Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
802.1X authentication with username/password on Internal DB

  • 1.  802.1X authentication with username/password on Internal DB

    Posted Mar 08, 2014 02:39 AM

    Hi,

    I would like to do 802.1X authentication with username/password on the Internal DB.

    Depending on the username, I would like to assign the right VLAN; I have 4 VLANs.

    I have already added the names and passwords of the users to be authenticated to the Internal DB, and I assigned a different role per username, each with a different VLAN.

    I have already configured the AAA profile with a server group (Internal) and enabled termination so that authentication finishes on the controller.

    But I don't know how to configure the default role and the 802.1X Authentication Default Role.

    Thanks for your help

    cCIl



  • 2.  RE: 802.1X authentication with username/password on Internal DB

    EMPLOYEE
    Posted Mar 08, 2014 06:13 AM

    The default 802.1x role is in the AAA profile.



  • 3.  RE: 802.1X authentication with username/password on Internal DB

    Posted Mar 09, 2014 09:09 AM

    For the Internal DB, I configured:

    aaa server-group "interne"
       allow-fail-through
       auth-server Internal
       set role condition User-Name contains "ccil" set-value ccil-vlan4

    (In fact, I will configure all users on the Internal DB with different VLANs.)

    aaa profile "Entreprise_AAA"
       initial-role "Entreprise_role"
       authentication-dot1x "Entreprise_dot1x"
       dot1x-default-role "ccil-vlan4"
       dot1x-server-group "interne"

    aaa authentication dot1x "Entreprise_dot1x"
       machine-authentication enable
       machine-authentication machine-default-role "Entreprise_role"
       machine-authentication user-default-role "ccil-vlan4"
       termination enable
       termination eap-type eap-tls
       termination eap-type eap-peap
       termination inner-eap-type eap-gtc
       termination inner-eap-type eap-mschapv2

    Can someone explain each role to me:

    initial-role "Entreprise_role"
    dot1x-default-role "ccil-vlan4"

    machine-authentication machine-default-role "Entreprise_role"
    machine-authentication user-default-role "ccil-vlan4"

    With the different VLANs, I cannot understand where I have to configure the server derivation, and how.

    cCil

     



  • 4.  RE: 802.1X authentication with username/password on Internal DB

    EMPLOYEE
    Posted Mar 09, 2014 09:17 AM

    Two words of advice:

    1 - Turn off (Enforce) Machine Authentication (machine authentication and Termination don't work. You are also not going to put a machine's credentials into the internal database, so don't bother. Enforce Machine Authentication is an advanced topic.)

    2 - The command that sets the 802.1x role is below:

    aaa profile "Entreprise_AAA"
       initial-role "Entreprise_role"
       authentication-dot1x "Entreprise_dot1x"
       dot1x-default-role "ccil-vlan4"
       dot1x-server-group "interne"

    3 -

    "Can someone explain each role to me:"

    initial-role "Entreprise_role"   - Initial role for the AAA profile. Only valid for PSK or Open SSIDs. NOT used for 802.1x.
    dot1x-default-role "ccil-vlan4"  - Basic role for when a client passes 802.1x.

    (Enforce) Machine Authentication - Only in effect when Enforce Machine Authentication is activated. Does not work with Termination, and is not used when Termination is off.

    machine-authentication machine-default-role "Entreprise_role"
    machine-authentication user-default-role "ccil-vlan4"



  • 5.  RE: 802.1X authentication with username/password on Internal DB

    Posted Mar 10, 2014 05:26 AM

    Thanks for your help.

    I have a question about VLANs. Do you think I can assign specific VLANs depending on the username when I use the same SSID and the same authentication?

    cCil



  • 6.  RE: 802.1X authentication with username/password on Internal DB

    EMPLOYEE
    Posted Mar 10, 2014 06:19 AM

    ccil,

    Do you want:

    If X user authenticates, let them go to VLAN Y?



  • 7.  RE: 802.1X authentication with username/password on Internal DB

    Posted Mar 10, 2014 06:38 AM

    Hi,

    I have 80 users with 4 VLANs:

    users1 => go to vlan 10

    users2 => go to vlan 20

    users3 => go to vlan 30

    ...

    with only 4 VLANs, not more.

    cCil
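An ArubaOS configuration that puts the mapping above into practice, added here as an example; it is not from the original thread or from HPE Aruba. It assumes role names role-vlan10 .. role-vlan40 and role-quarantine, usernames users1 .. users4, and a quarantine VLAN 99 (all assumptions, not on the page), and it reuses the `set role condition ... set-value` server-derivation syntax and the profile names already shown in post 3. The VLAN is carried by the user-role, so each derivation rule only has to pick a role. Lines starting with `!` are explanatory separators in the style of running-config output, not commands to paste:

```text
! Four user roles; the VLAN is an attribute of the role (assumed names).
user-role "role-vlan10"
   vlan 10
   access-list session allowall
!
user-role "role-vlan20"
   vlan 20
   access-list session allowall
!
user-role "role-vlan30"
   vlan 30
   access-list session allowall
!
user-role "role-vlan40"
   vlan 40
   access-list session allowall
!
! Restricted fallback role for users the Internal DB accepts but no rule
! below matches (assumed VLAN 99; logon-control is a built-in session ACL).
user-role "role-quarantine"
   vlan 99
   access-list session logon-control
!
! Server group: Internal DB plus one derivation rule per user.
! "equals" rather than "contains", so that a rule for users1 cannot also
! match users10 (the rule in post 3 uses "contains", which is wider).
aaa server-group "interne"
   auth-server Internal
   set role condition User-Name equals "users1" set-value "role-vlan10"
   set role condition User-Name equals "users2" set-value "role-vlan20"
   set role condition User-Name equals "users3" set-value "role-vlan30"
   set role condition User-Name equals "users4" set-value "role-vlan40"
!
! 802.1X profile: termination on the controller (needed for the Internal DB),
! PEAP/MSCHAPv2 only, no Enforce Machine Authentication (see post 4).
aaa authentication dot1x "Entreprise_dot1x"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
! AAA profile: dot1x-default-role is what a user gets when the password is
! accepted but no derivation rule matched, so keep it restrictive.
aaa profile "Entreprise_AAA"
   authentication-dot1x "Entreprise_dot1x"
   dot1x-default-role "role-quarantine"
   dot1x-server-group "interne"
```

After a client authenticates, `show user-table` lists the role and VLAN it was actually placed in, which is the quickest way to confirm a derivation rule fired rather than the default role. With 80 users this means 80 rules, one per username; if the usernames follow a naming convention per group, a single `starts-with` rule per VLAN replaces them, but `contains` should still be avoided because it matches substrings anywhere in the name.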



  • 8.  RE: 802.1X authentication with username/password on Internal DB

    EMPLOYEE
    Posted Mar 10, 2014 07:08 AM

    ccil,

    Before I answer your question:

    - Is this to replace an existing system?

    - Are you using VLANs for security or access? If so, what type?