
802.1x Authentication

Dear Team 

I have a topology like the diagram below and I need to use the 802.1X protocol to authenticate users that connect to the switch against the RADIUS server. How can I do it?


Note that the RADIUS server and the switch are in different subnets.



  • You mean wired Dot1X?

    In this case the switch would be the RADIUS authenticator and the RADIUS server would be the authentication server.

    If a client connects to the switch port, the switch must be able to communicate with the RADIUS server over udp/1812, udp/1813 or udp/1645, udp/1646 (depends on the RADIUS server), thus you need to create an ACL to permit traffic on these ports from the switch's SVI (probably the management IP interface) to the RADIUS server. (In case of CoA support, additional ACLs from the RADIUS server to the switch are also necessary.)

    There is really not much to do on the XG firewall to support this.

    On the other hand there is a lot to do on the Cisco switch and the RADIUS server (I assume you're using Microsoft NPS?).

    Cisco has some great documents which explain this topic in detail.

    https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

    A rough summary of the steps needed (Cisco IOS / IOS-XE syntax):

    ! Enable the AAA subsystem first; the server group and the
    ! authentication/authorization/accounting lists below depend on it
    aaa new-model

    ! Define the RADIUS server and put it in a server group
    radius server RADIUS_SERVER1
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     timeout 3
     key 0 MYRADIUSKEY

    aaa group server radius MY_RADIUS_SERVER
     server name RADIUS_SERVER1

    ! Additional support for CoA: the RADIUS server connects back to the
    ! switch (udp/1700 by default on Cisco IOS), so this direction also
    ! needs to be permitted on the firewall
    aaa server radius dynamic-author
     client x.x.x.x server-key 0 MYRADIUSKEY

    ! Activate dot1x globally; without this no port will authenticate
    dot1x system-auth-control

    ! Create the dot1x method lists: authenticate against the group, pull
    ! authorization (VLAN, dACL) from it and send start/stop plus interim accounting
    aaa authentication dot1x default group MY_RADIUS_SERVER
    aaa authorization network default group MY_RADIUS_SERVER
    aaa authorization network auth-list group MY_RADIUS_SERVER
    aaa accounting dot1x default start-stop group MY_RADIUS_SERVER
    aaa accounting update newinfo

    ! Activate dot1x (and MAB) on the access port
    interface GigabitEthernet1/0/1
     switchport mode access
     switchport access vlan 20
     switchport voice vlan 2
     ! Try MAB first, but let a dot1x supplicant win if one shows up
     authentication order mab dot1x
     authentication priority dot1x mab
     ! On failure fall through to the next method; if no RADIUS server
     ! answers, put the port in VLAN 20 instead of blocking it (fail-open)
     authentication event fail action next-method
     authentication event server dead action authorize vlan 20
     authentication port-control auto
     authentication periodic
     ! One data and one voice device per port
     authentication host-mode multi-domain
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 10
     dot1x timeout supp-timeout 5
     spanning-tree portfast edge

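The reply describes the roles in the exchange (switch as authenticator, RADIUS server as authentication server, a shared key on both sides) but not what actually crosses the firewall on udp/1812. The following is an added example, not code from the post or from Cisco/NPS: it models one MAB Access-Request/Access-Accept round trip offline using the RFC 2865/2869 primitives (User-Password hiding, Message-Authenticator, Response Authenticator). The shared secret, the NAS address `10.0.20.1` and the MAC addresses are made-up values.

```python
"""Offline model of the RADIUS exchange behind wired 802.1X/MAB: the switch
(authenticator) builds an Access-Request, the RADIUS server (authentication
server) validates it and replies, and the switch verifies the reply.
Added example, not code from the post; secret, MAC and NAS address are made up."""
import hashlib
import hmac
import os
import struct

SECRET = b"MYRADIUSKEY"       # assumed shared secret, must match on both sides
NAS_IP = "10.0.20.1"          # assumed switch management SVI
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, TUNNEL_TYPE = 31, 61, 64
TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 65, 80, 81
CALL_CHECK, ETHERNET, VLAN, IEEE_802 = 10, 15, 13, 6


def avp(t, value):
    """One Type-Length-Value attribute (length includes the 2-byte header)."""
    return bytes([t, 2 + len(value)]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same secret to get it back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Header + attributes; with a secret, append Message-Authenticator =
    HMAC-MD5(secret, packet with that attribute zeroed), RFC 2869 5.14."""
    body = b"".join(attrs)
    if secret is not None:
        header = struct.pack("!BBH16s", code, ident, 20 + len(body) + 18, authenticator)
        mac = hmac.new(secret, header + body + avp(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
        body += avp(MESSAGE_AUTHENTICATOR, mac)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body


def parse_attrs(packet):
    attrs, i = {}, 20
    while i + 1 < len(packet) and packet[i + 1] >= 2:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs


def mab_access_request(mac, ident, secret):
    """What a Cisco switch sends for a MAB endpoint: the MAC is both User-Name
    and User-Password, Service-Type is Call-Check."""
    ra = os.urandom(16)                      # Request Authenticator
    attrs = [avp(USER_NAME, mac.encode()),
             avp(USER_PASSWORD, hide_password(mac.encode(), secret, ra)),
             avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
             avp(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
             avp(CALLING_STATION_ID, mac.encode()),
             avp(NAS_PORT_TYPE, struct.pack("!I", ETHERNET))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs, secret)


def server_handle(request, secret, allowed_macs, vlan="20"):
    """Check Message-Authenticator, recover the password, reply Accept (with a
    VLAN assignment) or Reject. A secret mismatch means silent discard (None),
    which the switch experiences as a dead server, not as a rejection."""
    _, ident, _, req_auth = struct.unpack("!BBH16s", request[:20])
    attrs = parse_attrs(request)
    given = attrs.get(MESSAGE_AUTHENTICATOR)
    if given is None:
        return None
    zeroed = request.replace(avp(MESSAGE_AUTHENTICATOR, given), avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), given):
        return None
    mac = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    if mac.decode(errors="replace") in allowed_macs and attrs[USER_NAME] == mac:
        code, reply = ACCESS_ACCEPT, [avp(TUNNEL_TYPE, struct.pack("!I", VLAN)),
                                      avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802)),
                                      avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode())]
    else:
        code, reply = ACCESS_REJECT, []
    body = b"".join(reply)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    head = struct.pack("!BBH16s", code, ident, 20 + len(body), req_auth)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), hashlib.md5(head + body + secret).digest()) + body


def switch_verify_reply(reply, request, secret):
    """Accept a reply only if it echoes our Identifier and its Response
    Authenticator was computed with our secret over our Request Authenticator."""
    code, ident, length, resp_auth = struct.unpack("!BBH16s", reply[:20])
    head = struct.pack("!BBH16s", code, ident, length, request[4:20])
    expected = hashlib.md5(head + reply[20:] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, resp_auth):
        return None
    return code


def run_exchange(mac, switch_secret, server_secret, allowed_macs):
    """One round trip over a simulated wire: 'accept', 'reject' or 'no-response'."""
    request = mab_access_request(mac, 42, switch_secret)
    reply = server_handle(request, server_secret, allowed_macs)
    if reply is None:
        return "no-response"
    code = switch_verify_reply(reply, request, switch_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "no-response")
```

The third outcome is the one worth remembering when the switch and the server sit in different subnets: a blocked udp/1812 and a mismatched shared secret look identical from the switch side (no reply, server marked dead, the `server dead action` kicks in), whereas a wrong MAC or user produces an explicit Access-Reject. Checking the firewall log and the NPS event log tells the two apart.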