FreeRADIUS Server (10.10.10.10)
1. Edit "users" file
root@FreeRADIUS:/etc/freeradius# pico users
"Jone Wild" Cleartext-Password := "!PB@1@nce"
Reply-Mesage = " Hello~ "
2. Edit "clients.conf" file
root@FreeRADIUS:/etc/freeradius# pico clients.conf
client 10.10.10.0/24 {
        secret = lab12345
        shortname = dot.x_lab
}
3. Restart service
root@FreeRADIUS:/etc/freeradius# /etc/init.d/freeradius restart
Cisco Switch
1. Global configuration (Required)
Cisco-SW# conf t
Cisco-SW(config)# aaa new-model
Cisco-SW(config)# aaa authentication dot1x default group radius
Cisco-SW(config)# aaa authorization network default group radius (optional)
Cisco-SW(config)# dot1x system-auth-control
Cisco-SW(config)# username cisconet privilege 15 secret P@$$w0rd
Cisco-SW(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key lab12345
2. Interface configuration (Required)
Cisco-SW# conf t
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# switchport mode access
Cisco-SW(config-if)# switchport access vlan [data vlan]
Cisco-SW(config-if)# dot1x port-control auto
Cisco-SW(config-if)# end
3. Periodic Re-Authentication (Optional)
Cisco-SW# conf t
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# dot1x reauthentication ; default – disabled
Cisco-SW(config-if)# dot1x timeout reauth-period 3600 ; default 60
Cisco-SW(config-if)# dot1x max-req 3
Cisco-SW(config-if)# dot1x max-reauth-req 3
Cisco-SW(config-if)# end
4. Quiet Period (Optional)
Cisco-SW# conf t
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# dot1x timeout quiet-period 10 ; default – 60
Cisco-SW(config-if)# dot1x timeout tx-period 10
Cisco-SW(config-if)# dot1x timeout supp-timeout 10
Cisco-SW(config-if)# end
5. Guest VLAN (Optional)
Cisco-SW# conf t
Cisco-SW(config)# dot1x guest-vlan supplicant
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# dot1x guest-vlan [vlan-id]
or
Cisco-SW(config-if)# authentication event no-response action authorize vlan [vlan-id]
Cisco-SW(config-if)# end
* A Restricted VLAN can also be configured for clients that fail authentication
Cisco-SW(config-if)# authentication event fail [retry retries] action authorize vlan [vlan-id]
6. Host setting (Optional)
Cisco-SW# conf t
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# dot1x port-control auto
Cisco-SW(config-if)# dot1x host-mode {single-host | multi-host}
or
Cisco-SW(config-if)# authentication host-mode {single-host | multi-host} (new command)
Cisco-SW(config-if)# end
* Host modes
Single-Host Mode: allows a single node (ex. desktop)
Multiple-Host Mode: allows multiple nodes once the first node has authenticated (ex. wireless AP)
Multidomain Authentication Mode: IP phone + desktop daisy-chained on one port
Multiauthentication Mode: an IP phone + multiple desktops, each authenticated separately
Pre-Authentication Open Access: for testing purposes only, waives authentication
7. Default 802.1x setting
Cisco-SW# conf t
Cisco-SW(config)# interface fastEthernet 0/20
Cisco-SW(config-if)# dot1x default
Cisco-SW(config-if)# end
802.1x Default value
AAA : Disabled
Switch 802.1x enable state : Disabled
Per-port 802.1x enable state : Disabled(Force-authorized)
Periodic re-authentication : Disabled
Number of seconds between re-authentication attempts : 3600 seconds
Quiet period : 60 seconds
Retransmission time : 30 seconds
Maximum retransmission number : 2 times
Host mode : single-host mode
Guest VLAN : None specified
Client timeout period : 30 seconds
Authentication server timeout period : 30 seconds
8. MAC Authentication Bypass (MAB)
; MAB is an option for nodes that cannot perform IEEE 802.1x authentication, such as network printers, fax machines, etc.
Cisco-SW# conf t
Cisco-SW(config)# dot1x mac-auth-bypass [eap]
or
Cisco-SW(config)# mab [eap]
* "eap"means that send information in eap method.
9. Auto VLAN Assignment
; A specific VLAN can be assigned after IEEE 802.1x authentication completes. The RADIUS server must have a pre-configured policy for the VLAN assignment.
RADIUS IETF attributes
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
It requires "aaa authorization network default method1 method2…"
Cisco-SW(config)# aaa authorization network default group radius
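As an added illustration (not part of the original notes), the following Python encodes the three RADIUS reply attributes above the way they appear on the wire (RFC 2868 tagged attributes: Tunnel-Type value 13 = VLAN, Tunnel-Medium-Type value 6 = IEEE-802) and shows the check a switch applies before honouring an assignment. The sample Access-Accept bytes are constructed here; the function names are my own.

```python
import struct

# Attribute numbers from the notes above; enum values from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN name or VLAN ID as a string
VLAN, IEEE_802 = 13, 6
TAGGED_INT, TAGGED_STR = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}, {TUNNEL_PRIVATE_GROUP_ID}

def encode_tagged_int(attr, tag, value):
    """Tagged integer AVP: type, length(6), tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr, tag, text):
    """Tagged string AVP: type, length, tag byte, string bytes."""
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def vlan_reply_attrs(vlan, tag=1):
    """The three reply AVPs a RADIUS server sends to assign VLAN `vlan`."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def parse_avps(blob):
    """Walk a RADIUS attribute blob (constructed sample) and yield (type, tag, value)."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + length]
        # Tag byte is 0x01..0x1F; a larger first byte of a string is data, not a tag.
        if t in TAGGED_INT or (t in TAGGED_STR and body[0] <= 0x1F):
            tag, value = body[0], body[1:]
        else:
            tag, value = 0, body
        yield t, tag, value
        i += length

def assigned_vlan(blob):
    """Return the VLAN the switch would honour, or None when the triple is incomplete,
    uses mismatched tags, or does not say Tunnel-Type=VLAN / Medium=IEEE-802."""
    groups = {}
    for t, tag, value in parse_avps(blob):
        groups.setdefault(tag, {})[t] = value
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None
```

A reply that carries only Tunnel-Private-Group-ID, or one that says Tunnel-Medium-Type = IPv4, yields None, which is why a user lands in the default VLAN when the server policy is incomplete.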
10. Flex Authentication Order
; It allows the order of authentication methods to be chosen. Supported platforms and minimum software versions:
Cisco Catalyst 6500 Series switches : Cisco IOS 12.2(33)SXI
Cisco Catalyst 4500 Series switches : Cisco IOS 12.2(50)SG
Cisco Catalyst 3750, 3560 and 2960 switches : Cisco IOS 12.2(50)SE
By default a Cisco switch tries 802.1x authentication first and MAB afterwards.
FlexAuth can be used to change the order of authentication.
Once you change the order of the authentication methods, the priority of the methods changes as well.
FlexAuth commands
Cisco-SW# conf t
Cisco-SW(config)# int fa1/48
Cisco-SW(config-if)# authentication order mab dot1x
Cisco-SW(config-if)# authentication priority mab dot1x
or
Cisco-SW# conf t
Cisco-SW(config)# int fa1/48
Cisco-SW(config-if)# authentication order [dot1x | mab] | {webauth}
Cisco-SW(config-if)# authentication priority [dot1x | mab] | {webauth}
Cisco-SW(config-if)# authentication event fail action [next-method | authorize vlan [vlan-id]]
Cisco-SW(config-if)# authentication fallback web-auth
11. Sample configuration
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.77.5 auth-port 1812 acct-port 1813 key lab12345
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet x/x
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport access vlan [data vlan]
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 10
dot1x timeout server-timeout 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 3
dot1x guest-vlan 33
dot1x auth-fail vlan 33
spanning-tree portfast
12. Show commands
Cisco-SW# show dot1x
or
Cisco-SW# show dot1x interface [interface ID]
Cisco-SW# dot1x re-authenticate interface [interface ID]
Tips & Tricks
– IEEE 802.1x ONLY works on L2 static access ports, Voice VLAN ports and L3 routed ports.
– IEEE 802.1x does NOT work on L2 dynamic access ports, Trunk ports, EtherChannel ports and SPAN ports.
– During the IEEE 802.1x authentication process (unauthorized state), all traffic is dropped except EAPOL and CDP/LLDP.
** RADIUS testing utility : NTRadPing 1.5 / http://www.dialways.com/