Solved

HOW TO ENABLE ROUTER COMMANDS FOR RADIUS

Posted on 2011-03-10
Last Modified: 2012-06-21
Hi, I've set up and configured 'radius/IAS' and tested it via a client PC with a successful logon.

I also added a 'VPN' as a way to confirm 'radius/IAS' was configured correctly as per experts' advice, and the client could still log on successfully, confirming my configurations were correct.

Also, prior to setting up the VPN, I downloaded a program called 'Radl' which tests if 'radius' was configured correctly, but it showed an error, so I went through my instructions and the error disappeared, so I assumed I had configured it correctly. Then I set up the 'VPN' and the client could log on also.

On the other side of this question, I wanted to know how to practically add the commands below. If I was to plug my server with the above configurations directly into my fa0/0 port, is this where I would then use the commands? With what I have done already above, I'm not sure how to do the below:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

I'm assuming I would not configure 'radius/IAS' on the server, as it would be going directly via the router, dependent on the company's hardware/IOS etc. - not sure!!
0
Question by:mikey250
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35128177
Not quite sure what you are asking :)
0
 

Author Comment

by:mikey250
ID: 35146923
I have never ever used these commands although I have them. So I wanted to know how I connect devices up in its simplest terms and where I add these commands?

This part I add on a router:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

This part I add on a switch:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto


But what do I configure on the Server?
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35151004
Why are you configuring dot1x? Are you trying to set up Windows Network Policy Server or NAP protection?
0
 

Author Comment

by:mikey250
ID: 35155169
I just want to know how to make use of it so I know. As for whether it is used with Windows Network Policy Server or NAP protection, I wouldn't have a clue. Once I know, then that it is!!! :)
0
 
LVL 11

Accepted Solution

by:
donmanrobb earned 2000 total points
ID: 35157613
Ok then...

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

is configured entirely on the switch since it is doing the dot1x, not the router.
Additionally you will need to add aaa authentication login default local to ensure you don't lock yourself out of the switch.

All other configuration would be done on the radius server.

0
 

Author Comment

by:mikey250
ID: 35171781
OK!!!! But if I have already successfully configured, just to test I can practically do it, i.e. set up Win 2003 server, DNS, DHCP AND Radius/IAS AND allowed a user to log on successfully, then WHY do I NEED to add the following:

"radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius"

when Win 2003 Radius & IAS - that does the AAA process - is already done?

I'm assuming, although my previous Win 2003, DNS & DHCP & SP2 added & Radius/IAS are successful, I'm assuming it is because I am now using a 'Switch' that I have to NOW repeat the above?
0
 

Author Comment

by:mikey250
ID: 35171800
I've looked on one of my 'routers' and 'aaa new-model' etc. etc. as per the main thread CAN ALSO use these commands, which presumably means if 'NO SWITCH' is being used and the 'server' is plugged directly into the 'eth/fa0' port then this can be done!!!??

As it is suggested that a router is 'NOT USED', although obviously the following command should be added on a switch, I'm 'NOT' sure what I am to do with this command below:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto
0
 
LVL 11

Assisted Solution

by:donmanrobb
donmanrobb earned 2000 total points
ID: 35172773
aaa authentication dot1x default group radius allows the switch to be the 802.1x enforcement point, if the IAS server denies authentication then the switch can take action.

Pretty much any Cisco device supports AAA commands, but since you're probably not connecting users directly into your router ports you probably don't need dot1x set up on the router at this time.

On the switch the idea is you would add

switchport mode access
dot1x port-control auto

To each user port you want to use 802.1x with, which would basically mean if they are compliant they can access your network but if they are not (like a guest user) they will not be permitted on the network.
0
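Added example (not part of the thread, and not Cisco's or the posters' code): a small Python check that a switch running-config contains the global lines and per-port lines the two answers above describe, including the 'aaa authentication login default local' lockout guard. It assumes the IOS forms 'radius-server host <ip> key <secret>' and 'dot1x system-auth-control'; the sample config, address and key are constructed.

```python
import re

# Constructed sample running-config (not from the thread): fa0/1 is set up as the
# answers describe, fa0/2 is an access port left without 802.1X, fa0/24 is a trunk.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key EXAMPLE-ONLY
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
"""

# Global lines the accepted answer relies on; the patterns are this example's assumption.
GLOBAL_CHECKS = {
    "aaa new-model": r"^aaa new-model$",
    "radius server defined": r"^radius-server host \S+",
    "dot1x method list uses radius": r"^aaa authentication dot1x default group radius\b",
    "802.1X enabled globally": r"^dot1x system-auth-control$",
    "local login fallback (lockout guard)": r"^aaa authentication login default\b.*\blocal\b",
}

def audit_dot1x(config):
    """Return (missing global settings, access ports without dot1x port-control auto)."""
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not re.search(pat, config, re.MULTILINE)]
    unprotected = []
    # Interface sub-commands are indented, so each block runs until the next unindented line.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.MULTILINE):
        name, body = m.group(1), m.group(2)
        lines = [l.strip() for l in body.splitlines()]
        if "switchport mode access" in lines and "dot1x port-control auto" not in lines:
            unprotected.append(name)
    return missing, unprotected

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE_CONFIG))
```

Run against a saved copy of the switch's running-config, an empty first list and an empty second list mean every access port is an 802.1X enforcement point and a local login method is still available.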
 

Author Closing Comment

by:mikey250
ID: 35193341
just to bring a bit of clarity to my own comments in relation to the experts just as a reminder to myself if I need to look back!!!
0
