802.1x authentication on a switchport

ayussuf
Level 1

I am looking to implement a different type of 802.1x and need help.

I would like to give everyone access to vlan 50 if they are not authorized. However, if they are authorized, they will get vlan 75.

Can this be done?

8 Replies

Peter Paluch
Cisco Employee

Hello,

Yes, that is possible. Cisco 802.1X implementation on Catalyst switches recognizes the following types of VLANs:

  • Normal access VLAN of a port that will be available to a properly authenticated client
  • Guest VLAN which accepts clients that do not even support 802.1X (i.e. they have never sent an EAPOL frame since the port became connected)
  • Restricted VLAN, also called Auth-Fail VLAN, into which the port is placed if the client supports 802.1X authentication but failed to provide acceptable credentials

What exact Catalyst type and IOS version are you using? The commands have changed recently, so to be able to provide you with a configuration example that would work for you, it would be very helpful to know what switch and IOS you are currently using.

Best regards,

Peter

I am currently using 2950s with 12.1 IOS for production. I also have a 3560g with 12.2 IOS.

Is the config done on the VLAN or the switchport?

Thank you

Hello,

Regarding the 3560G, I would need to know the precise IOS version. The AAA and 802.1X commands have changed somewhere around 12.2(50)SE.

The configuration is done on a per-switchport basis. For example, the 2950 would be configured as follows:

dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 switchport access vlan 75
 dot1x auth-fail vlan 50
 dot1x guest-vlan 50

Best regards,

Peter

It's 12.2(58)SE1.

The 2950, however, is 12.1(22)EA14.

Hello,

Alright, the configuration for 3560G would be as follows:

dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 75
 authentication port-control auto
 authentication event no-response action authorize vlan 50
 authentication event fail action authorize vlan 50

Please let me know if these settings worked for you.

Best regards,

Peter

How do you configure it to look for the RADIUS server for authentication?

Hello,

I assumed you are already familiar with the basic 802.1X config. Sorry.

This should do the trick:

aaa new-model
aaa authentication dot1x default group radius
radius-server host X.X.X.X auth-port 1812 acct-port 1813 key SECRET
!
dot1x system-auth-control
!
interface FastEthernet0/1
 [ ... use the interface config I suggested earlier ... ]

Replace the X.X.X.X with the IP address of your RADIUS server, and the SECRET with the shared secret between your switch and the RADIUS server. You should verify that your switch can ping the RADIUS server before configuring the 802.1X authentication (you will obviously need to have a proper interface VLAN created and the default gateway set). Also, activating the "aaa new-model" will change the settings for authentication on your console and VTY lines so back up your configuration before making these changes. It may be necessary to perform minor tweaking.

Best regards,

Peter
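The two configurations in this thread (the legacy `dot1x guest-vlan` / `dot1x auth-fail vlan` form for the 2950 and the `authentication event ... action authorize vlan` form for 12.2(50)SE and later) plus the AAA/RADIUS prerequisites from the last reply are easy to get subtly wrong when rolled out across many ports. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config, checks that the global prerequisites (`aaa new-model`, the dot1x method list, a `radius-server host`, `dot1x system-auth-control`) are present, and for every port in `port-control auto` flags a fallback VLAN that is the same as the authorized access VLAN, since that would hand unauthenticated or failed clients the same network as authenticated ones. Both sample configs and the 192.0.2.10 RADIUS address are constructed for the example.

```python
"""Static audit of an IOS-style config for the 802.1X VLAN pattern from this thread.
Added example; the sample configs and the RADIUS address below are constructed."""
import re

# Global prerequisites named in the thread, in the order they should be reported.
GLOBAL_REQUIRED = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa authentication dot1x default group radius":
        re.compile(r"^aaa authentication dot1x default group radius\b"),
    "radius-server host": re.compile(r"^radius-server host \S+"),
    "dot1x system-auth-control": re.compile(r"^dot1x system-auth-control$"),
}


def parse_fallback(cmd):
    """Map one interface sub-command to (event, vlan); handles both the legacy
    12.1-style commands and the newer 'authentication event' syntax."""
    m = re.match(r"^dot1x guest-vlan (\d+)$", cmd)
    if m:
        return "no-response", int(m.group(1))
    m = re.match(r"^dot1x auth-fail vlan (\d+)$", cmd)
    if m:
        return "fail", int(m.group(1))
    m = re.match(r"^authentication event (no-response|fail) action authorize vlan (\d+)$", cmd)
    if m:
        return m.group(1), int(m.group(2))
    return None


def parse_config(text):
    """Split a config into global lines and {interface name: [sub-commands]}.
    Sub-commands are indented by one space; '!' or a blank line ends a section."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_port(name, cmds):
    """Return findings for one interface; ports not in port-control auto are skipped."""
    findings = []
    if not any(c in ("dot1x port-control auto", "authentication port-control auto") for c in cmds):
        return findings
    # Catalyst 802.1X port control only works on a static access port.
    if "switchport mode access" not in cmds:
        findings.append(f"{name}: port-control auto needs 'switchport mode access'")
    access = None
    for c in cmds:
        m = re.match(r"^switchport access vlan (\d+)$", c)
        if m:
            access = int(m.group(1))
    fallback = {}
    for c in cmds:
        parsed = parse_fallback(c)
        if parsed:
            fallback[parsed[0]] = parsed[1]
    for event, vlan in fallback.items():
        if vlan == access:
            findings.append(f"{name}: '{event}' fallback VLAN {vlan} is the authorized VLAN, "
                            "so unauthenticated clients land in the same VLAN as authenticated ones")
    return findings


def audit_config(text):
    """Global prerequisite findings first, then per-port findings."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{label}'" for label, rx in GLOBAL_REQUIRED.items()
                if not any(rx.search(line) for line in global_lines)]
    for name, cmds in interfaces.items():
        findings.extend(audit_port(name, cmds))
    return findings


# Constructed sample: the thread's 3560G port plus the AAA lines from the last reply.
GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SECRET
!
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 75
 authentication port-control auto
 authentication event no-response action authorize vlan 50
 authentication event fail action authorize vlan 50
"""

# Constructed sample with two mistakes: global 802.1X never enabled, and the
# auth-fail VLAN set to the authorized VLAN on a 2950-style port.
BAD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SECRET
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 75
 dot1x port-control auto
 dot1x auth-fail vlan 75
 dot1x guest-vlan 50
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

Run it against `show running-config` output saved to a file; the good sample yields no findings, the bad one reports the missing `dot1x system-auth-control` and the port whose fail VLAN equals the authorized VLAN.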
