
Freeradius – and Cisco 802.1x configuration

July 8th, 2009

If you want to practice radius configuration, or if you are testing a Cisco RADIUS setup without having access to the production server, here is a nice solution and sample config.

The Cisco configuration below is for IOS. If you want to know how to configure this on CatOS, read this post

If you want to practice RADIUS configuration in your lab, there is a free RADIUS server you can use: FreeRADIUS. (I actually ran it on my laptop at T5 to test the Aruba EAP-TLS configuration, which I had to do because the production RADIUS server was going to be on the BA, not BAA, network.)

Freeradius download:

Install it on your PC and configure the ‘clients.conf’ file on FreeRADIUS. In RADIUS terminology a client is the NAS (network access server), i.e. the switch that forwards the authentication requests, not the end user’s PC; the client entry holds the switch’s IP address and the shared secret. The clients.conf file is well commented and the task is straightforward.

Then set up the Cisco switch to use 802.1x (http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1216ea2/scg/swg8021x.htm#60637 )
Note of interest: on Aruba the equivalent is two commands.

conf t
aaa new-model
! 'default group radius' is the full method-list syntax; a bare 'radius' after
! 'network' is taken as a list name and the command is rejected as incomplete
aaa authorization network default group radius
! keep management login on the local user database so a broken RADIUS setup
! cannot lock you out; the list must be 'default' (or be applied with
! 'login authentication <name>' under the vty/console lines) to take effect
aaa authentication login default local
aaa authentication dot1x default group radius
username admin password banana
dot1x system-auth-control
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key testing123  <=== where ‘x.x.x.x’ is the ip address of the radius server

Now verify that 802.1x is globally enabled (Sysauthcontrol needs to show Enabled):

show dot1x
(Sysauthcontrol = Enabled)

Once this is in place, the next time you log into the switch you will be prompted for a username and password: with aaa new-model enabled the local database is used, so these are the username and password from the ‘username’ line above. Make sure the shared secret (key) on the radius-server host line is exactly the same as the ‘secret’ of the matching client entry in clients.conf on FreeRADIUS; if they differ, the server decodes the request with the wrong key and rejects or drops it, and the switch in turn discards any reply whose authenticator it cannot verify, so the login simply times out.

To configure a user switchport for 802.1x:

Add the user to the “users” file on FreeRADIUS (again straightforward; the file is well commented), then on the Cisco switch:

conf t
interface fastethernet0/1
! 802.1x is supported on static-access ports only, not on trunk or dynamic ports
switchport mode access
dot1x port-control auto

If there are multiple hosts behind a port, i.e. a hub or another switch is connected to it, you also need to enable the following when configuring the interface (on later IOS releases the same option is spelled dot1x host-mode multi-host). Be aware of what it does: once the first host authenticates, the port is authorized for every MAC address behind it, and it only goes back to unauthorized when that host logs off, fails re-authentication or the link drops.

interface fastethernet0/1
dot1x port-control auto
dot1x multiple-hosts  <==== !
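As an added example (not code from the original post), here is a small Python model of the exchange the switch and FreeRADIUS have once a port is set to auto and a user from the users file logs in with PAP: it builds an Access-Request the way the NAS does, serves it against a constructed users file in the format you edit on FreeRADIUS, and checks the reply the way the NAS does. The users-file entries, the usernames alice and bob, the NAS address 192.0.2.10 and the secrets are constructed for the demo; testing123 is the secret from the radius-server host line above. It shows why the key must match clients.conf: User-Password is hidden with MD5 of the secret and the Request Authenticator, so a server with a different secret decodes garbage and answers Access-Reject, and the NAS then cannot validate the Response Authenticator (also keyed by the secret) and discards the reply. A real 802.1x request carries EAP-Message instead of User-Password, but the Response Authenticator check is the same and fails the same way on a mismatch.

```python
"""Toy RADIUS (RFC 2865) PAP exchange between a NAS and a users-file server.

Added example, not the post's own code. Users, secrets and the NAS
address are constructed for the demo.
"""
import hashlib
import hmac
import os
import re
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed FreeRADIUS 'users' file, in the format the post says to edit.
USERS_FILE = '''
# user   check item
alice    Cleartext-Password := "s3cret"
bob      Cleartext-Password := "p@ss"
'''


def parse_users(text):
    """Return {username: cleartext password} from users-file lines."""
    users = {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', line)
        if m:
            users[m.group(1)] = m.group(2)
    return users


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    if len(raw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = raw + b"\x00" * (-len(raw) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_password(encoded, secret, authenticator):
    """Inverse of encode_password; the server does this with *its* secret."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # strips the RFC padding


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip):
    """What the switch (NAS) sends; the Request Authenticator is 16 random bytes."""
    auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password, secret, auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, users):
    """Toy server: decode User-Password with the server's secret, check the users file."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[:length])
    user = attrs[USER_NAME].decode(errors="replace")
    given = decode_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response, request, secret):
    """NAS side: a reply whose authenticator does not check out is discarded."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def exchange(username, password, nas_secret, server_secret):
    """One PAP round trip; returns (response code, authenticator valid at the NAS)."""
    users = parse_users(USERS_FILE)
    req = build_access_request(42, username, password, nas_secret.encode(), "192.0.2.10")
    resp = server_handle(req, server_secret.encode(), users)
    return resp[0], verify_response(resp, req, nas_secret.encode())


if __name__ == "__main__":
    print(exchange("alice", "s3cret", "testing123", "testing123"))  # (2, True)  Access-Accept
    print(exchange("alice", "wrong", "testing123", "testing123"))   # (3, True)  Access-Reject
    print(exchange("alice", "s3cret", "testing123", "different"))   # (3, False) secret mismatch
```

The third call is the clients.conf mismatch case from the note above: the server rejects, and the NAS also fails the Response Authenticator check, which is why the switch reports a timeout rather than a clean reject. On a real switch, on IOS releases that have it, test aaa group radius <user> <password> new-code sends the same kind of Access-Request to the configured server and is the quickest way to confirm the key before touching any port.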
