AAA using Radius with 802.1x

Hello there,
We're going to be implementing 802.1x on our network of some really old switches (6509 CatOS with MSFC2). We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS. How is that going to work? Do I just add another RADIUS server in my radius-server command and, more importantly, will .1x work on CatOS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old CatOS switches to see what kind of gotchas I can expect to run into.
Any advice or assistance would be greatly appreciated!
Thanks
Kiley

Salodh,
Thanks, but that document is for a 2950 and we have a 6509. The good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks, no access ports. Thanks very much for your reply!

Similar Messages

  • AAA using RADIUS

    Good morning all,
    I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco devices. I have configured the ACS to perform group mapping for the personnel I want to give access privileges to. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local authentication with enable privileges for our console. Can this be done? Any help would be appreciated.
    Dwane

    For routers and IOS switches:
    aaa new-model
    aaa authentication banner *Unauthorized Access Prohibited*
    aaa authentication login default group radius
    radius-server host 10.10.10.10 (your acs device)
    radius-server key cisco123
    radius-server configure-nas
    username nmg password telnet
    aaa authentication ppp dialins group radius local
    aaa authentication login nmg local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius
    aaa processes 16
    line 1 16
    login authentication
    For CatOS switches:
    set radius server 10.10.10.10
    show radius
    set radius key cisco123
    set authentication login radius enable
    set authentication enable radius enable
    show authentication
    set radius timeout 5
    set radius retransmit 3
    set radius deadtime 3
    For Pix Firewalls:
    aaa authentication ssh console radius LOCAL
    aaa authentication telnet console radius LOCAL
    aaa-server radgroup protocol RADIUS
    max-failed-attempts 2
    reactivation-mode depletion deadtime 5
    exit
    (NOTE: This will depending on the location of the pix firewall)
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXXX
    exit
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXX
    exit
    This is pretty much what we used for the configurations in our test. It looks like most of your switches are IOS based, so that will be nice for you.
    If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative and click Submit & Restart.
    Hope this helps some. I had a lot of help from Cisco TAC on this.
    Dwane

  • School network uses WEP with 802.1x  Encryption How do I connect?

    My university uses WEP with IEEE 802.1x encryption with Protected EAP. There are two wireless networks I can connect to and they both use the same security settings. In order to connect on my laptop, I have to enter a user name and password. I have to use the same user name and password to log on with my iPod touch. The problem is that while both school networks show up on my touch, I cannot connect to either because I am only prompted for a password when I need to enter both a user name and password. As far as I can tell, this is not possible on my touch.
    Is there a correct way to do this? Is this feature even supported by the iPod touch? Any help would be greatly appreciated.
    Thank you

    Followed your links and did some searching on the website.
    found this page: http://www.calumet.purdue.edu/ctis/wireless_drop.html
    And I think this might be the problem:
    "How Wireless Access Works
    Wireless access points emanate radio signals in a similar manner to non-cellular cordless phones. The signals are strong enough to be received up to 50 to 100 feet from each access point (and possibly further, if the access point is equipped with an external antenna). These signals can be received by laptops and PDA's that are equipped with a standard 802.11b/g wireless card. This feature can be requested when ordering a new laptop computer, or an 802.11b/g card can be purchased and added to most older laptops. _Please note that the iPhone, iTouch, and any device with a palm OS is not compatible with the wireless network_."

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (BayStack 470, ERS 5530 and 5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server" (depending on the device type)
    But in my ACS View, I can see: "Authentication succeeded."
    I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS authentication using other brands of devices.
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the Nortel RADIUS VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication we stay within the IETF RADIUS standards, no?).
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - Default Network Access
    Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Store - Internal Users
    24210 Looking up User in Internal Users IDStore - radius
    24212 Found User in Internal Users IDStore
    22037 Authentication Passed
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    11002 Returned RADIUS Access-Accept
    So I think the ACS does its job.

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using the Windows XP supplicant, a Catalyst 2950 and FreeRADIUS as the RADIUS server.
    I can log in correctly, so the port is in Authorized mode, but I can't download the VLAN ID through the RADIUS server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
    but when I insert these into the RADIUS DB (I have also tried with the text file config...) I can see from the RADIUS debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the Access-Accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that RADIUS is not sending anything about the VLAN...
    Has anyone already tried this setup?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS attribute [26\9\1]).
    You don't need VSAs for VLAN assignment. You can do this with three standard RADIUS attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,
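    As an added example (not part of the thread, and not FreeRADIUS or IOS code), here is what the two variants above look like on the wire: the three RFC 2868 tunnel attributes (64, 65, 81) beside the Cisco AV-pair VSA (26, vendor 9, subtype 1) that the FreeRADIUS debug showed, and a decoder that walks an Access-Accept attribute list the way a switch does when it looks for a VLAN. The packet bodies are constructed, and the "what the switch would do" rule is a reading of RFC 2868 (all three attributes present, same tag, Tunnel-Type VLAN, medium 802), not captured IOS behaviour. Tunnel-Private-Group-ID may carry a VLAN ID or a VLAN name.

```python
"""Added example: RADIUS VLAN assignment attributes on the wire (RFC 2865/2868).
Encodes the three tunnel attributes and the Cisco AV-pair VSA, then decodes an
Access-Accept attribute list to see whether a VLAN was actually sent.
All packets are constructed here; no RADIUS header/authenticator is included."""
import struct
from typing import Dict, List, Optional, Tuple

USER_NAME = 1
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value "802"

Attr = Tuple[int, bytes]


def attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte (0 = untagged) plus a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(tag: int, value: str) -> bytes:
    return bytes([tag]) + value.encode()


def vlan_attributes(vlan: str, tag: int = 0) -> bytes:
    """The three standard attributes; vlan is a VLAN ID ("2") or a VLAN name."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, tagged_str(tag, vlan)))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): 4-byte Vendor-Id 9, then vendor type 1 / length / string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attributes(data: bytes) -> List[Attr]:
    """Walk the TLV list; a bad Length is rejected instead of being skipped over."""
    out: List[Attr] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(attrs: List[Attr]) -> Optional[str]:
    """VLAN the port would be placed in, or None ("radius didn't send any vlan").
    All three attributes must be present with the same tag, Tunnel-Type must be
    VLAN and Tunnel-Medium-Type 802. A first byte above 0x1F in attribute 81 is
    string data rather than a tag (RFC 2868 section 3.6)."""
    by_tag: Dict[int, Dict[int, object]] = {}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            by_tag.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            by_tag.setdefault(tag, {})[atype] = body.decode(errors="replace")
    for _tag, d in sorted(by_tag.items()):
        if (d.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and d.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in d):
            return str(d[TUNNEL_PRIVATE_GROUP_ID])
    return None


# Constructed Access-Accept bodies: the VSA-only reply from the debug above,
# and the same reply carrying the three standard attributes instead.
ACCEPT_VSA_ONLY = attr(USER_NAME, b"test") + cisco_avpair("tunnel-type=VLAN")
ACCEPT_STANDARD = attr(USER_NAME, b"test") + vlan_attributes("2")

if __name__ == "__main__":
    for name, body in (("VSA only", ACCEPT_VSA_ONLY), ("RFC 2868", ACCEPT_STANDARD)):
        types = [t for t, _ in parse_attributes(body)]
        print(f"{name}: attributes {types} -> vlan {assigned_vlan(parse_attributes(body))}")
```

    Running it prints the attribute types the switch would log (compare the "Attribute 26 ..." lines in the 2950 debug) and the VLAN decision; the VSA-only reply yields no VLAN, the standard one yields "2". The tag byte is the usual silent failure: a server that emits Tunnel-Private-Group-ID with a different tag from the two integer attributes produces a reply the switch parses but does not act on.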

  • RV220W - Wrong NAS Port-Type using RADIUS for 802.11

    Hi everyone
    I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
    The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
    All the authentication attempts arrive at the server, but they fail to authenticate because the Cisco RV220W is not transmitting a "NAS-Port-Type" attribute and therefore the RADIUS server rejects the requests.
    This is what the request from the RV220W looks like on the server:
    And this is a request from a similar Zyxel Router:
    How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
    Thank you for your support!

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI front end for configuring it, which only allows adding AirPort base stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base station.
    However, if you follow the normal command-line instructions and steps for configuring FreeRADIUS, it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid, in this case to authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid proxy server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • I have a new MBRP. On wired Ethernet it can be used as a wireless hotspot. Since 802.11ac gets better range I'd like to use it with 802.11ac as a hotspot for my older 802.11g/n devices. Can I do that?

    I know that if I use wired Ethernet then the MBRP can be a wireless hotspot for other devices. Since the MBRP supports 802.11ac and I have a new 802.11ac wireless router, it gets much better range than my older 802.11g/n devices. There are places in the house where the MBRP connects to the wireless but where older 802.11g/n devices are out of range. In those rooms I'd like to use my MBRP, connected to the network wirelessly using 802.11ac, as a hotspot for the nearby 802.11g/n devices. Anyone know if that can be done and how to do it?

    Turn on Internet Sharing in Sharing preferences. Share the Ethernet connection to wireless.

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, could someone post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments, and other technology sets that can be used for dynamic VLAN assignment, except the deprecated/obsolete VMPS?
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication, the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted RADIUS, etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics for, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.
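    The reply above stops short of the FreeRADIUS side, so here is an added example (mine, not from the thread or from the FreeRADIUS project) that turns the question's Switch A table into FreeRADIUS users-file stanzas for the MAC-as-username scheme: user name and password both the MAC in lower case without separators, reply items the three RFC 2868 attributes under their stock FreeRADIUS dictionary names. The table is constructed from the question; the function names are mine. The reply above puts the VLAN name in Tunnel-Private-Group-Id; Cisco IOS accepts either the name or the ID there, and this sample uses the IDs the question gives.

```python
"""Added example: FreeRADIUS users-file entries for MAC-based authentication
with dynamic VLAN assignment, generated from a MAC -> VLAN table and read back
for verification. The table is constructed from the question's "Switch A"."""
import re
from typing import Dict, Iterable, List, Tuple

SWITCH_A: List[Tuple[str, str]] = [
    ("aaaa.bbbb.cccc", "10"),
    ("bbbb.cccc.dddd", "20"),
]


def normalize_mac(mac: str) -> str:
    """Cisco aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff, aa-bb-..., or bare hex -> 12 lower-case
    hex digits, the form the reply says to use for both user name and password."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def users_entry(mac: str, vlan: str) -> str:
    """One users-file stanza: check item on the first line, reply items indented,
    every reply item but the last terminated with a comma."""
    m = normalize_mac(mac)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", vlan):   # VLAN ID or a plain VLAN name
        raise ValueError(f"unexpected VLAN value: {vlan!r}")
    return (f'{m}\tCleartext-Password := "{m}"\n'
            f'\tTunnel-Type = VLAN,\n'
            f'\tTunnel-Medium-Type = IEEE-802,\n'
            f'\tTunnel-Private-Group-Id = "{vlan}"\n')


def users_file(table: Iterable[Tuple[str, str]]) -> str:
    """Render the whole table. The same MAC mapped to two VLANs is a config error;
    an exact duplicate row is collapsed."""
    seen: Dict[str, str] = {}
    stanzas: List[str] = []
    for mac, vlan in table:
        m = normalize_mac(mac)
        if m in seen:
            if seen[m] != vlan:
                raise ValueError(f"{m} mapped to VLAN {seen[m]} and {vlan}")
            continue
        seen[m] = vlan
        stanzas.append(users_entry(m, vlan))
    return "\n".join(stanzas)


_ENTRY = re.compile(r'^([0-9a-f]{12})\tCleartext-Password := "\1"\n'
                    r'(?:\t[^\n]+,\n)*\tTunnel-Private-Group-Id = "([^"]+)"\n', re.M)


def vlan_map(users_text: str) -> Dict[str, str]:
    """Read a generated file back as mac -> vlan so a deployment can be diffed
    against the intended table."""
    return {m.group(1): m.group(2) for m in _ENTRY.finditer(users_text)}


if __name__ == "__main__":
    print(users_file(SWITCH_A))
```

    Treat this as identification, not authentication: the "password" is the MAC address, which any host on the segment can read and spoof, so VLANs reached this way should be ones you would be comfortable giving an unauthenticated device, and the printer-class devices that need it should be kept off the VLANs real 802.1X users land in.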

  • CCKM with 802.1x authentication

    Hi,
    Can we use CCKM authentication with the 802.1x layer 2 authentication method? I read in one Cisco article that we can't use CCKM with 802.1x authentication. Please find the URL below; it says that if you choose 802.1x as the layer 2 authentication method, then we can't use CCKM. Kindly suggest.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
    Regards,
    Jubair.S

    Yes, You can. 
    Refer to this document, which clearly states it:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
    802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • ASA - logging via radius with group name passed.

    Hi,
    I'm trying to set up an ASA5520 with RADIUS to authenticate users with group privileges.
    Using RADIUS with the ASA to authenticate users is quite simple. When I try to pass from the ASA the tunnel-group name (with group-policy and attributes attached), there is a problem: the ASA doesn't pass any group name to RADIUS.
    Is there any way to overcome it?
    What I want to do is apply different policies to a user name depending on which tunnel-group name he logs in to WebVPN with. I assume one user may be a member of different groups.
    br
    Marcin

    It's possible.
    Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
    Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
    Long winded, I know...any questions, please ask.

  • Using Non-Apple 802.11N Adapters with Airport Extreme

    I have an Airport Extreme Base Station but both N-enabled and G-enabled Macs in the house. I'd really like to set up the network as an N network. And since I can upgrade the Airport Cards in the older Macs, can I use 3rd party 802.11N adapters (USB 2.0 for example) to get the older Macs onto the N network? Otherwise, it seems to defeat the purpose of having the 802.11N-enabled Airport Extreme and iMacs.
    I see that Netgear and Edimax have such adapters, but neither lists Mac OSX as a supported OS.
    Thank you.

    Thank you for your comment. But unfortunately, I still need to run my non-N machines. So I think my choices are:
    1. Try somehow to replace the older Airport Cards in those machines with N-Cards which seem like a pain
    2. Have 2 networks, one N and one non-N
    3. Try some of these 3rd Party USB or PC Card Slot N-Adapters
    Seems like 3. is the least painful option?
    Any advice on whether I can use 3rd Party N-Adapter would be very appreciated! Thanks again!

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, my team is looking for switches supporting 802.1x authentication with either the EAP-TTLS or EAP-TLS protocol and dynamic VLAN assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found that only the SLM224G4PS and SLM224G4S models support EAP-TLS or EAP-TTLS. Am I right? Do they support dynamic VLAN assignment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce support for EAP-TLS/EAP-TTLS but no dynamic VLAN assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS, unlike the SRW switches, which support MD5. But I don't think that they support dynamic VLANs.

  • Using RADIUS without enabling AAA

    Is there any way I can use a RADIUS server without enabling/using AAA?
    Is there any command like "ip auth radius ..."?
    Couldn't find anything on Cisco as such.

    Swapnendu
    Am I correct in assuming that you are talking about IOS based routers or CatOS switches? If so, I believe that the only way to use RADIUS is to use AAA.
    HTH
    Rick

  • Using an Older (802.11g) Airport Extreme as bridge with Time Capsule

    Several people have inquired about the possibility of having older (802.11g) computers and devices connected through their Time Capsules without disturbing the 802.11n capabilities of their newer equipment.
    The latest version of Designing AirPort Networks Using AirPort Utility --
    http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf -- explains (pp. 48-49) that one can configure a dual-band (2.4 GHz & 5 GHz) network of this type by setting up the "second device [i.e., the older Airport Extreme] as a bridge." What is lacking is a clear (at least to me) way of configuring the 2.4 GHz Extreme as such a bridge, although the text states that one need only follow instructions "earlier in this chapter" (which begins at p. 14). When I try to do this, the AirPort Extreme shows up as a separate network.
    Obviously, I am doing something wrong. Can someone walk me through how to configure the AirPort Extreme as a bridge?
    Thanks.

    The Mac support people walked me through a solution to my question about using an older (802.11g) AirPort Extreme and a Time Capsule to form a dual network. The solution turns out to be pretty easy, but I am posting it in case anyone else has a similar problem.
    Here's what was involved:
    N-capable equipment: MacBook Pro, iMac, Time Capsule.
    B/G-capable equipment: AirPort Extreme (flying saucer 802.11g); Mac G4; older (802.11g) AirPort Express supporting a network printer; IBM ThinkPad running Windows XP (w/ Service Pack 2).
    Step 1: Using AirPort Utility (manual setup), I set the Time Capsule to run at 5 GHz (click on "Wireless" then "Radio Mode"). Under the same "Wireless" tab, I assigned a 13-digit WPA2 password to this network (more about this later). If you opt to use the 5 GHz frequency, you have the choice of WPA2 or nothing. After saving your settings, exit out of the AirPort Utility; you are done with the Time Capsule.
    Step 2: Reset the AirPort Extreme to its default settings by depressing the small reset button while the device is plugged in.
    Step 3: I reopened AirPort Utility, accessed the Extreme and clicked manual setup. (You will lose your connection to the Time Capsule at this point, but this is okay.) At the top of the screen that opens in response to clicking "manual setup," click "Internet" and set "connection sharing" to "Off (Bridge Mode)". Next click "AirPort" at the very top of the screen: under "Base Station" I named the Extreme "G network" and set up a network password. Under "Wireless" I next set up a WEP 40-bit password which was identical to the WPA2 password I used for the Time Capsule. Using a WEP password was necessary, because some of the older computers were not WPA2 compatible. I kept the passwords identical simply as a matter of convenience.
    Step 4: Connect the AirPort Extreme to the Time Capsule using an Ethernet cable between the WAN port of the Extreme, and one of the three LAN ports on the Time Capsule. There is a small, green LED recessed in the LAN port socket; if it lights up, you are in business.
    Step 5: Using a pin, I reset the 802.11g AirPort Express to its default settings, opened AirPort Utility (no need for manual setup for this), named the Express "Printer" and added it to the G network in a conventional manner by following the setup prompts. (If anyone needs help with this, let me know). Exit out of AirPort Utility and reopen it to refresh; all wireless devices (3 in my case) should be visible and lighted green.
    Step 6: I set up the MacBook Pro and the iMac to join the 5 GHz Time Capsule network, and everything else to run on the G network. At this point, everything appears to be working. I can, for example, print a document from my MacBook Pro (N network) to the network printer which is on the G network. (Because the older computers belong to my daughters, I'll never know if file sharing across the networks is a possibility.)
    I take no credit for any of this; it was all accomplished through the efforts of very patient Mac support people.
    Carl

  • WPA with 802.1x authentication

    Hi experts,
    I need clarification in a fundamental concept.
    Is it possible to configure WPA with 802.1x authentication without an external AAA / ACS server?
    If the username and password are configured on the local device, is it possible to do 802.1x authentication without a RADIUS server?
    Thanks in advance.
    Regards, RB

    You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
    aaa group server radius rad_eap
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid ccie
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    radius-server local
    nas 192.168.0.1 key cisco
    user test password test
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
    LAP Controller local EAP is configurable through GUI
