Solved

HOW TO ENABLE ROUTER COMMANDS FOR RADIUS

Posted on 2011-03-10
Last Modified: 2012-06-21
Hi, I've set up and configured 'radius/IAS' & tested via a client PC, successful logon.

I also added a 'VPN' as a way to confirm 'radius/IAS' was configured correctly as per experts' advice and the client could still log on successfully, confirming my configurations were correct.

I also, prior to setting up the VPN, downloaded a program called 'Radl' which tests if 'radius' was configured correctly, but it showed an error, so I went through my instructions and the error disappeared, so I assumed I had configured it correctly.  Then I set up the 'VPN' and the client could log on also.

On the other side of this question, I wanted to know how to practically add the commands below. If I was to plug my server with the above configurations direct into my fa0/0 port, is this where I would then use the commands? With what I have done already above, I'm not sure how to do the below:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

I'm assuming I would not configure 'radius/IAS' on the server as it would be going direct via the router, dependent on the company's hardware/IOS etc. - not sure!!
0
Question by:mikey250
9 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35128177
Not quite sure what you are asking :)
0
 

Author Comment

by:mikey250
ID: 35146923
I have never ever used these commands although I have them.  So I wanted to know how I connect devices up in the simplest terms and where I add these commands?

This part I add on a router:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

This part I add on a switch:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto


But what do I configure on the Server?
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35151004
Why are you configuring dot1x? Are you trying to set up Windows Network Policy Server or NAP protection?
0
 

Author Comment

by:mikey250
ID: 35155169
I just want to know how to make use of it so I know.  As for if it is used with Windows Network Policy Server or NAP protection, I wouldn't have a clue.  Once I know then that it is!!!!!!!!!!!! :)
0
 
LVL 11

Accepted Solution

by:
donmanrobb earned 500 total points
ID: 35157613
Ok then...

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

is configured entirely on the switch, since it is doing the dot1x, not the router.
Additionally you will need to add aaa authentication login default local to ensure you don't lock yourself out of the switch.

All other configuration would be done on the radius server.

0
 

Author Comment

by:mikey250
ID: 35171781
OK!!!!  But if I have already successfully configured, just to test I can practically do it, i.e. set up:  Win 2003 server, DNS, DHCP AND Radius/IAS AND allow a user to log on successfully, then WHY do I NEED to add the following:

"radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius"

when Win 2003 Radius & IAS - that does the AAA process is already done?

I'm assuming, although my previous Win 2003, DNS & DHCP & SP2 added & Radius/IAS are successful, I'm assuming it is because I am now using a 'Switch' that I have to NOW repeat the above?
0
 

Author Comment

by:mikey250
ID: 35171800
I've looked on one of my 'routers' and 'aaa new-model' etc. etc. as per main thread CAN ALSO use these commands, which presumably means if 'NO SWITCH' is being used and the 'server' is plugged directly into the 'eth/fa0' port then this can be done!!!??

As it is suggested that a router is 'NOT USED', although obviously the following command should be added on a switch, I'm 'NOT' sure what I am to do with this command below:?

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto
0
 
LVL 11

Assisted Solution

by:donmanrobb
donmanrobb earned 500 total points
ID: 35172773
aaa authentication dot1x default group radius allows the switch to be the 802.1x enforcement point; if the IAS server denies authentication then the switch can take action.

Pretty much any Cisco device supports AAA commands, but since you're probably not connecting users directly into your router ports you probably don't need dot1x set up on the router at this time.

On the switch the idea is you would add

switchport mode access
dot1x port-control auto

To each user port you want to use 802.1x with, which would basically mean if they are compliant they can access your network but if they are not (like a guest user) they will not be permitted on the network.
0
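Added example (not part of the thread or any poster's code): a short Python check that audits a switch configuration for the points made in the two answers above, namely the global AAA/802.1X lines, the local login fallback that prevents lock-out, and dot1x port-control auto on every access port. It assumes the standard IOS forms radius-server host <ip> key <key> and dot1x system-auth-control; the sample configuration, address and key are constructed placeholders.

```python
import re

# Constructed sample config (not from the thread); address and key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
"""

# Global (unindented) lines the answers call for, including the local login fallback.
GLOBAL_CHECKS = {
    "aaa new-model": r"^aaa new-model$",
    "radius server defined": r"^radius-server host \S+",
    "dot1x method list uses radius": r"^aaa authentication dot1x default group radius\b",
    "dot1x enabled globally": r"^dot1x system-auth-control$",
    "login falls back to local": r"^aaa authentication login default\b.*\blocal\b",
}

def audit(config: str) -> dict:
    """Return missing global settings and access ports without 802.1X."""
    lines = [l.rstrip() for l in config.splitlines()]
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not any(re.match(pat, l) for l in lines)]
    ports, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line.startswith(" ") and current:
            ports[current].append(line.strip())  # sub-command of the interface
        else:
            current = None  # "!" or a global line ends the interface block
    open_ports = [name for name, body in ports.items()
                  if "switchport mode access" in body
                  and "dot1x port-control auto" not in body]
    return {"missing_global": missing, "unprotected_access_ports": open_ports}
```

Running audit(SAMPLE_CONFIG) reports the missing local login fallback and FastEthernet0/2 as an access port without 802.1X; the trunk port is not flagged.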
 

Author Closing Comment

by:mikey250
ID: 35193341
just to bring a bit of clarity to my own comments in relation to the experts just as a reminder to myself if I need to look back!!!
0


Question has a verified solution.
