Friday, December 16, 2016

configure 802.1x/dot1x on cisco switch

*** structure ***

client --> switch --> radius

switch ip address: 192.168.57.13
radius ip address: 192.168.57.1

*** radius setup
1- configure radius server
follow the link below, only the "*** on hostapd/radius" part; hostapd is not needed for this setup, so you can skip the steps that involve hostapd

http://www.atechnote.com/2016/10/configure-8021x-wpa2-enterprise-using.html

- then modify the following files
- /etc/freeradius/clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret          = radius
        require_message_authenticator = no
}
client cisco-router {
        ipaddr = 192.168.57.13
        secret          = radius
        require_message_authenticator = no
}

- /etc/freeradius/users
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
"testuser"      User-Password == "Secret149"
user1     Cleartext-Password := "password1"
user2     Cleartext-Password := "password2"
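Added example, not code from the original post and not FreeRADIUS code: what the switch and the RADIUS server actually exchange using the shared secret from clients.conf above. It builds an Access-Request for user1, hides the User-Password under the secret "radius" the way RFC 2865 describes, adds a Message-Authenticator (RFC 2869, HMAC-MD5 over the packet), and shows the check a server does on that attribute. With require_message_authenticator = no the server does not insist on the attribute being present, so the verify function below is exactly the protection that setting waives. Attribute numbers and packet layout come from the RFCs; the identifier and request authenticator used when testing are constructed values.

```python
# Added example, not code from the original post or from FreeRADIUS: builds
# and checks a RADIUS Access-Request the way a switch and server would, using
# the shared secret "radius" from clients.conf above. Runs offline, no sockets.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. The server needs the same secret to do this,
    which is why the secret in clients.conf must match the key on the switch."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Build an Access-Request with User-Name, hidden User-Password and a
    Message-Authenticator, as a RADIUS client (the switch) sends it."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password.encode(), secret, authenticator))
    # Message-Authenticator is HMAC-MD5(secret, whole packet) computed with the
    # attribute's own value set to 16 zero bytes, so reserve it before hashing.
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet: bytes):
    """Return a list of (type, value, offset) for every attribute that follows
    the 20-byte header, rejecting truncated or malformed TLVs."""
    pos, attrs = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """The server-side check: recompute the HMAC with the attribute zeroed and
    compare in constant time. Returns False when the attribute is missing or
    wrong, which is what a server that requires it would reject."""
    for atype, value, pos in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(packet)
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    secret = b"radius"   # key from clients.conf and the radius-server host line
    pkt = build_access_request(1, "user1", "password1", secret)
    print("packet length", len(pkt),
          "message-authenticator ok:", verify_message_authenticator(pkt, secret))
```

Running the file builds one request and verifies it locally; the same exchange over UDP to port 1812 is what radtest from the FreeRADIUS tools does against the server. Flipping any byte of the request makes the verify function return False, which is the integrity the shared secret provides only while the server actually checks the attribute.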


*** cisco switch part
1- cisco switch version
ROM: ROMMON Emulation Microcode
ROM: 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(18), RELEASE SOFTWARE (fc1)




2- cisco running-configuration

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname R2-SW
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
aaa session-id common
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
identity profile default
dot1x system-auth-control
vtp file nvram:vlan.dat

!
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.57.13 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Unused for Layer2 SW ***
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 duplex full
 speed 100
 dot1x port-control auto
!
interface FastEthernet1/1
 duplex full
 speed 100
 dot1x port-control auto
!
interface FastEthernet1/2
 duplex full
 speed 100
!
interface FastEthernet1/3
 duplex full
 speed 100
!
interface FastEthernet1/4
 duplex full
 speed 100
!
interface FastEthernet1/5
 duplex full
 speed 100
!
interface FastEthernet1/6
 duplex full
 speed 100
!
interface FastEthernet1/7
 duplex full
 speed 100
!
interface FastEthernet1/8
 duplex full
 speed 100
!
interface FastEthernet1/9
 duplex full
 speed 100
!
interface FastEthernet1/10
 duplex full
 speed 100
!
interface FastEthernet1/11
 duplex full
 speed 100
!
interface FastEthernet1/12
 duplex full
 speed 100
!
interface FastEthernet1/13
 duplex full
 speed 100
!
interface FastEthernet1/14
 duplex full
 speed 100
!
interface FastEthernet1/15
 duplex full
 speed 100
!
interface Vlan1
 ip address 192.168.33.24 255.255.255.0
 no ip route-cache
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server

!
radius-server host 192.168.57.1 auth-port 1812 acct-port 1813 key radius
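Added example, not from the original post: a small audit script for a running-config like the one above. It checks that the global 802.1X commands are present (aaa new-model, the dot1x authentication list, dot1x system-auth-control), lists which access ports have dot1x port-control auto and which are still open, and reads the radius-server host line. The embedded sample config is an excerpt of the R2-SW configuration above; the 16-character threshold for flagging a short RADIUS key is an assumption of this script, not a Cisco or FreeRADIUS rule.

```python
# Added example, not code from the original post: audits a Cisco IOS
# running-config for the 802.1X pieces the post enables. SAMPLE_CONFIG is an
# excerpt of the R2-SW config above, embedded so the script runs offline.
import re

SAMPLE_CONFIG = """\
hostname R2-SW
!
aaa new-model
!
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.57.13 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 shutdown
!
interface FastEthernet1/0
 duplex full
 speed 100
 dot1x port-control auto
!
interface FastEthernet1/1
 duplex full
 speed 100
 dot1x port-control auto
!
interface FastEthernet1/2
 duplex full
 speed 100
!
interface Vlan1
 ip address 192.168.33.24 255.255.255.0
!
radius-server host 192.168.57.1 auth-port 1812 acct-port 1813 key radius
"""

# Global commands without which dot1x port-control auto does nothing.
GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
]
WEAK_KEY_LENGTH = 16   # assumption of this script: shorter keys get flagged


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or any top-level command ends the block
    return interfaces


def global_lines(config: str) -> set:
    """Top-level commands only (no indented lines, no '!' separators)."""
    return {l.strip() for l in config.splitlines()
            if l and not l.startswith((" ", "!"))}


def audit(config: str) -> dict:
    glob = global_lines(config)
    report = {
        "missing_global": [c for c in GLOBAL_REQUIRED if c not in glob],
        "dot1x_ports": [],
        "open_access_ports": [],
        "radius_servers": [],
    }
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Vlan"):
            continue                              # SVI, not a user-facing port
        if any(c.startswith("ip address") for c in cmds):
            continue                              # routed/management interface
        if "shutdown" in cmds:
            continue                              # disabled, nothing to authenticate
        if any(c.startswith("dot1x port-control auto") for c in cmds):
            report["dot1x_ports"].append(name)
        else:
            report["open_access_ports"].append(name)
    for line in glob:
        m = re.match(r"radius-server host (\S+)(?: auth-port (\d+))?.* key (\S+)", line)
        if m:
            report["radius_servers"].append({
                "host": m.group(1),
                "auth_port": int(m.group(2) or 1812),
                "weak_key": len(m.group(3)) < WEAK_KEY_LENGTH,
            })
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print("%-18s %s" % (key + ":", value))
```

For the excerpt above the report shows no missing global commands, FastEthernet1/0 and 1/1 under 802.1X, FastEthernet1/2 still open, and the RADIUS server at 192.168.57.1 flagged for its short key. Feeding it the full config from the post lists FastEthernet1/2 through 1/15 as open ports, which is a useful reminder that dot1x port-control auto is per interface and the rest of the ports still accept any host.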



3- after you complete the configuration and the switch can reach the radius server, use the following command to test radius authentication from the switch to the radius server:

R2-SW#test aaa group radius user1 password1 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.


*** client part

+ linux client
follow the link below, the "*** on client" part only
http://www.atechnote.com/2016/10/configure-8021x-wpa2-enterprise-using.html

+ ms windows  client
1- enable the "wired autoconfig" service; once the service is enabled, the "authentication" tab appears in the "local area connection" properties

2- next,
- if your certificate is not signed by a trusted CA, uncheck "validate server certificate" under the settings button

- you can enter the username/password manually under "additional settings", or wait until windows prompts for them automatically


when you authenticate successfully, the switch port will change to up.
 




