Cisco switch radius authentication configuration

Network switches can be configured to authenticate users first and then access can be given to the users. This will make sure any authorized users are not getting network access. In this post we will learn configuration of Cisco switch for 802.1x authentication of users using a radius server.

There are three things which need to be configured for giving network access to only authenticated users.

1> Switch configuration

2> Supplicant configuration (Windows NIC configuration for 802.1x)

3> Radius server configuration.

Check the post to learn on configuration of Cisco ISE and Windows workstation configuration for 802.1x

Cisco switch radius authentication configuration

There is some configuration which need to be done globally and some configuration need to be done on per port basis. For testing we can configure one of the switch port where the end user will connect their workstation. 802.1x need to configured on the access ports only. Configuring on trunk ports is not supported.

!Enter into configuration mode:
configure terminal

!Enable AAA on switch
aaa new-model

! IP address of radius server 1
! Ensure to put strong key in this example I have kept key as cisco
radius server Radius_Server_IP_1
address ipv4 auth-port 1812 acct-port 1813
key 0 cisco 

! IP address of radius server 2 (Optional but needed for redundancy)
radius server Radius_Server_IP_2
address ipv4 auth-port 1812 acct-port 1813
key 0 cisco

! Group the radius server into a single group.
aaa group server radius Radius_Server_Group
server name Radius_Server_IP_1
server name Radius_Server_IP_2

! Enable 802.1x on the switch

dot1x system-auth-control

! Authentication and authorize the users for network access against the group we created above
aaa authentication dot1x default group Radius_Server_Group
aaa authorization network default group Radius_Server_Group

! Send VSA attributes in accounting
radius-server vsa send accounting
radius-server vsa send authentication

! Add more attributes to be send to ISE
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include

! Configure switch to send only new updates to ISE and start, stop packets.
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Radius_Server_Group

!Configure switch to listen for Change of authorization CoA.
aaa server radius dynamic-author
client server-key cisco
client server-key cisco

! interface configuration, We need to apply on all interfaces where we want to enable 802.1x authentication, except trunk port.

interface GigabitEthernet2/0/37
 switchport access vlan 16
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator

Verification on Switch:

In the below output we can see that authentication method is dot1x and state is “Authc Success”. Status is also shows as authorized. Switch have also learned about the ip address of the endpoint. We can also push a access control list on the network switch per port basis, we call it as DACL (Downloadable access control list) .

Cisco switch radius authentication configuration

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.