

Exactly.

For vty (telnet/SSH) auth, RADIUS is fine; no need for TACACS.

@gxs RADIUS config for dot1x has a huge variety, depending on whether you have VoIP, whether you use MAB, etc.

So I think it is better to close this thread and open a separate one for dot1x, listing your exact requirements.
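The thread covers dot1x but never shows the admin part the original question asked for, beyond the remark that RADIUS is fine for vty login. As an added example (not from any poster), here is a vty login via RADIUS with local fallback. The group name RAD-SERVERS, the local user, the ACL name and the management subnet are assumptions; the group would be the same one defined in the dot1x config above.

```cisco
! Added example: admin login on the vty lines via RADIUS, local fallback.
! RAD-SERVERS, admin-local, MGMT-ACL and the management subnet are placeholders.
!
! Local account used only when no RADIUS server answers.
username admin-local privilege 15 secret <strong_local_password>
!
ip access-list standard MGMT-ACL
 permit <mgmt_subnet> <wildcard>
!
aaa new-model
! Named method lists: RADIUS first, "local" only as fallback when the
! whole group is dead. An Access-Reject does NOT fall through to local.
aaa authentication login VTY-AUTH group RAD-SERVERS local
aaa authorization exec VTY-AUTH group RAD-SERVERS local if-authenticated
aaa accounting exec VTY-AUTH start-stop group RAD-SERVERS
! Console stays local so a RADIUS outage can never lock you out.
aaa authentication login CONSOLE local
!
! "radius-server attribute 6 on-for-login-auth" from the dot1x config
! makes the switch send Service-Type in the Access-Request, so the server
! can tell admin logins from 802.1X. For level-15 access the server has to
! return Cisco-AVPair "shell:priv-lvl=15"; otherwise the user lands at
! privilege 1 after exec authorization.
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 accounting exec VTY-AUTH
 access-class MGMT-ACL in
 transport input ssh
!
! Verify from a second session before closing the one you are in:
!   test aaa group RAD-SERVERS <user> <password> new-code
!   show aaa servers
!   debug radius authentication
```

Keep one SSH session open while you apply the `line vty` block and test with a fresh session; if the RADIUS server returns Accept without the priv-lvl attribute, you will see a level-1 prompt rather than a failed login, which is the usual first symptom of a missing authorization profile.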