If there is one thing we all know when it comes to network security, it is that we need to know just who and what are on our networks. That’s a very broad and easy statement to make though. In the past, authentication started with wireless users. First it was static pre-shared key authentication, and later enterprise-grade authentication started being used. The methods have changed here and there, but Dot1X (802.1X) authentication has become the standard.
Now a lot of users are shifting to using wireless connectivity, that’s no secret, but that absolutely does not mean that wired network access can be overlooked. Arguments can be made that wired authentication can even be MORE important. That’s where the need to configure wired Dot1X authentication comes into play. Regardless of what you have in place for a RADIUS server to handle these requests, this Cisco Dot1X Setup Guide will outline how to configure your Cisco Catalyst switch to handle new connections and reach out to your RADIUS server for user and device authentication.
Dot1X Global Configuration
The first thing that needs to be done is to enable “aaa new-model”. Without that, other commands in this guide will not be available and we will not be able to use the needed aaa method lists we’ll set up later in this guide. This is done with one simple command:
iosvl2-0(config)#aaa new-model
From there, the next commands in this guide become available to use. The first step is adding a RADIUS server. This is pretty straightforward, and unless you’ve changed them elsewhere in your environment, you can use the standard ports as well. Let’s get that new server added. In my case, it’s an ISE version 3.0 server, if the server name didn’t give it away:
iosvl2-0(config)#radius server ISE30
iosvl2-0(config-radius-server)#address ipv4 172.16.1.200 auth-port 1812 acct-port 1813
iosvl2-0(config-radius-server)#timeout 2
iosvl2-0(config-radius-server)#retransmit 1
iosvl2-0(config-radius-server)#key theroutingtable
Now the RADIUS server has been globally added. We need to create aaa server groups next. This allows you to configure everything using a group of servers rather than just one, for redundancy. In this example though, I will only be using one since it’s just a lab for me. The next commands create your aaa server group with the new RADIUS server we just defined:
iosvl2-0(config)#aaa group server radius dot1x
iosvl2-0(config-sg-radius)#server name ISE30
Now that our RADIUS servers are all defined, we need to set up the global authentication, authorization, and accounting commands that you might have seen before. Again, remember the earlier names you used and make sure they match in these commands. Use caution if you already have aaa methods configured on your switch as well.
iosvl2-0(config)#aaa authentication dot1x default group dot1x
iosvl2-0(config)#aaa accounting dot1x default start-stop group dot1x
iosvl2-0(config)#aaa authorization network default group dot1x
Lastly, in terms of needed global commands, there is one more command we are looking to enter. This command actually enables Dot1X globally. To do so, the command is:
Dot1X Port Level Configuration
The last thing to do before your switch will begin trying to authenticate users and devices with your RADIUS server is to enable authentication on a port-level basis. You can do this on one interface or use the interface range command to enable it on multiple interfaces. There are two commands to accomplish this. Those would be:
iosvl2-0(config)#interface Gi0/0
iosvl2-0(config-if)#authentication port-control auto
iosvl2-0(config-if)#dot1x pae authenticator
From here, go ahead and try connecting a device to the switch you are working with. You should begin seeing requests from the switch flow to the RADIUS server you defined in the earlier steps.
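The guide relies on the server and group names matching across commands, so the following added example (not part of the original post) is a Python check that audits a saved configuration for that and for the other pieces configured above. The sample configuration is constructed with deliberate mistakes, the function name is hypothetical, and `dot1x system-auth-control` is the standard IOS command for enabling 802.1X globally, which does not appear in the post's text.

```python
import re

# Constructed sample (not from the post): group member "ISE3O" is a typo for
# "ISE30", Gi0/0 lacks the PAE command, and the global enable is absent.
SAMPLE_CONFIG = """\
aaa new-model
radius server ISE30
 address ipv4 172.16.1.200 auth-port 1812 acct-port 1813
aaa group server radius dot1x
 server name ISE3O
aaa authentication dot1x default group dot1x
aaa accounting dot1x default start-stop group dot1x
aaa authorization network default group dot1x
interface GigabitEthernet0/0
 authentication port-control auto
interface GigabitEthernet0/1
 authentication port-control auto
 dot1x pae authenticator
"""

METHOD_RE = re.compile(r"aaa (?:authentication dot1x|accounting dot1x|"
                       r"authorization network) default .*\bgroup (\S+)")

def audit_dot1x(config):
    """Return findings for missing or mismatched 802.1X settings."""
    sections, current = {}, None  # top-level command -> indented sub-commands
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    servers = {k.split()[2] for k in sections if k.startswith("radius server ")}
    groups = {k.split()[4]: v for k, v in sections.items()
              if k.startswith("aaa group server radius ")}
    findings = [f"missing global command: {c}"
                for c in ("aaa new-model", "dot1x system-auth-control") if c not in sections]
    findings += [f"group {g}: undefined radius server {s.split()[2]}"
                 for g, subs in groups.items() for s in subs
                 if s.startswith("server name ") and s.split()[2] not in servers]
    findings += [f"method list references undefined group: {k}" for k in sections
                 if (m := METHOD_RE.match(k)) and m[1] not in groups]
    findings += [f"{k.split()[1]}: port-control auto without dot1x pae authenticator"
                 for k, v in sections.items() if k.startswith("interface ")
                 and "authentication port-control auto" in v and "dot1x pae authenticator" not in v]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dot1x(SAMPLE_CONFIG)))
```

Run against the constructed sample, it reports the missing global enable, the mistyped server name in the group, and the port that has port-control without the authenticator role.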
There are a lot of different things to consider before enabling this globally on your switches though. How many devices do you have on each switchport? Are IP Phones used? Is CDP enabled? I say all of that because there is a lot to consider with Dot1X design in your network. I’ll cover some of these things in future posts.