{"id":162,"date":"2009-07-08T12:03:11","date_gmt":"2009-07-08T11:03:11","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=162"},"modified":"2009-07-25T09:16:20","modified_gmt":"2009-07-25T08:16:20","slug":"freeraduis-%e2%80%93-and-cisco-802-1x-configuration","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=162","title":{"rendered":"Freeradius \u2013 and Cisco 802.1x configuration"},"content":{"rendered":"<p>If you want to practice radius configuration, or if you are testing a Cisco RADIUS setup without having access to the production server, here is a nice solution and sample config.<\/p>\n<p>The Cisco configuration is for the IOS.\u00a0 If you want to know how to configure on CatOS, read <a href=\"http:\/\/darenmatthews.com\/blog\/?p=219\">this post<\/a><!--more--><\/p>\n<p>If you want to practice RADIUS configuration in your lab, there is a free RADIUS server that can be used (I actually used this on my laptop at T5 to test the Aruba EAP-TLS config, which I had to do because the actual production RADIUS server was to be on the BA (not BAA) network).<\/p>\n<p>FreeRADIUS download:<br \/>\n<a href=\"http:\/\/freeradius.net\/FreeRADIUS.net_PN764\/index.php?name=Downloads&amp;req=viewdownloaddetails&amp;lid=9\">http:\/\/freeradius.net\/FreeRADIUS.net_PN764\/index.php?name=Downloads&amp;req=viewdownloaddetails&amp;lid=9<\/a><\/p>\n<p>Install it on your PC and configure the &#8216;clients.conf&#8217; file on FreeRADIUS (clients actually means the switch &#8211; in RADIUS-speak, a NAS, or network access server).\u00a0 The clients.conf file is well commented and the task should be straightforward.<\/p>\n<p>Then set up a Cisco switch to use 802.1x (<a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/lan\/cat2950\/1216ea2\/scg\/swg8021x.htm#60637\">http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/lan\/cat2950\/1216ea2\/scg\/swg8021x.htm#60637<\/a>)<br \/>\nNote of interest:\u00a0 on Aruba it is two commands.<\/p>\n<p>conf t<br 
\/>\naaa new-model<br \/>\naaa authorization network radius<br \/>\naaa authentication login admin local<br \/>\naaa authentication dot1x default group radius<br \/>\nusername admin password banana<br \/>\ndot1x system-auth-control<br \/>\nradius-server host x.x.x.x auth-port 1812 acct-port 1813 key testing123\u00a0 &lt;=== where &#8216;x.x.x.x&#8217; is the IP address of the RADIUS server<\/p>\n<p>Now verify (Sysauthcontrol needs to show Enabled):<\/p>\n<p>show dot1x<br \/>\n(Sysauthcontrol\u00a0 = Enabled)<\/p>\n<p>Once this is done, when you log back into the switch you will be prompted for a username and password. These are the ones you specified in the username and password line above. Make sure that the shared secret (key) configured for the RADIUS server on the switch matches the corresponding entry in clients.conf in the FreeRADIUS configuration.<\/p>\n<p>To configure a <span style=\"text-decoration: underline;\">user <\/span>switchport for 802.1x:<\/p>\n<p>Edit the &#8220;users&#8221; file on FreeRADIUS (again, straightforward), then on the Cisco switch:<\/p>\n<p>conf t<br \/>\ninterface fastethernet0\/1<br \/>\ndot1x port-control auto<br \/>\nCtrl-Z<\/p>\n<p>If you have multiple hosts behind a port, i.e. there is a switch connected to the port, you need to enable the following when configuring the interface:<\/p>\n<p>interface fastethernet0\/1<br \/>\ndot1x port-control auto<br \/>\ndot1x multiple-hosts\u00a0 &lt;==== !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you want to practice radius configuration, or if you are testing a Cisco RADIUS setup without having access to the production server, here is a nice solution and sample config. 
The Cisco configuration is for the IOS.\u00a0 If you want to know how to configure on CatOS, read this post<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,13],"tags":[3],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/162"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=162"}],"version-history":[{"count":4,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/162\/revisions"}],"predecessor-version":[{"id":164,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/162\/revisions\/164"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=162"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}