Solved

HOW TO ENABLE ROUTER COMMANDS FOR RADIUS

Posted on 2011-03-10
Last Modified: 2012-06-21
Hi, I've set up and configured 'radius/IAS' & tested via a client PC: successful logon.

I also added a 'VPN' as a way to confirm 'radius/IAS' was configured correctly as per experts' advice, and the client could still log on successfully, confirming my configurations were correct.

Prior to setting up the VPN I also downloaded a program called 'Radl', which tests if 'radius' was configured correctly, but it showed an error, so I went through my instructions and the error disappeared, so I assumed I had configured it correctly.  Then I set up the 'VPN' and the client could log on also.

On the other side of this question, I wanted to know how to practically add the commands below. So if I was to plug my server with the above configurations direct into my fa0/0 port, is this where I would then use the commands? With what I have done already above, I'm not sure how to do the below:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

I'm assuming I would not configure 'radius/IAS' on the server, as it would be going direct via the router, dependent on the company's hardware/IOS etc. - not sure!!
Question by:mikey250
9 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35128177
Not quite sure what you are asking :)
0
 

Author Comment

by:mikey250
ID: 35146923
I have never ever used these commands although I have them.  So I wanted to know how I connect devices up in its simplest terms and where I add these commands?

This part I add on a router:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

This part I add on a switch:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto


But what do I configure on the Server?
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35151004
Why are you configuring dot1x? Are you trying to set up Windows Network Policy Server or NAP protection?
0
 

Author Comment

by:mikey250
ID: 35155169
I just want to know how to make use of it so I know.  As for if it is used with Windows Network Policy Server or NAP protection, I wouldn't have a clue.  Once I know then that it is!!!!!!!!!!!!1:)
0

 
LVL 11

Accepted Solution

by:
donmanrobb earned 500 total points
ID: 35157613
Ok then...

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

is configured entirely on the switch, since it is doing the dot1x, not the router.
Additionally you will need to add 'aaa authentication login default local' to ensure you don't lock yourself out of the switch.

All other configuration would be done on the radius server.

0
 

Author Comment

by:mikey250
ID: 35171781
OK!!!!  But if I have already successfully configured, just to test I can practically do it, i.e. set up:  win 2003 server, dns, dhcp AND Radius/IAS AND allow a user to log on successfully, then WHY do I NEED to add the following:

"radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius"

when Win 2003 Radius & IAS - that does the AAA process is already done?

I'm assuming, although my previous win 2003, dns & dhcp & sp2 added & Radius/IAS are successful, it is because I am now using a 'Switch' that I have to NOW repeat the above?
0
 

Author Comment

by:mikey250
ID: 35171800
I've looked on one of my 'routers' and 'aaa new-model' etc etc as per main thread CAN ALSO use these commands, which presumably means if 'NO SWITCH' is being used and the 'server' is plugged directly into the 'eth/fa0' port then this can be done!!!??

As it is suggested that a router is 'NOT USED', although obviously the following command should be added on a switch, I'm 'NOT' sure what I am to do with this command below:?

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto
0
 
LVL 11

Assisted Solution

by:donmanrobb
donmanrobb earned 500 total points
ID: 35172773
'aaa authentication dot1x default group radius' allows the switch to be the 802.1x enforcement point; if the IAS server denies authentication then the switch can take action.

Pretty much any Cisco device supports AAA commands, but since you're probably not connecting users directly into your router ports, you probably don't need dot1x set up on the router at this time.

On the switch the idea is you would add

switchport mode access
dot1x port-control auto

To each user port you want to use 802.1x with, which would basically mean if they are compliant they can access your network but if they are not (like a guest user) they will not be permitted on the network.
0
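
A defender-side check for the points made in the accepted and assisted answers, as an added example that is not part of the original thread: it reads IOS-style config text and reports which of the global commands discussed here are missing (including the local login fallback) and which access ports lack 'dot1x port-control auto'. The function names, the sample config, the 192.0.2.10 address and the key are constructed for illustration, and it assumes the classic IOS spellings 'radius-server host ...' and 'dot1x system-auth-control'.

```python
import re

# Global commands the thread places on the switch (the 802.1X authenticator).
REQUIRED_GLOBAL = {
    "aaa new-model": r"aaa new-model$",
    "radius-server host": r"radius-server host \S+",
    "aaa authentication dot1x": r"aaa authentication dot1x default group radius\b",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
    # Local fallback from the accepted answer, so admin logins are not locked out.
    "aaa authentication login default local": r"aaa authentication login default\b.*\blocal\b",
}

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if re.match(r"(interface|int) ", raw):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[:1].isspace() and current is not None and raw.strip():
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" separator or a new global command
    return interfaces

def audit(config):
    """Return (missing global commands, access ports lacking 802.1X)."""
    top = [l.rstrip() for l in config.splitlines() if l and not l[0].isspace()]
    missing = [name for name, pat in REQUIRED_GLOBAL.items()
               if not any(re.match(pat, l) for l in top)]
    unprotected = [name for name, cmds in parse_interfaces(config).items()
                   if "switchport mode access" in cmds
                   and "dot1x port-control auto" not in cmds]
    return missing, unprotected

# Constructed sample config; the address and key are placeholders.
SAMPLE = """\
aaa new-model
radius-server host 192.0.2.10 key EXAMPLE-ONLY
aaa authentication dot1x default group radius
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/24
 switchport mode trunk
"""
```

Calling audit(SAMPLE) reports the missing local login fallback and FastEthernet0/2 as an access port without 802.1X; the trunk port is not flagged because it is not in access mode.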
 

Author Closing Comment

by:mikey250
ID: 35193341
just to bring a bit of clarity to my own comments in relation to the experts just as a reminder to myself if I need to look back!!!
0
