This document provides the basic dot1x (802.1X) configuration for wired authentication with ACS 4.2 using the RADIUS protocol.
Prerequisites
Requirements
Make sure that the ACS and the switch are connected to each other.
Components Used
Configuration on Switch:
##Globally enable radius auth and define Radius server.
Switch(config)# radius-server host 192.168.1.3 key cisco123
##Enable dot1x functionality
Switch(config)# dot1x system-auth-control
##Configure aaa
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
##Configure client interfaces for dot1x
Switch(config)# interface <interface>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <vlan>
Note: Depending on the IOS version, use one of the following two commands.
Switch(config-if)# authentication port-control auto
or
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout quiet-period <seconds to wait after failed attempt>
Switch(config-if)# dot1x timeout tx-period <time to resubmit request>
Configuration on ACS:
Add Switch as a Client on the ACS:
Network Configuration > Add entry AAA client
IP Address: <IP>
Shared secret: <key>
Authenticate Using: Radius (Cisco IOS/PIX 6.0)

System Configuration > Global Authentication Setup
Verify ‘Allow EAP-MD5’ is checked
Verify ‘Allow MS-CHAP Version 2 Authentication’ is checked

In order to configure a user, click User Setup on the menu, and complete these steps:
Enter the User information: Network-Admin <username>.
Click Add/Edit.
Enter the Real Name: Network-Admin <descriptive name>.
Add a Description: <your choice>.
Select the Password Authentication: ACS Internal Database.
Enter the Password: ........ <password>.
Confirm the Password: <password>.
Click Submit.

Verify
The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.
Enter these commands in order to confirm that your configuration works properly:
show dot1x
show dot1x summary
show dot1x interface
show authentication sessions interface <interface>
show authentication interface <interface>
Switch(config)# show dot1x
_________________________________________________
Sysauthcontrol Enabled
Dot1x Protocol Version 3
_________________________________________________
Switch(config)# show dot1x summary
_________________________________________________
Interface PAE Client Status
_________________________________________________
Fa0/4 AUTH
_________________________________________________
Switch(config)# show dot1x interface fa0/4 detail
_________________________________________________
Dot1x Info for FastEthernet0/4
_________________________________________________
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 5
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 10
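The sample output above reports PortControl = FORCE_AUTHORIZED, a mode in which the port passes traffic without any 802.1X exchange, so the port-control auto setting is not in effect on Fa0/4. The following Python check is an added example, not part of the original document or of any Cisco tool; it parses show dot1x interface ... detail text and flags such ports. It assumes that the switch prints AUTO when port-control auto is active, and the function names are hypothetical.

```python
import re

# Trimmed copy of the "show dot1x interface fa0/4 detail" sample on this page.
SAMPLE_DETAIL = """\
Dot1x Info for FastEthernet0/4
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 5
TxPeriod = 10
"""

# Constructed sample: the same port, assuming "port-control auto" is displayed as AUTO.
SAMPLE_AUTO = SAMPLE_DETAIL.replace("FORCE_AUTHORIZED", "AUTO")


def parse_dot1x_detail(text):
    """Return {interface: {field: value}} from 'show dot1x interface ... detail' text."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Dot1x Info for (\S+)", line)
        if header:
            current = ports.setdefault(header.group(1), {})
            continue
        field = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return ports


def audit_ports(text):
    """Return a list of (interface, finding) for ports that do not enforce 802.1X."""
    findings = []
    for name, fields in parse_dot1x_detail(text).items():
        if fields.get("PAE") != "AUTHENTICATOR":
            findings.append((name, "port is not a dot1x authenticator"))
        control = fields.get("PortControl", "<missing>")
        if control != "AUTO":
            # FORCE_AUTHORIZED passes traffic with no authentication exchange;
            # FORCE_UNAUTHORIZED blocks every client.
            findings.append((name, "PortControl is %s, expected AUTO" % control))
    return findings


if __name__ == "__main__":
    for name, finding in audit_ports(SAMPLE_DETAIL):
        print(name, "-", finding)
```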
Troubleshoot
This section provides debug commands that you can use in order to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug dot1x all
debug authentication all
debug radius (provides the information of radius at debug level)
debug aaa authentication (debug for authentication)
debug aaa authorization (debug for authorization)
More Information
802.1x Wired Authentication on a Catalyst 3550 Series Switch and an ACS Version 4.2 Configuration Example