AAA, NAC, Guest Access & BYOD

How to Enable Dot1x authentication for wired clients in Cisco switch

by on ‎07-18-2014 06:11 AM

Introduction :

 

This Article explains about-

    i) Enabling Dot1x  authentication on the windows client.

    ii) Configuring the services on CPPM for wired Dot1x clients on a Cisco switch
    iii) Configuring Cisco Switch to enable Dot1x and forward the request to CPPM
    iv) Adding the Cisco device as a NAD device.

 

Environment : This Article is written  for CPPM 6.2.0 and greater

 

Answer :

 

Note : This Setup requires CPPM to be added to the domain.

1: Configure the Cisco Switch to enable Dot1x.

 

Cisco-3750-Lab#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco-3750-Lab(config)# aaa new-model
 
Now that we have enabled the advanced features, we can now add in CPPM as our RADIUS server with the following commands:
 
Cisco-3750-Lab(config)# radius server CPPM
Cisco-3750-Lab(config-radius-server)# address ipv4 X.X.X.X
Cisco-3750-Lab(config-radius-server)# key aruba123
Cisco-3750-Lab(config-radius-server)# exit
Cisco-3750-Lab(config)#
 
The command “radius server servername” is a newer command. Older code uses the command “radius-server host 192.168.99.10 key aruba123”.
 
In order to enable 802.1x on the switch, we must run the following command:
 
Cisco-3750-Lab(config)# dot1x system-auth-control
 
Now we need to set the switch to use RADIUS for AAA Authentication and Accounting. Here are the commands for that:
Cisco-3750-Lab(config)# aaa authentication dot1x default group radius
Cisco-3750-Lab(config)# aaa authorization network default group radius
Cisco-3750-Lab(config)# aaa accounting dot1x default start-stop group radius
 
 
Next we need to add a AAA server for dynamic authorization. Here’s how we do that:
Cisco-3750-Lab(config)# aaa server radius dynamic-author
Cisco-3750-Lab(config-locsvr-da-radius)# client 10.30.156.119 server-key aruba123
Cisco-3750-Lab(config-locsvr-da-radius)# port 3799
Cisco-3750-Lab(config-locsvr-da-radius)# auth-type all
Cisco-3750-Lab(config-locsvr-da-radius)# exit
Cisco-3750-Lab(config)#

Create Vlans on the switch.


Cisco-3750-Lab(config)#interface vlan 25
Cisco-3750-Lab(config-if)# ip address 192.168.25.1 255.255.255.0
Cisco-3750-Lab(config-if)# ip helper-address 192.168.25.10
Cisco-3750-Lab(config-if)# ip helper-address 192.168.25.5
Cisco-3750-Lab(config-if)# exit

Now that we have RADIUS server settings, VLANs and router interfaces for those VLANs, we need to configure a port to do 802.1x . Here are the commands to configure a port, keep in mind that interface type and numbering will differ from model to model. The best way to figure out your interface type and numbering is with the “show interfaces description” command. 

Configuring ports one by one would not be possible so we can use "Range" option.

Below example would configure the all the ports within range G
igabitEthernet 1/0/1  to 1/0/24


Cisco-3750-Lab#configure terminal
Cisco-3750-Lab(config)#interface range gigabitEthernet 1/0/1 - 24

Cisco-3750-Lab(config-if-range)# switchport access vlan 25
Cisco-3750-Lab(config-if-range)# switchport mode access
Cisco-3750-Lab(config-if-range)# authentication order mab dot1x
Cisco-3750-Lab(config-if-range)# authentication priority dot1x mab
Cisco-3750-Lab(config-if-range)# authentication port-control auto
Cisco-3750-Lab(config-if-range)# authentication periodic
Cisco-3750-Lab(config-if-range)# authentication timer reauthenticate server
Cisco-3750-Lab(config-if-range)# mab
Cisco-3750-Lab(config-if-range)# dot1x pae authenticator
Cisco-3750-Lab(config-if-range)# dot1x timeout server-timeout 5
Cisco-3750-Lab(config-if-range)# dot1x timeout tx-period 10
Cisco-3750-Lab(config-if-range)# dot1x timeout supp-timeout 10
Cisco-3750-Lab(config-if-range)# dot1x max-req 10
Cisco-3750-Lab(config-if-range)# dot1x max-reauth-req 10
Cisco-3750-Lab(config-if-range)# spanning-tree portfast
Cisco-3750-Lab(config-if-range)# exit


2: Add Switch to CPPM

Navigate to Configuration > Network > Devices

Click Add Device

Add the device as shown below.

rtaImage.png

 

Make sure that the Radius Shared Secret is same as the one configured on the Switch.

3: 802.1x Service Setup

Navigate to Configuration » Service Template and Select 802.1X Wired Access Service Template

This will open a new window as below

rtaImage.png


 
Give it a Generic name and select the AD from the drop down to auto-populate the remaining fields.

Scroll down 

rtaImage.png

Select the Switch from the Drop down to auto populate the remaining fields.

We can fill the Enforcement details as above or customize is based on our requirements.

Hitting "Add Service" will save and add the service.

4: Enable Dot1X on the client.

You must be logged on as an administrator to perform these steps.

To complete this procedure, you must first enable the Wired AutoConfig service, which is turned off by default.

  1. Click the Start button Picture of the Start button, and then, in the Search box, type services.msc, and then press ENTER. Administrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. In the Services dialog box, click the Standard tab, right-click Wired AutoConfig, and then click Start.

  3. Open Network Connections by clicking the Start button Picture of the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

  4. Right-click the connection that you want to enable 802.1X authentication for, and then click PropertiesAdministrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  5. Click the Authentication tab, and then select the Enable IEEE 802.1X authentication check box.

  6. In the Choose a network authentication method list, click the method you want to use.

    To configure additional settings, click Settings.


Connect a client and verify.
 
Troubleshooting : Most Common issue seen in this setup.

Question : After connecting my client, it is not getting an IP address and nothing is seen in the access tracker.

Answer: We can check the Event Viewer for more details.

Navigate to Monitoring » Event Viewer and look for below


RADIUS ERROR Authentication Unknown Aug 26, 2013 05:29:04 PST
This is caused due to Radius key mismatch.

rtaImage.png

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.