AAA, NAC, Guest Access & BYOD


How to Enable Dot1x authentication for wired clients in Cisco switch 

Jul 18, 2014 09:11 AM

Introduction:

This article explains:

    i) Enabling Dot1x authentication on the Windows client.
    ii) Configuring the services on CPPM for wired Dot1x clients on a Cisco switch.
    iii) Configuring the Cisco switch to enable Dot1x and forward requests to CPPM.
    iv) Adding the Cisco switch as a NAD (network access device).

 

Environment: This article is written for CPPM 6.2.0 and later.

 

Answer:

 

Note: This setup requires CPPM to be joined to the Active Directory domain.

1: Configure the Cisco Switch to enable Dot1x.

 

Cisco-3750-Lab#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco-3750-Lab(config)# aaa new-model
 
Now that AAA is enabled, add CPPM as the RADIUS server with the following commands:
 
Cisco-3750-Lab(config)# radius server CPPM
Cisco-3750-Lab(config-radius-server)# address ipv4 X.X.X.X
Cisco-3750-Lab(config-radius-server)# key aruba123
Cisco-3750-Lab(config-radius-server)# exit
Cisco-3750-Lab(config)#
 
The “radius server <servername>” syntax is the newer form. Older IOS releases use “radius-server host 192.168.99.10 key aruba123” instead.
 
To enable 802.1X globally on the switch, run the following command:
 
Cisco-3750-Lab(config)# dot1x system-auth-control
 
Now set the switch to use RADIUS for AAA authentication, authorization and accounting:
Cisco-3750-Lab(config)# aaa authentication dot1x default group radius
Cisco-3750-Lab(config)# aaa authorization network default group radius
Cisco-3750-Lab(config)# aaa accounting dot1x default start-stop group radius
 
 
Next, add an AAA server for dynamic authorization (RADIUS Change of Authorization, which lets CPPM re-authorize or disconnect a session). The client address is the CPPM server's IP. Here is how:
Cisco-3750-Lab(config)# aaa server radius dynamic-author
Cisco-3750-Lab(config-locsvr-da-radius)# client 10.30.156.119 server-key aruba123
Cisco-3750-Lab(config-locsvr-da-radius)# port 3799
Cisco-3750-Lab(config-locsvr-da-radius)# auth-type all
Cisco-3750-Lab(config-locsvr-da-radius)# exit
Cisco-3750-Lab(config)#

Create the VLAN interface (SVI) on the switch. The ip helper-address entries relay the clients' DHCP requests to the DHCP servers.


Cisco-3750-Lab(config)#interface vlan 25
Cisco-3750-Lab(config-if)# ip address 192.168.25.1 255.255.255.0
Cisco-3750-Lab(config-if)# ip helper-address 192.168.25.10
Cisco-3750-Lab(config-if)# ip helper-address 192.168.25.5
Cisco-3750-Lab(config-if)# exit

Now that we have RADIUS server settings, VLANs and router interfaces for those VLANs, we need to configure a port to do 802.1X. Here are the commands to configure a port; keep in mind that interface type and numbering differ from model to model. The best way to find your interface type and numbering is the “show interfaces description” command.

Configuring ports one by one is impractical, so use the interface range option.

The example below configures all ports in the range GigabitEthernet 1/0/1 to 1/0/24.


Cisco-3750-Lab#configure terminal
Cisco-3750-Lab(config)#interface range gigabitEthernet 1/0/1 - 24

Cisco-3750-Lab(config-if-range)# switchport access vlan 25
Cisco-3750-Lab(config-if-range)# switchport mode access
Cisco-3750-Lab(config-if-range)# authentication order mab dot1x
Cisco-3750-Lab(config-if-range)# authentication priority dot1x mab
Cisco-3750-Lab(config-if-range)# authentication port-control auto
Cisco-3750-Lab(config-if-range)# authentication periodic
Cisco-3750-Lab(config-if-range)# authentication timer reauthenticate server
Cisco-3750-Lab(config-if-range)# mab
Cisco-3750-Lab(config-if-range)# dot1x pae authenticator
Cisco-3750-Lab(config-if-range)# dot1x timeout server-timeout 5
Cisco-3750-Lab(config-if-range)# dot1x timeout tx-period 10
Cisco-3750-Lab(config-if-range)# dot1x timeout supp-timeout 10
Cisco-3750-Lab(config-if-range)# dot1x max-req 10
Cisco-3750-Lab(config-if-range)# dot1x max-reauth-req 10
Cisco-3750-Lab(config-if-range)# spanning-tree portfast
Cisco-3750-Lab(config-if-range)# exit
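Once the port range is configured, it is worth checking that every access port actually ended up with the enforcing lines from step 1, since a single port left without “authentication port-control auto” is open regardless of the RADIUS setup. The Python below is an added example, not code from the article or from ClearPass: it audits a constructed running-config excerpt (not from a real switch) against the global and per-port commands used in step 1.

```python
# Constructed running-config excerpt (not from a real switch), modelled on step 1;
# GigabitEthernet1/0/2 deliberately omits "authentication port-control auto".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.30.156.119 server-key aruba123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 mab
 dot1x pae authenticator
"""
GLOBAL_REQUIRED = [
    "aaa new-model", "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "aaa server radius dynamic-author",
]
PORT_REQUIRED = ["authentication port-control auto", "mab", "dot1x pae authenticator"]

def parse_blocks(config):
    """Split an IOS config into top-level lines and {interface: [child lines]}."""
    top, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            top.append(line.strip())
    return top, interfaces

def audit(config):
    """List missing global 802.1X/AAA lines and access ports not enforcing 802.1X."""
    top, interfaces = parse_blocks(config)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED if cmd not in top]
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue  # trunk ports and SVIs are out of scope for this check
        findings += [f"{name}: missing '{cmd}'" for cmd in PORT_REQUIRED if cmd not in lines]
    return findings
```

Run it against the output of “show running-config” saved to a file; an empty list means every access port carries the full 802.1X configuration from this article.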


2: Add Switch to CPPM

Navigate to Configuration > Network > Devices

Click Add Device

Add the device as shown below.

[Screenshot of the Add Device form omitted]

 

Make sure that the RADIUS Shared Secret is the same as the key configured on the switch.

3: 802.1x Service Setup

Navigate to Configuration » Service Template and select the 802.1X Wired Access Service Template.

This opens a new window as below.

[Screenshot of the service template window omitted]


 
Give it a generic name and select the AD (the Active Directory authentication source) from the drop-down to auto-populate the remaining fields.

Scroll down.

[Screenshot of the lower part of the template omitted]

Select the switch from the drop-down to auto-populate the remaining fields.

Fill in the enforcement details as above, or customize them based on your requirements.

Clicking "Add Service" saves and adds the service.

4: Enable Dot1X on the client.

You must be logged on as an administrator to perform these steps.

To complete this procedure, you must first enable the Wired AutoConfig service, which is turned off by default.

  1. Click the Start button, type services.msc in the Search box, and then press ENTER. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. In the Services dialog box, click the Standard tab, right-click Wired AutoConfig, and then click Start.
  3. Open Network Connections by clicking the Start button, then Control Panel, Network and Internet, Network and Sharing Center, and then Manage network connections.
  4. Right-click the connection that you want to enable 802.1X authentication for, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Click the Authentication tab, and then select the Enable IEEE 802.1X authentication check box.
  6. In the Choose a network authentication method list, click the method you want to use.

    To configure additional settings, click Settings.


Connect a client and verify.
 
Troubleshooting: the most common issue seen in this setup.

Question: After connecting my client, it is not getting an IP address and nothing is seen in the Access Tracker.

Answer: Check the Event Viewer for more details.

Navigate to Monitoring » Event Viewer and look for an entry like the one below:

RADIUS ERROR Authentication Unknown Aug 26, 2013 05:29:04 PST
This is caused by a RADIUS shared-secret mismatch between the switch and CPPM.

[Screenshot of the Event Viewer entry omitted]
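The reason a wrong key surfaces as an authentication error rather than a silent drop is that an 802.1X Access-Request carries a Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret, which the server recomputes before it looks at the request at all. The Python below is an added example, not code from the article or from ClearPass: it builds a constructed Access-Request under the key from step 1 and verifies it with the correct secret and a wrong one; the username and packet identifier are assumptions.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"aruba123"  # the shared secret configured on the switch in step 1

def build_access_request(secret, identifier=1, username=b"lab-user"):
    """Build a minimal RADIUS Access-Request (RFC 2865) carrying EAP-Message and
    Message-Authenticator (RFC 3579) attributes, as an 802.1X authenticator would."""
    request_auth = os.urandom(16)                      # random Request Authenticator
    # Constructed EAP-Response/Identity: code 2, id 1, length, type 1 (Identity), data
    eap = struct.pack("!BBHB", 2, 1, 5 + len(username), 1) + username
    attrs = bytes([1, 2 + len(username)]) + username   # User-Name (1)
    attrs += bytes([79, 2 + len(eap)]) + eap           # EAP-Message (79)
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs) + 18) + request_auth
    # HMAC-MD5 over the whole packet with the Message-Authenticator (80) value zeroed
    mac = hmac.new(secret, header + attrs + bytes([80, 18]) + b"\x00" * 16, hashlib.md5).digest()
    return header + attrs + bytes([80, 18]) + mac

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the server's secret; False on key mismatch or tampering."""
    header, attrs = packet[:20], packet[20:]
    pos, zeroed, received = 0, b"", None
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return False                               # malformed attribute length
        if atype == 80:
            received = attrs[pos + 2:pos + alen]
            zeroed += attrs[pos:pos + 2] + b"\x00" * 16
        else:
            zeroed += attrs[pos:pos + alen]
        pos += alen
    if received is None or len(received) != 16:
        return False                                   # RFC 3579 requires it for EAP
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

When the switch key and the CPPM device entry differ, the recomputed value never matches, so the request is rejected before any lookup against AD takes place, and the client stays without an IP address.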

 
