802.1x configuration for switch Ports

Hi All,
I am looking for help with a specific problem with a custom implementation of 802.1x.
Currently it's set as below:
 authentication control-direction both
 authentication host-mode single-host
 no authentication open
 authentication priority dot1x mab
 authentication port-control auto
 no authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate 3600
 authentication timer inactivity 0
 authentication violation shutdown
 no authentication fallback
 mab radius
 dot1x pae authenticator
 dot1x timeout quiet-period 60
 dot1x timeout server-timeout 0
 dot1x timeout tx-period 15
 dot1x timeout supp-timeout 30
 dot1x timeout ratelimit-period 0
 dot1x max-req 2
 dot1x max-reauth-req 2
Trying to understand what parameter I need to change to stop laptops/desktops losing access after going into sleep mode.
Any help is appreciated.

You might want to activate periodic authentication. I have not tested it myself, but I believe this should help.

Similar Messages

  • 802.1x configuration for 3500 switch and 2800 switch

    Can anyone point me to a document on how to do a 3500 switch 802.1x configuration as well as a 2800 switch? How do you define the server auth-port? Thanks

    Even though this link is for CAT6k, it has some very useful screenshots that will help you to successfully implement dot1x:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml
    Regards
    Farrukh

  • 802.1x on the switch port and Macintosh doesn't work

    * When .1x is turned on for a port where a Mac is connected, after the Mac goes to sleep it doesn't get prompted to authenticate until the link on the port is dropped and reinstated? The Mac does not continue to have network access.
    * When the same occurs for a port where a Windows machine is connected, there is an immediate prompt for authentication?
    Has anyone had this issue? Does anyone know of a solution?
    We are using Cisco ISE 1.2.0 and Cisco 3750 switches with version 12.2(55)SE8.

    After 2 TAC cases the solution comes from Apple. Version 10.10 has resolved issues with 802.1x.

  • Template(best practice) for Switch ports

    Hi,
    Looking for best practice advice on switchport config for client facing ports.
    We recently had an incident where an access port turned into a trunk(trunk mode desirable), which we obviously do not want to happen again!
    For access ports (the first two should stop DTP, I'm hoping?):
    switchport mode access
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree guard root
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 10
    And for trunk ports to clients:
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan xxx,xxx
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree bpdufilter enable
    spanning-tree guard root
    Thanks in advance.

    Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
    That's Cisco's branch design doc from Design Zone.
    For those that want a fast answer:
    For VoIP phones and PC:
    interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
    description phone with PC connected to phone
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    mls qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    For data only:
    interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
    description DATA only ports
    switchport access vlan 102
    switchport mode access
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    That's Cisco's recommendation.
    And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs a switch into your environment, shut the port down... that makes it hard for them to do anything malicious.
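    To turn the access-port template discussed in this thread into something that can be checked across a whole switch, here is an added example (not from the thread or from Cisco) that parses an IOS-style running-config and reports user-facing ports missing the DTP, port-security and BPDU protections. The running-config excerpt is constructed for the example, and the list of required commands is an assumption that follows the template and the bpduguard preference stated above; adjust it to your own site standard.

```python
import re

# Constructed running-config excerpt (made up for this example): one user
# port follows the thread's hardened template, one was left at defaults,
# and one is a trunk uplink that the audit must skip.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description user port, hardened
 switchport access vlan 102
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port, left at defaults
 switchport access vlan 102
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
"""

# Assumption: these are the lines this site wants on every user-facing
# access port, taken from the template in the thread. Each entry is the
# exact config line plus the risk its absence leaves open.
ACCESS_PORT_REQUIRED = [
    ("switchport mode access", "port may negotiate itself into a trunk via DTP"),
    ("switchport nonegotiate", "DTP frames are still exchanged with the host"),
    ("switchport port-security", "no limit on MAC addresses learned on the port"),
    ("spanning-tree bpduguard enable", "a BPDU from an unexpected switch keeps the port up"),
]


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS running-config.

    Interface blocks start at 'interface X' and end at the first line that
    is not indented (IOS prints '!' between blocks)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def is_trunk(lines):
    """Trunk ports are out of scope for the access-port checks."""
    return "switchport mode trunk" in lines


def audit_access_ports(config):
    """For each non-trunk port, list the required lines it is missing.

    Returns {interface_name: ["<command> (<risk>)", ...]} for ports with findings."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if is_trunk(lines):
            continue
        missing = [f"{cmd} ({why})" for cmd, why in ACCESS_PORT_REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, problems in audit_access_ports(RUNNING_CONFIG).items():
        print(port)
        for p in problems:
            print("  missing:", p)
```

    The checks are exact line matches, so a port carrying only `switchport port-security maximum 10` without the bare `switchport port-security` line is still reported, which is the right outcome: the maximum has no effect until port-security itself is enabled. Feed it the output of `show running-config` saved to a file to audit a real switch.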

  • Discovering MAC addresses for Switch ports

    Hello and thanks for looking at my question,
    My company has inherited a network which has some very poor documentation. We really have no clue, nor does the customer, what machines are connected to what switch ports.
    My co-worker and I were discussing the best way to find this out with the least amount of effort, but can't agree on a single solution. Any recommendations would be greatly appreciated.
    Thanks.
    Sincerely,
    Brent

    Brent,
    After you do the 'sho arp' and now have MAC to IP translation, do a 'sho mac-address table' to show MAC to port translation. Save both tables to an Excel spreadsheet and tie them together. You should be able to come up with a good cross reference table (depending upon your Excel skills).
    This also gives you a switch-by-switch breakout. It's also a very helpful troubleshooting method to find rogue devices and shut down a port (for instance).
    Hope this is helpful.
    Jim
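    The spreadsheet join Jim describes can be scripted. The following is an added example (not from the thread) that parses constructed `show arp` and `show mac address-table` output, joins the two on MAC address to give an IP-to-MAC-to-port cross reference, and then flags non-uplink ports that have learned more than one MAC, which is where an unmanaged switch, a hub or a rogue device tends to show up. The sample output and addresses are made up; the `uplinks` parameter is an assumption you fill in from your own topology.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the layout of IOS 'show arp'
# and 'show mac address-table'. All addresses are made up.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.11             5   0011.2233.4455  ARPA   Vlan20
Internet  10.10.20.12             0   0011.2233.4466  ARPA   Vlan20
Internet  10.10.20.13            12   0011.2233.4477  ARPA   Vlan20
Internet  10.10.20.1              -   00aa.bbcc.dd01  ARPA   Vlan20
"""

SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0011.2233.4466    DYNAMIC     Gi1/0/7
  20    0011.2233.4477    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 4
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)", re.I)


def parse_arp(text):
    """Return {mac: ip} from 'show arp' output; header lines do not match."""
    out = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            out[m.group(2).lower()] = m.group(1)
    return out


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from 'show mac address-table' output."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            out[mac.lower()] = (int(vlan), port)
    return out


def cross_reference(arp_text, mac_text):
    """Join the two tables on MAC.

    Returns a sorted list of (port, vlan, mac, ip); ip is None when the MAC
    has no ARP entry (e.g. a host that has not talked to the gateway yet)."""
    arp = parse_arp(arp_text)
    rows = [(port, vlan, mac, arp.get(mac)) for mac, (vlan, port) in parse_mac_table(mac_text).items()]
    rows.sort(key=lambda r: (r[0], r[1], r[2]))
    return rows


def ports_with_multiple_macs(rows, uplinks=()):
    """Ports that learned more than one MAC and are not known uplinks.

    A user port normally carries one MAC (two with an IP phone); more than
    that suggests an unmanaged switch, a hub or a rogue device behind it."""
    by_port = defaultdict(list)
    for port, _vlan, mac, _ip in rows:
        if port not in uplinks:
            by_port[port].append(mac)
    return {port: macs for port, macs in by_port.items() if len(macs) > 1}


if __name__ == "__main__":
    table = cross_reference(SHOW_ARP, SHOW_MAC)
    for port, vlan, mac, ip in table:
        print(f"{port:10} vlan {vlan:<4} {mac}  {ip or '(no ARP entry)'}")
    print("ports with several MACs:", ports_with_multiple_macs(table, uplinks=("Gi1/0/48",)))
```

    Run `show arp` on the device that routes the VLAN (the switch itself only has ARP entries for its own SVIs) and `show mac address-table` on each access switch, then feed the saved outputs in. Because the join is keyed on MAC, a host that appears in the MAC table but not in ARP still gets a row, with the IP left empty rather than dropped.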

  • Is it possible to configure the switch port to mode trunk if I m going to put a Pc on that port?

    If the answer is yes, then what are the advantages and disadvantages of doing this? I've proved this with real switches by configuring the ports as trunks with a PC, and the PC can ping other PCs that are on the same VLAN or configured as trunk. I would like to know why that happens?

    Hi,
    It may work; you can configure an interface connecting to a host as a trunk link, but only if you want that host to receive data from multiple VLANs, since trunks allow all VLANs by default.
    Usually, on a switch you configure VLANs to logically divide the users and to avoid flooding all the users with all the information from multiple VLANs which they do not need and which causes an unnecessary burden on the ports carrying traffic.
    Hope this helps.

  • AP 802.1X switched port-authentication

    Hi,
    I've setup EAP authentication (PEAP) to authenticate WLAN client on an AP.
    The AP is connected to a switch where the port is not configured for 802.1X.
    On this switched port I enabled 802.1X in multi-host mode to authenticate the AP as a client too, but since it's enabled I've not been able to authenticate the WLAN client any more, due to the fact that the port will not transition to Authorized.
    If I connect a PC using 802.1X on the same port, this is working fine.
    Am I missing something to configure on the switch or AP?
    Any suggestions are appreciated.
    Regards
    Omar

    Omar,
    There's a gotcha with this...most likely a trunk issue...
    Here is a snippet for EAPOL guidelines:
    Authentication Configuration Guidelines
    This section provides the guidelines for configuring 802.1x authentication on the switch:
    802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
    802.1x is supported only on Ethernet ports.
    Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
    802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
    802.1x authentication is not supported with the sc1 interface.
    You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
    You cannot enable trunking on an 802.1x port.
    You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
    You cannot enable DVLAN on an 802.1x port.
    You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
    You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
    You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
    You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
    Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
    Here is the url for the link:
    http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697

  • Access Point configuration for flat network

    We have recently acquired a remote location which has a pre-existing flat network (172.16.X.X/16). Before we are able to convert them over to our new IP scheme, they have a need to have wireless connectivity on site. We have 4 1142's which I need to configure for them. I have experience configuring WLC's and autonomous AP's for networks with multiple VLANs but have never configured AP's for a flat, single-subnet network. I need to configure them for either guest access (internet only) or corporate access to network resources with RADIUS authentication. Do I configure a native VLAN as I would for a typical multi-VLAN network? Do I configure the switch port as an access port as opposed to a trunk because of the lack of layer 3? I basically need a sample configuration for this situation.

    Since you are on a flat network, you just need to configure the SSID; no need for subinterfaces. With the AP only servicing the one VLAN you can leave the port as an access port as well.
    As they are on the only subnet, I wouldn't do a 'guest' SSID. I would go with just the corporate SSID with WPA2/AES/802.1x. So the config is exactly the same for the RADIUS server and the SSID, but greatly simplified since you don't have to sub-interface anything.
    Steve

  • Switch port configuration for 3500i AP

    Hi,
    We are due to install a brand new enterprise WLAN based on the WiSM2 platform, 3502i AP and WCS. The APs will be plugged into the 2960S-24TPS-L.
    I have scanned over all documentation and cannot for the life of me find a recommended switch port configuration for connecting the AP to the switch in terms of speed / duplex etc. For example, should I just configure the port to auto detect, or is forcing the speed / duplex the way to go. I could also do with knowing other best practice configurations for AP connectivity.
    Any help would be greatly appreciated.
    Chris.

    The AP comes online with just auto detect, but I want to know if there are any benefits to forcing this to 1Gbps / Full duplex, or even if this is the right way to go. I suspect auto detect is the best method.

  • Configuration Cisco switch 802.1x for ISE

    Hi dears,
    I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for the Cisco switch.
    Please provide this.
    Thanks.

    See this link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works. http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.
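    The warning above about tx-period values under 10 seconds comes down to arithmetic on the timers. As an added example (not from the thread or from Cisco's documentation), the script below parses the dot1x timer lines from an interface config, using the values shown in the opening post, and works out how long a host that never answers EAP-Request/Identity has before the switch gives up on 802.1X and falls through to MAB. That window is tx-period multiplied by (max-reauth-req + 1), the initial request plus its retries, which is the relationship Cisco's wired 802.1X deployment guidance describes; the IOS default values in the code are an assumption to be confirmed with `show dot1x interface` on your platform.

```python
import re

# Constructed interface config block. The timer values are the ones the
# opening post of this thread shows; the block itself is assembled here.
DOT1X_CONFIG = """\
 dot1x timeout quiet-period 60
 dot1x timeout server-timeout 0
 dot1x timeout tx-period 15
 dot1x timeout supp-timeout 30
 dot1x timeout ratelimit-period 0
 dot1x max-req 2
 dot1x max-reauth-req 2
"""

# Assumed IOS defaults, used when a line is absent from the config.
# Verify them for your platform with 'show dot1x interface <port>'.
DEFAULTS = {
    "tx-period": 30,
    "quiet-period": 60,
    "supp-timeout": 30,
    "max-req": 2,
    "max-reauth-req": 2,
}

TIMEOUT_RE = re.compile(r"^\s*dot1x timeout (\S+) (\d+)\s*$")
MAX_RE = re.compile(r"^\s*dot1x (max-req|max-reauth-req) (\d+)\s*$")


def parse_dot1x_timers(config):
    """Return the timer dict, starting from DEFAULTS and overriding with
    whatever 'dot1x timeout ...' and 'dot1x max-...' lines are present."""
    timers = dict(DEFAULTS)
    for line in config.splitlines():
        m = TIMEOUT_RE.match(line) or MAX_RE.match(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers


def mab_fallback_seconds(timers):
    """Seconds a host that never answers EAP-Request/Identity waits before
    the switch abandons 802.1X on the port and tries MAB.

    The authenticator sends the first request immediately, then resends it
    max-reauth-req times, waiting tx-period between attempts, so the total
    is tx-period * (max-reauth-req + 1)."""
    return timers["tx-period"] * (timers["max-reauth-req"] + 1)


def quiet_after_failure_seconds(timers):
    """Seconds the authenticator stays in the HELD state after a failed
    exchange before it will start authentication on the port again."""
    return timers["quiet-period"]


def compare_tx_periods(timers, candidates=(5, 10, 15, 30)):
    """Show how the MAB fallback window shrinks as tx-period is lowered,
    holding max-reauth-req fixed. A short window means a supplicant that
    is slow to wake (a laptop coming out of sleep, for instance) can miss
    all the identity requests and be treated as a MAB host."""
    return {tx: mab_fallback_seconds({**timers, "tx-period": tx}) for tx in candidates}


if __name__ == "__main__":
    t = parse_dot1x_timers(DOT1X_CONFIG)
    print("timers:", t)
    print("no-supplicant host falls to MAB after", mab_fallback_seconds(t), "s")
    print("port stays quiet after a failure for", quiet_after_failure_seconds(t), "s")
    for tx, window in compare_tx_periods(t).items():
        print(f"tx-period {tx:>2}s -> MAB after {window:>3}s")
```

    With the opening post's values (tx-period 15, max-reauth-req 2) a silent host reaches MAB after 45 seconds; at tx-period 5 that becomes 15 seconds, which is the behaviour the reply above warns about: devices that do have a supplicant but answer slowly end up authenticated by MAB instead of 802.1X. Raising quiet-period, as the reply suggests, lengthens the pause after each failed attempt rather than the fallback window.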

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features called MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration, or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • LMS 4.2 - How do I find switch ports that are configured as trunks.

    I've been tasked with finding all switch ports that are configured as Trunks. We plan to use LMS 4.2 to push (via Netconfig) new interface level commands to all user (non-trunked) ports. From my experience, this poses a problem because we do not know which ports are configured as trunks -vs- user ports.
    Using Netconfig is not going to be easy since there is no way to script this. It would be great if I could run a show command on a switch and then have CWSI perform a change based upon the output.
    In other words, we need a way to run a job based upon the output of a command.
    Is there a section of LMS that I could use for help with this?
    Thanks,

    You need to go to Monitoring > Dashboard. Here just click the switch in the listed devices and then click the interface; you will find all the down and up interfaces with their type of configuration (i.e. trunk or access).

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switchports are configured to validate the connected device with 802.1x.
    However, when a wireless access point that is running FlexConnect is connected, I have to make a "mac bypass" for the AP MAC address and add the multi-host command to the port config.
    I'd really like to move away from the mac bypass, but keep the multi-host command, and install a certificate on the AP. Does anyone have any ideas about how to get the AP itself to authenticate?

    Hi,
    The AP can act as an 802.1x supplicant if it is connected to an 802.1x-enabled switch port.
    Cisco unified APs, however, support only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Switch configuration for AP's

    We are trying to install a 2106 controller with a few 1261 AP's which we have downgraded to Lightweight.
    We are getting our head around the 2106 config but am unsure as to what config to put on the switchport the AP's connect to.
    As far as our reading goes, it is best practice to plug the AP's into a network switch and trunk VLANs from the switch to the controller.
    Bit confused about the way the AP's connect to the switch.
    Thanks
    Roger

    Hi,
    As I understand it, you need to map an existing VLAN subnet to your WLAN.
    You will have interfaces which you first need to configure on your controller:
    1) Management IP of the WLC
    2) AP-manager
    3) Dynamic interface, which will be used to map the VLAN to the respective WLAN
    4) Virtual
    Procedure:
    1) If you do not have a separate DHCP server configured, first create the VLAN, then configure an SVI interface with an IP address and a DHCP pool for your AP to get an IP address on the L3 switch which is connected to your controller, with the default-router command pointing to your switch.
    2) Log in to your controller through the console and configure the management IP address.
    Command: WLC( config ) > interface address management ... ip address... mask .... gateway ( it will be your switch )
    Configure the AP-manager interface with the above command using the ap-manager option.
    Now on the switch side, configure the one port which is connected to your controller as a TRUNK.
    Connect the AP to any port configured with the above VLAN which you configured on the L3 switch.
    Now the AP should get registered; then follow the procedure below for getting clients connected to the respective WLAN:
    3) Once that is configured, log in to the GUI of the controller and configure the dynamic interface with the existing VLAN subnet, and give the DHCP server IP address if you have one, or else configure the DHCP pool for users also.
    4) Go to the "wireless" option.
    5) Select the respective WLAN and map the VLAN to the respective dynamic interface.
    Check whether clients get an IP address.
    Please let me know if you have any doubts about it.
