Network switches can be configured to authenticate users first and only then grant them network access. This makes sure that unauthorized users do not get network access. In this post we will learn how to configure a Cisco switch for 802.1x authentication of users against a RADIUS server.
Three things need to be configured to give network access only to authenticated users:
1> Switch configuration
2> Supplicant configuration (Windows NIC configuration for 802.1x)
3> Radius server configuration.
Check the post on Cisco ISE configuration and Windows workstation configuration for 802.1x.
Cisco switch RADIUS authentication configuration
Some of the configuration is done globally and some is done on a per-port basis. For testing we can configure one switch port where the end user will connect their workstation. 802.1x needs to be configured on access ports only; configuring it on trunk ports is not supported.
! Enter configuration mode
configure terminal
! Enable AAA on the switch
aaa new-model
! IP address of RADIUS server 1
! Ensure you use a strong key; in this example the key is kept as cisco
radius server Radius_Server_IP_1
 address ipv4 10.16.3.1 auth-port 1812 acct-port 1813
 key 0 cisco
! IP address of RADIUS server 2 (optional, but needed for redundancy)
radius server Radius_Server_IP_2
 address ipv4 10.17.1.8 auth-port 1812 acct-port 1813
 key 0 cisco
! Group the RADIUS servers into a single server group
aaa group server radius Radius_Server_Group
 server name Radius_Server_IP_1
 server name Radius_Server_IP_2
! Enable 802.1x on the switch
dot1x system-auth-control
! Authenticate and authorize users for network access against the group created above
aaa authentication dot1x default group Radius_Server_Group
aaa authorization network default group Radius_Server_Group
! Send VSA attributes in accounting and authentication requests
radius-server vsa send accounting
radius-server vsa send authentication
! Add more attributes to be sent to ISE
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
! Configure the switch to send only new updates to ISE, plus start and stop accounting packets
aaa accounting update newinfo
aaa accounting dot1x default start-stop group Radius_Server_Group
! Configure the switch to accept Change of Authorization (CoA) requests from the listed clients
aaa server radius dynamic-author
 client 10.16.37.1 server-key cisco
 client 10.17.1.88 server-key cisco
! Interface configuration: apply on every interface where 802.1x authentication is wanted, except trunk ports
interface GigabitEthernet2/0/37
 switchport access vlan 16
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
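As an added example that is not part of the original post, the following Python script audits a saved running-config for the global and per-port commands listed above, skips trunk ports (where 802.1x is not supported), and flags a cleartext shared secret from a small denylist. The server group name, the denylist and the sample config are assumptions constructed for this example.

```python
# Added example, not the post's own code: audit a saved running-config for the
# 802.1x commands shown above. Group name and sample config are constructed.
REQUIRED_GLOBAL = [
    "aaa new-model", "dot1x system-auth-control",
    "aaa authentication dot1x default group Radius_Server_Group",
    "aaa authorization network default group Radius_Server_Group",
    "aaa accounting dot1x default start-stop group Radius_Server_Group"]
REQUIRED_PORT = ["authentication port-control auto", "mab", "dot1x pae authenticator"]

def parse_blocks(config: str) -> dict:
    # Map each unindented config line to the list of indented lines beneath it.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config: str) -> dict:
    """Report missing global commands, access ports lacking dot1x/MAB, weak secrets."""
    blocks = parse_blocks(config)
    out = {"missing_global": [c for c in REQUIRED_GLOBAL if c not in blocks], "ports": {}, "weak_keys": []}
    for header, body in blocks.items():
        name = header.split(None, 2)[-1]
        if header.startswith("interface ") and "switchport mode access" in body:
            # 802.1x is supported on access ports only, so trunk ports are skipped
            missing = [c for c in REQUIRED_PORT if c not in body]
            if missing:
                out["ports"][name] = missing
        elif header.startswith("radius server "):
            # "key 0 <secret>" is a cleartext shared secret; flag obviously guessable ones
            if any(c.split()[:2] == ["key", "0"] and c.split()[-1] in {"cisco", "secret"} for c in body):
                out["weak_keys"].append(name)
    return out

SAMPLE_CONFIG = """aaa new-model
radius server Radius_Server_IP_1
 key 0 cisco
dot1x system-auth-control
interface GigabitEthernet2/0/37
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet2/0/38
 switchport mode access
"""
```

Run `audit(SAMPLE_CONFIG)` on the constructed config to see the three missing global AAA lines, the unconfigured access port and the weak key reported together.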
Verification on Switch:
In the output below we can see that the authentication method is dot1x and the state is "Authc Success". The status also shows as Authorized, and the switch has learned the IP address of the endpoint. We can also push an access control list to the switch on a per-port basis; this is called a DACL (downloadable access control list).
