01-30-2017 03:01 PM
Hello, I am trying to put together a config for port-based 802.1x authentication to Windows NPS RADIUS server. I have the following questions.
- I want the port to be auto authorized if a connection failure to the RADIUS server occurs. What additional command do I need for that?
- Do I need any special commands to exempt the voice VLAN from having to authenticate, i.e. I want my Cisco phones on the Voice VLAN to auto connect without any 802.1x authorisation requirement?
- Is it safe to implement the configuration below on a production switch if I want to test it on just one port? i.e. will it have any adverse effect on the switch and other ports that I am not testing (those other ports are currently using switchport port-security sticky)?
- Is this all the configuration I need to get it working ?
Thank you kindly for any help.
GLOBAL CONFIG:
- aaa new-model
- radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey
- aaa authorization network default group radius
- aaa authentication dot1x default group radius
- dot1x system-auth-control
- aaa authorization exec default local if-authenticated (to remove need for 'enable config' prompt when using VTY lines)
TEST INTERFACE CONFIG:
interface g0/12
switchport mode access
switchport voice vlan 110
authentication port-control auto
radius-server dead-criteria time 10 tries 3
01-30-2017 04:17 PM
Hi
I've replied to another post with a standard port configuration : https://supportforums.cisco.com/comment/11844331#comment-11844331
For voice devices, you now need to authenticate them even if it's only MAB. On older versions there was a feature called CDP Bypass, but it is deprecated.
To allow a port when a RADIUS server is down, you need to use the following commands:
authentication event server dead action authorize vlan xxx ==> Your data vlan
authentication event server dead action authorize voice ==> For Voice. It will use the default voice vlan configured on the port
authentication event server alive action reinitialize
For testing purposes, I will add authentication open on the port, as some default traffic is allowed. Before going into production, you can move to closed mode and specify an ACL that opens only the needed ports.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
01-30-2017 10:22 PM
Thank you Francesco,
so with a switchport with a data VLAN (computer) and voice VLAN (phone) I have the following config:
switchport access vlan 0
switchport voice vlan 110
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
I do not have any MAB database in place, so if 802.1x fails for the computer then there is no way the port will authorise. If this is the case, do I still need the MAB commands as per above?
Or is there any way whereby, if the computer fails 802.1x authentication, the switchport voice VLAN will still work on the port?
01-31-2017 04:42 AM
Hi
I don't know which RADIUS server you'll use, but you can set up a default rule as allow with a specific VLAN for data and voice.
I would recommend using MAB because some devices have no dot1x supplicant, and MAB would be the only way.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
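The following consolidated switch configuration is an added example that ties the two posts together; it is not taken from either reply. It assumes data VLAN 10 (the "xxx" in the dead-server command), the original poster's RADIUS address and voice VLAN 110, and a placeholder shared secret. The dead-criteria and deadtime commands are placed globally, where IOS accepts them, rather than under the interface.

```cisco
! Global AAA / RADIUS (placeholder secret; replace before use)
aaa new-model
radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! Mark the server dead after 3 unanswered attempts within 10 seconds,
! and keep it marked dead for 5 minutes before retrying
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Single test port: data device on VLAN 10, Cisco phone on voice VLAN 110
interface GigabitEthernet0/12
 description 802.1X/MAB test port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! One data and one voice session per port
 authentication host-mode multi-domain
 ! Try MAB first, but let a successful dot1x result take precedence
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Fallback when NPS is unreachable: data on VLAN 10, phone on the voice VLAN
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication periodic
 authentication port-control auto
 ! Test phase only: permits traffic before authentication completes.
 ! Remove this line (closed mode) before production use.
 authentication open
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

While "authentication open" is present, confirm the RADIUS result rather than trusting connectivity, e.g. with "show authentication sessions interface GigabitEthernet0/12", since traffic flows even when authentication fails.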