Re: Wired 802.1X

This question is not fully clear. Do you want to use another vendor switch that then should authenticate the attached computers, or do you want to attach another vendor switch to a cisco switch and authenticate that switch?
The first should work, if the vendor switch supports 802.1x. If it doesn't support it, then some cisco switches support that too, I think it's called "multi-host" mode.

ปลาวาฬทราย RMUTT CPE IX · ‎07-27-2021

I want to use another vendor switch that then should authenticate the attached computers, but I configured like this the interface was 'error-disabled'.

interface GigabitEthernet0/36
 description link to another vendor switch
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
end

Thank you very much.

patoberli · ‎07-27-2021

Ok, so if your other switch can do 802.1x authentication, then disable it for the uplink port on the Cisco switch. Unless you want to authenticate the Cisco switch itself.

ปลาวาฬทราย RMUTT CPE IX · ‎07-29-2021

Hi,

Another vendor switch doesn't support, how should I do?

Thank you very much.

patoberli · ‎07-30-2021

With another vendor switch you are mostly out of luck. There are some ways, but you can authenticate the port with the first client that connects to the other vendor switch. Downside, all other clients on that foreign switch will come into the same VLAN and are also all authenticated. This can cause various problems though and I don't recommend it.
Regarding the Catalyst 1000, it should support it, here is the guide for it:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst1000/software/releases/15_2_7_e/configuration_guides/sec/b_1527e_security_c1000_cg/configuring_radius.html

ปลาวาฬทราย RMUTT CPE IX · ‎08-02-2021

ah, I forgot 'aaa new-model' command.

Then how to verify connection to the radius? and which windows authentication method should I use?

Thank you very much.

patoberli · ‎08-02-2021

This basically all depends on your Radius server and what authentication type you want to use. Please read up first about the different types (username+password, user or device certificate, combination, just Windows domain membership, .....).
Depending on your business needs, you need to configure the right one for you and configure this at the Radius server and then the client.

patoberli · ‎08-02-2021

If the other vendor switch should do the authentication, disable authentication on this listed port.

ปลาวาฬทราย RMUTT CPE IX · ‎07-29-2021

Hi,

What about the C1000-24T-4G-L, I see the datasheet says it support here https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-1000-series-switches/nb-06-cat1k-ser-switch-ds-cte-en.html. However, It has no 'radius' command, how should I do?

Thank you very much.

pieterh · ‎07-30-2021

you should be able to use a dumb (non-manageble) switch,

but then you need to add MAB as authentication method on the port to authenticate the mac-address of this switches uplink

after that you can use the multi-host mode as suggested by patoberli to auth all clients with DOT1x supplicant connected to this dumb switch, auth is done by the 2960, not the dumb switch