cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
280
Views
0
Helpful
1
Replies
Highlighted
Beginner

Wired 802.1X with custom authentication list - no "default"

Hi,

 

I do not want to use, authentication list named "default" for 802.1x authentication. I want to use my own custom list.

 

For example for ssh login I use - 

 

aaa new-model

 

radius server nps01
   address ipv4 172.16.245.11 auth-port 1812 acct-port 1813
   key test123

 

aaa group server radius nps-servers
    server name nps01

 

aaa authentication login my-ssh-login group nps-servers local
aaa authorization exec my-ssh-autho group nps-servers local

line vty 0 4
  authorization exec my-ssh-autho
  login authentication my-ssh-login
  transport input ssh

 

But for 802.1x -

 

I must write 

 

aaa authentication dot1x default group nps-servers

aaa authorization network default group nps-servers

 

But I do not want to use this default list, I want to use my own custom named list like SSH, for example -

 

aaa authentication dot1x auth-dot1x group nps-servers
aaa authorization network autho-dot1x group nps-servers

 

But it does not work, as expected. I need to bind these list with 802.1x process. And I do not know if it is possible or what are the commands. As in for SSH access, I have bind them under vty lines.

 

All the Cisco's documentation refers to this default list. For 802.1x, is it possible to use a custom list?

 

Regards,

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Wired 802.1X with custom authentication list - no "default"

This is only possible when using IBNS 2.0. Here is snippet, but suggest going through wired guide.

policy-map type control subscriber PORT-AUTH-POLICY-I
event session-started match-all
10 class always do-all
10 authenticate using dot1x aaa authc-list auth-dot1x authz-list autho-dot1x priority 10
20 authenticate using mab aaa authc-list auth-dot1x authz-list autho-dot1x priority 20

Accounting still needs to use 'default' even with IBNS 2.0.

1 REPLY 1
Cisco Employee

Re: Wired 802.1X with custom authentication list - no "default"

This is only possible when using IBNS 2.0. Here is snippet, but suggest going through wired guide.

policy-map type control subscriber PORT-AUTH-POLICY-I
event session-started match-all
10 class always do-all
10 authenticate using dot1x aaa authc-list auth-dot1x authz-list autho-dot1x priority 10
20 authenticate using mab aaa authc-list auth-dot1x authz-list autho-dot1x priority 20

Accounting still needs to use 'default' even with IBNS 2.0.