I will suppose you have a Windows Server in your business environment, as this is mostly the case. The NPS (Network Policy Server) role needs to be installed on the Active Directory server, and a network policy needs to be created in order to make that server an authentication server. This is the "NPS Policy for dot1x" policy example. It basically has only the NAS Port Type condition set to Ethernet, so that it matches only dot1x authentication requests coming to our RADIUS server:

One more thing, which is an additional security feature against bogus RADIUS clients: every device which will use this RADIUS server as its authentication server needs to be configured on that server as a RADIUS client. So every switch that is configured for dot1x and sends requests to our RADIUS server needs to be added to that server as a RADIUS client. This is done by giving the server the switch's IP address and a shared key. NPS discards requests arriving from any address that is not registered as a client, and the shared key is what authenticates the RADIUS messages exchanged between the switch and the server, so use a long, random key rather than a short word.

RADIUS client addition (remember, our RADIUS client is our access switch, which will send the authentication requests to our RADIUS server):

Access switch configuration is fairly straightforward and includes:

1. the RADIUS server definition on the switch (the server's IP address and the shared key),
2. dot1x authentication enabled globally in the AAA settings under aaa new-model,
3. dot1x enabled on the access interface towards the client (GigabitEthernet 1/1).

If we wanted the simplest configuration possible following the above list, it would look something like this:

SW1# configure terminal
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# ip radius source-interface loopback 1
SW1(config-if)# end

Note that ip radius source-interface loopback 1 will be some other interface with an IP address configured on your switch. This is the address of the RADIUS client that you configured above on the RADIUS server in the RADIUS client setting: the source address of the switch's requests has to match that client entry exactly, otherwise the server treats the switch as an unknown client and drops the requests.

If you have a switch running some newer IOS version (like 15.0(2)SE6), your RADIUS server definition configuration will be slightly different from the one above. It will be like this:

SW1# configure terminal

We configured the RADIUS server on the switch with its IP address and the RADIUS client pre-shared key (the same one configured on the server side above). After that we enabled dot1x authentication globally in the AAA authentication settings under aaa new-model. Finally we enabled dot1x on the GigabitEthernet 1/1 interface for the clients connected to it. If someone connects to Gi1/1 with a Windows machine or any other device, it will only get connectivity if it supports dot1x (runs an 802.1X supplicant) and has the credentials needed to authenticate against the RADIUS server. More options are available for how to handle unauthenticated users and what to do with the different kinds of clients connected. I have put a more complicated dot1x switch configuration in a separate article, which will be published soon for the more enthusiastic part of the audience.
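The switch side of the setup described above, written out as an added example; this is not the article's own listing. It assumes a hypothetical NPS server at 10.10.10.5, a Loopback1 address of 10.10.20.1 on the switch (the address registered as the RADIUS client on NPS) and the shared key Sup3r-S3cret-K3y. Both the legacy radius-server host form and the newer radius server form used by IOS 15.x are shown; use whichever your IOS accepts, not both. The verification commands at the end are exec-mode commands, given as comments.

```cisco
! Added example: minimal Cisco IOS 802.1X (dot1x) access-switch configuration.
! Assumed values (not from the article): NPS server 10.10.10.5, switch
! Loopback1 10.10.20.1 (the address entered as RADIUS client on NPS),
! shared key Sup3r-S3cret-K3y.
!
! 1. RADIUS server definition. The switch is the RADIUS client; the key must
!    match the shared secret typed into the NPS RADIUS client entry.
!
! Legacy form (12.2 and early 15.0 trains):
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key Sup3r-S3cret-K3y
!
! Newer form (15.0(2)SE and later), used instead of the line above:
radius server NPS1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key Sup3r-S3cret-K3y
!
! Source address for RADIUS traffic. This is the address NPS sees, and it has
! to equal the address in the NPS RADIUS client entry; a request from an
! unregistered address is dropped by NPS and the switch only sees a timeout.
interface Loopback1
 ip address 10.10.20.1 255.255.255.255
ip radius source-interface Loopback1
!
! 2. AAA: turn on the new AAA model and send dot1x authentications to RADIUS.
aaa new-model
aaa authentication dot1x default group radius
! Optional: per-session accounting so NPS logs session start and stop.
aaa accounting dot1x default start-stop group radius
!
! Enable 802.1X globally; without this line the per-port settings do nothing.
dot1x system-auth-control
!
! 3. The access port facing the client. The switch is the authenticator and
!    keeps the port closed until the supplicant authenticates successfully.
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! older IOS trains use "dot1x port-control auto" instead of the
 ! "authentication port-control auto" line above
 spanning-tree portfast
!
! Verification (exec mode). A Reject from "test aaa" proves the server is
! reachable and the key matches the NPS client entry (NPS may still reject a
! plain PAP test user because the dot1x policy expects EAP over Ethernet);
! a timeout means a wrong server address, source address or shared key.
! test aaa group radius testuser Passw0rd new-code
! show authentication sessions interface GigabitEthernet1/1
! show dot1x interface GigabitEthernet1/1 details
```

The port stays in the unauthorized state until the RADIUS Access-Accept arrives, so a client without a supplicant gets no connectivity at all with this configuration; handling such clients (guest VLAN, MAB, open mode) is the subject of the follow-up article mentioned above.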