
Migration from HP to Cisco 802.1x

UniWAQ
Level 1

Hi Team,

I want to migrate HP 2510 to Cisco 2900 series. I need your support regarding 802.1x implementation for Cisco 2960, and we have Microsoft NSP for dot1x. Could anyone guide me further about it? I prepared the following template:-

Existing HP ProCurve Configuration

aaa authentication port-access eap-radius
aaa accounting network start-stop radius
radius-server key rad4procurve
radius-server host 10.32.10.1
port-security 1 learn-mode port-access
port-security 2 learn-mode port-access
port-security 3 learn-mode port-access
port-security 4 learn-mode port-access

aaa port-access authenticator 1-20
aaa port-access authenticator 1 reauth-period 7200
aaa port-access authenticator 1 unauth-vid 12
aaa port-access authenticator 1 client-limit 2
aaa port-access authenticator 2 reauth-period 7200
aaa port-access authenticator 2 unauth-vid 12
aaa port-access authenticator 2 client-limit 2
aaa port-access authenticator 3 reauth-period 7200
aaa port-access authenticator 3 unauth-vid 12
aaa port-access authenticator 3 client-limit 2
aaa port-access authenticator 4 reauth-period 7200
aaa port-access authenticator 4 unauth-vid 12
aaa port-access authenticator 4 client-limit 2

aaa port-access authenticator active

Cisco 2960 Configuration 


radius-server host 10.32.10.1 key rad4procurve
address ipv4 10.32.10.1 auth-port 1812 acct-port 1813
timeout 10
retransmit 5

!
ip radius source-interface Loopback0


aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE_GROUP

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 65
radius-server deadtime 1


authentication mac-move permit
authentication logging verbose
access-session template monitor

!
mab logging verbose
!
!
dot1x system-auth-control
dot1x logging verbose

device-sensor accounting
device-sensor notify all-changes
!
!
ip device tracking
ip device tracking probe delay 10
!

interface range gigabitEthernet XYZ
description XXXXX
switchport access vlan XXXX
switchport mode access
authentication control-direction in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation replace
authentication open
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 5
dot1x timeout ratelimit-period 300
no shut
!
################################ dot1x######################

1 Reply

Hi,

The command radius-server is being deprecated; you may want to define your radius servers as

radius server RAD1
 address ipv4 10.32.10.1 auth-port 1812 acct-port 1813
 key rad4procurve

You've referenced a radius group in the aaa global commands but not defined the group, you would need to use the following command.

aaa group server radius ISE_GROUP
 server name RAD1

You probably also want the following interface level commands

authentication event fail action next-method

I think you've got one of the commands slightly wrong: authentication violation replace. This should be:-

authentication violation {protect | restrict | shutdown}

HTH
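The reply's first two points (legacy radius-server syntax, a server group referenced but never defined) are exactly the kind of thing a template review should catch before the config reaches a switch. The following is an added example, not code from the poster, the reply or Cisco: a small linter for a Cisco IOS 802.1X template that flags those two issues plus two prerequisites the template also lacks (aaa new-model, and the global dot1x enable when ports are authenticators). SAMPLE_CONFIG is a constructed excerpt of the template above.

```python
"""Sanity-check a Cisco IOS 802.1X template for common configuration gaps."""
import re

# Constructed sample: the poster's template reduced to the lines the checks look at.
SAMPLE_CONFIG = """
radius-server host 10.32.10.1 key rad4procurve
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
dot1x system-auth-control
interface range gigabitEthernet 1/0/1 - 20
 authentication port-control auto
 dot1x pae authenticator
"""

METHOD_LIST_PREFIXES = ("aaa authentication ", "aaa authorization ", "aaa accounting ")


def lint_dot1x_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means the template passed every check."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. Legacy 'radius-server host' lines: current IOS expects 'radius server <name>' blocks.
    for ln in lines:
        if ln.startswith("radius-server host "):
            findings.append(f"deprecated syntax: '{ln}' (use 'radius server <name>' with 'address ipv4 ...')")

    # 2. Every 'group <name>' used by a method list must have a matching 'aaa group server radius'.
    referenced = {m.group(1) for ln in lines if ln.startswith(METHOD_LIST_PREFIXES)
                  for m in re.finditer(r"\bgroup (\S+)", ln)}
    defined = {ln.split()[-1] for ln in lines if ln.startswith("aaa group server radius ")}
    for name in sorted(referenced - defined):
        findings.append(f"undefined server group: '{name}' (add 'aaa group server radius {name}')")

    # 3. Method lists are ignored until 'aaa new-model' is configured.
    if any(ln.startswith("aaa ") for ln in lines) and "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model': aaa method lists will not take effect")

    # 4. Per-port authenticators do nothing without the global 802.1X enable.
    if "dot1x pae authenticator" in lines and "dot1x system-auth-control" not in lines:
        findings.append("missing 'dot1x system-auth-control': interface dot1x settings stay inactive")

    return findings


if __name__ == "__main__":
    for finding in lint_dot1x_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the deprecated radius-server line, the undefined ISE_GROUP and the missing aaa new-model; once the reply's radius server and aaa group server blocks plus aaa new-model are added it returns no findings.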
