Monday, September 29, 2008

Dot1x Authentication

The Cisco Doc CD is pretty good at providing the basic configuration that is necessary to achieve this.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025133

Following the Doc CD, the config would be as follows:-

configure terminal
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 1.2.3.4
radius-server key CISCO

int fa0/8
switchport mode access
dot1x port-control auto


One item of concern here is to not inadvertently lock yourself out of the switch. Once dot1x is enabled this is used for all interfaces, console and vty included, and unless an alternative method is specified a username and password will be prompted for, even if none are configured! Hence this needs to be addressed in the solution. I show a couple of workarounds here:-

The sledgehammer approach:
aaa authentication login default none

A more granular approach:
aaa authentication login myvty none
aaa authentication login mycon none
line vty 0 4
login authentication myvty
line con 0
login authentication mycon


One further point, to err on the side of caution: before logging out of the switch do NOT save the config, and issue the 'reload in 5' command. This way, if there is an error in your script, you will at least be able to get back in if you wait 5 minutes! Of course, if all is OK and access is granted, simply cancel the reload ('reload cancel') and save the config. A useful backdoor when changing the access configuration of any device.

N.B.
Once dot1x is globally enabled, access ports are NOT entered into dot1x control by default. The default is NO dot1x - this can be seen by executing the 'show dot1x' command. To enable dot1x on a port, do so as specified above, i.e. 'dot1x port-control auto'. Any attached device will NOT get any access until the RADIUS credentials have been satisfied. Two other dot1x port states that can be set are 'force-authorized' and 'force-unauthorized'.

N.B.B
An alternative to
aaa authentication login myvty none
is
aaa authentication login myvty line

The latter then requires the standard vty password to be set,
i.e.
config-line#password cisco
and
config#enable password cisco
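As an added example (not from the original post or Cisco's documentation), a small Python check that parses a running-config shaped like the one above and flags the risks discussed here: management lines whose login method list is undefined (the lockout), lines whose list uses 'none' (the sledgehammer), and access ports left outside 802.1X control. The sample config and the finding wording are constructed for this example.

```python
# Constructed sample running-config modelled on the post (not taken from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login myvty none
aaa authentication login mycon none
dot1x system-auth-control
interface FastEthernet0/8
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/9
 switchport mode access
line con 0
 login authentication mycon
line vty 0 4
 login authentication myvty
"""

def parse_config(text):
    """Split an IOS config into global commands and per-section (interface/line) commands."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if raw.startswith(" ") and current:
            sections[current].append(cmd)            # indented: belongs to the open section
        elif cmd.startswith(("interface ", "line ")):
            current, sections[cmd] = cmd, []
        elif cmd:
            current = None
            globals_.append(cmd)
    return globals_, sections

def audit(text):
    """Return findings for the lockout and access risks the post describes."""
    globals_, sections = parse_config(text)
    lists = {c.split()[3]: c.split()[4:]              # login method-list name -> methods
             for c in globals_ if c.startswith("aaa authentication login ")}
    dot1x_on = "dot1x system-auth-control" in globals_
    findings = []
    for name, cmds in sections.items():
        if name.startswith("line "):
            # No explicit list means 'default'; an undefined list under aaa new-model with no username locks you out.
            used = next((c.split()[-1] for c in cmds if c.startswith("login authentication ")), "default")
            methods = lists.get(used)
            if methods is None and "aaa new-model" in globals_ and not any(c.startswith("username ") for c in globals_):
                findings.append(f"{name}: login list '{used}' undefined and no local username, lockout risk")
            elif methods and "none" in methods:
                findings.append(f"{name}: login list '{used}' uses method none, unauthenticated management access")
        elif dot1x_on and "switchport mode access" in cmds and "dot1x port-control auto" not in cmds:
            findings.append(f"{name}: access port not under 802.1X control (the post's default)")
    return findings
```

Run `audit()` against `show running-config` output saved to a file; a clean result is an empty list.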
