802.1x command help

tedauction
Level 1

Hello, I am trying to put together a config for port-based 802.1x authentication to a Windows NPS RADIUS server. I have the following questions.

- I want the port to be auto-authorized if a connection failure to the RADIUS server occurs. What additional command do I need for that?

- Do I need any special commands to exempt the voice VLAN from having to authenticate, i.e. I want my Cisco phones on the voice VLAN to auto-connect without any 802.1x authorisation requirement?

- Is it safe to implement the configuration below on a production switch if I want to test it on just one port? i.e. will it have any adverse effect on the switch and the other ports that I am not testing (those other ports are currently using switchport port-security sticky)?

- Is this all the configuration I need to get it working?

Thank you kindly for any help.

GLOBAL CONFIG:
aaa new-model
radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey
aaa authorization network default group radius
aaa authentication dot1x default group radius
dot1x system-auth-control
! to remove the need for the 'enable config' prompt when using VTY lines
aaa authorization exec default local if-authenticated
! dead-criteria is a global-config command, not an interface command
radius-server dead-criteria time 10 tries 3

TEST INTERFACE CONFIG:
interface g0/12
 switchport mode access
 switchport voice vlan 110
 authentication port-control auto

3 Replies

Francesco Molino
VIP Alumni

Hi

I've replied to another post with a standard port configuration: https://supportforums.cisco.com/comment/11844331#comment-11844331

For voice devices, you now need to authenticate them even if it's only MAB. On older versions there was a feature called CDP Bypass, but it is deprecated.

To allow a port when a RADIUS server is down, you need to use the following commands:

authentication event server dead action authorize vlan xxx ==> your data VLAN

authentication event server dead action authorize voice ==> for voice. It will use the default voice VLAN configured on the port

authentication event server alive action reinitialize

For testing purposes, I would add authentication open on the port, as some default traffic is allowed. Before going into production, you can move to closed mode and specify an ACL that opens only the needed ports.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question
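The three server-dead commands above, assembled into one complete closed-mode port configuration with 802.1X, MAB fallback and a phone in the voice domain. This is an added example, not configuration from the original post, from Francesco's linked post or from Cisco documentation. It assumes IOS 15.x classic `authentication` command syntax and the new-style `radius server` block; the server name NPS1, the group name NPS, VLAN 10 as the data/critical VLAN and the 5-minute deadtime are assumptions, and 10.0.0.100, VLAN 110 and MyRadiusKey are the placeholders from the original post.

```ios
! --- Global configuration ---
aaa new-model
!
! Define the NPS server once and put it in a named group; dead detection
! and the server-dead fallback are evaluated per group.
radius server NPS1
 address ipv4 10.0.0.100 auth-port 1812 acct-port 1813
 key MyRadiusKey
!
aaa group server radius NPS
 server name NPS1
!
aaa authentication dot1x default group NPS
aaa authorization network default group NPS
aaa accounting dot1x default start-stop group NPS
!
! A server is marked dead after 3 unanswered requests within 10 seconds
! and stays marked dead for 5 minutes before the switch retries it.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Without this line every port stays force-authorized, whatever is
! configured under the interface.
dot1x system-auth-control
!
! --- Test port ---
interface GigabitEthernet0/12
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! One host in the data domain, one phone in the voice domain.
 authentication host-mode multi-domain
 ! Try 802.1X first; a silent client (no supplicant) falls through to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! A failed 802.1X attempt also moves on to MAB instead of stopping.
 authentication event fail action next-method
 ! All servers in the group dead: new data sessions are authorized into
 ! VLAN 10, the phone is authorized into the voice VLAN 110.
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 ! A server comes back: re-authenticate the sessions authorized while dead.
 authentication event server alive action reinitialize
 ! Enforce authentication on this port only (closed mode: no
 ! "authentication open", so only EAPOL and control traffic pass first).
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two points to check before leaving this on a production switch: the server-dead fallback only applies to sessions that are being authenticated while every server in the group is already marked dead, so it does nothing for a client that was mid-authentication when the server stopped answering until its retries exhaust the dead criteria; and `authentication open`, suggested for testing, lets all traffic through before authorization, so it is a monitoring mode rather than a control and should not survive into production.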

Thank you Francesco,

So with a switchport with a data VLAN (computer) and a voice VLAN (phone) I have the following config:

! 0 is not a valid VLAN ID; substitute the data VLAN (1-4094)
switchport access vlan 0
switchport voice vlan 110
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10

I do not have any MAB database in place, so if 802.1x fails for the computer, there is no way the port will authorise. If this is the case, do I still need the MAB commands as above?

Or is there any way whereby, if the computer fails 802.1x authentication, the switchport voice VLAN will still work on the port?

Hi

I don't know which RADIUS server you'll use, but you can set up a default rule as allow with a specific VLAN for data and voice.

I would recommend using MAB, because some devices have no dot1x supplicant and the only way for them would be MAB.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question