802.1x Wired Authentication on a Cisco switch 3550 With ACS 4.2


Introduction

This document describes a basic 802.1X (dot1x) configuration for wired authentication on a Cisco Catalyst 3550 switch, using ACS 4.2 as the RADIUS server.

Prerequisites

  • Switch 3550
  • ACS 4.2

Requirements

Make sure that the ACS server and the switch have IP connectivity to each other.

Components Used

  • Switch 3550
  • ACS 4.2

Configuration on Switch:

##Globally enable RADIUS authentication and define the RADIUS server (sample address and shared key).
Switch(config)# radius-server host 192.168.1.3 key cisco123

##Enable dot1x functionality globally
Switch(config)# dot1x system-auth-control

##Configure AAA
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius

##Configure client interfaces for dot1x
Switch(config)# interface <interface>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <vlan>
Note: Depending on the IOS version, use one of the two commands below.
Switch(config-if)# authentication port-control auto
or
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout quiet-period <seconds to wait after a failed attempt>
Switch(config-if)# dot1x timeout tx-period <seconds before the EAP request is resent>

Configuration on ACS:

Add Switch as a Client on the ACS:

Network Configuration > Add entry AAA client
IP Address:  <IP>
Shared secret:  <key>
Authenticate Using:  Radius (Cisco IOS/PIX 6.0)

System Configuration > Global Authentication Setup
Verify 'Allow EAP-MD5' is checked
Verify 'Allow MS-CHAP Version 2 Authentication' is checked


In order to configure a user, click User Setup on the menu, and complete these steps:
Enter the User information: Network-Admin <username>.
Click Add/Edit.
Enter the Real Name: Network-Admin <descriptive name>.
Add a Description: <your choice>.
Select the Password Authentication: ACS Internal Database.
Enter the Password: <password>.
Confirm the Password: <password>.
Click Submit.


Verify

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Enter these commands in order to confirm that your configuration works properly:

show dot1x
show dot1x summary
show dot1x interface <interface> detail
show authentication sessions interface <interface>
show authentication interface <interface>
Switch(config)# show dot1x
_________________________________________________
Sysauthcontrol              Enabled
Dot1x Protocol Version            3
_________________________________________________
Switch(config)# show dot1x summary
_________________________________________________
Interface       PAE     Client          Status
_________________________________________________
Fa0/4           AUTH
_________________________________________________
Switch(config)# show dot1x interface fa0/4 detail
_________________________________________________
Dot1x Info for FastEthernet0/4
_________________________________________________
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 5
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10
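Reading the detail output by eye is error-prone, so here is an added example (not part of the original document) that parses `show dot1x interface <interface> detail` text and flags settings under which the port does not actually enforce 802.1X, for instance a PortControl of FORCE_AUTHORIZED rather than AUTO. The sample output is constructed to mirror the listing above; the function names are my own.

```python
"""Parse 'show dot1x interface <if> detail' output and flag ports on which
802.1X is configured but not actually enforced."""
import re

# Constructed sample modelled on the output shown above, not captured from a real switch.
SAMPLE_OUTPUT = """\
Dot1x Info for FastEthernet0/4
_________________________________________________
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 5
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10
"""

_KV = re.compile(r"^(\w+)\s*=\s*(\S+)$")          # "Key    = Value" lines
IOS_DEFAULT_QUIET_PERIOD = 60                      # seconds (IOS default)


def parse_dot1x_detail(text: str) -> dict:
    """Return the 'Key = Value' pairs of the listing plus the interface name."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Dot1x Info for "):
            info["Interface"] = line[len("Dot1x Info for "):]
            continue
        m = _KV.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def check_enforcement(info: dict) -> list:
    """Return human-readable findings; an empty list means the port enforces dot1x."""
    findings = []
    if info.get("PAE") != "AUTHENTICATOR":
        findings.append("PAE is not AUTHENTICATOR: 'dot1x pae authenticator' is missing")
    port_control = info.get("PortControl")
    if port_control != "AUTO":
        # FORCE_AUTHORIZED admits any host without EAP; only AUTO requires authentication.
        findings.append(f"PortControl is {port_control}: set port-control to 'auto'")
    if int(info.get("QuietPeriod", IOS_DEFAULT_QUIET_PERIOD)) < IOS_DEFAULT_QUIET_PERIOD:
        findings.append("QuietPeriod is below the IOS default of 60 s: "
                        "a failed supplicant can retry sooner")
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_detail(SAMPLE_OUTPUT)
    for finding in check_enforcement(parsed):
        print(f"{parsed['Interface']}: {finding}")
```

Run the script against the saved output of the show command for each dot1x port; a port that prints no findings is configured as the section above intends.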

Troubleshoot

This section provides debug commands that you can use in order to troubleshoot your configuration.

Note: Refer to Important Information on Debug Commands before you use debug commands.

debug dot1x all
debug authentication all
debug radius (RADIUS exchange details at debug level)
debug aaa authentication (AAA authentication debugging)
debug aaa authorization (AAA authorization debugging)

More Information

802.1x Wired Authentication on a Catalyst 3550 Series Switch and an ACS Version 4.2 Configuration Example