Solved

HOW TO ENABLE ROUTER COMMANDS FOR RADIUS

Posted on 2011-03-10
Last Modified: 2012-06-21
Hi, I've set up and configured 'radius/IAS' and tested a successful logon via a client PC.

I also added a 'VPN' as a way to confirm 'radius/IAS' was configured correctly, as per the experts' advice, and the client could still log on successfully, confirming my configurations were correct.

Also, prior to setting up the VPN, I downloaded a program called 'Radl' which tests if 'radius' was configured correctly, but it showed an error, so I went through my instructions and the error disappeared, so I assumed I had configured it correctly.  Then I set up the 'VPN' and the client could log on also.

On the other side of this question, I wanted to know how to practically add the commands below. If I was to plug my server with the above configurations directly into my fa0/0 port, is this where I would then use the commands? With what I have done already above, I'm not sure how to do the below:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

I'm assuming I would not configure 'radius/IAS' on the server, as it would be going direct via the router, dependent on the company's hardware/IOS etc. - not sure!!
Question by:mikey250
9 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35128177
Not quite sure what you are asking :)
0
 

Author Comment

by:mikey250
ID: 35146923
I have never ever used these commands, although I have them.  So I wanted to know how I connect devices up in the simplest terms and where I add these commands.

This part I add on a router:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

This part I add on a switch:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto


But what do I configure on the Server?
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35151004
Why are you configuring dot1x? Are you trying to set up Windows Network Policy Server or NAP protection?
0
 

Author Comment

by:mikey250
ID: 35155169
I just want to know how to make use of it so I know.  As for whether it is used with Windows Network Policy Server or NAP protection, I wouldn't have a clue.  Once I know, then that is it!!! :)
0
 
LVL 11

Accepted Solution

by:
donmanrobb earned 500 total points
ID: 35157613
Ok then...

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

is configured entirely on the switch, since it is doing the dot1x, not the router.
Additionally, you will need to add 'aaa authentication login default local' to ensure you don't lock yourself out of the switch.

All other configuration would be done on the radius server.

0
 

Author Comment

by:mikey250
ID: 35171781
OK!!!!  But if I have already successfully configured, just to test that I can practically do it, i.e. set up: Win 2003 server, DNS, DHCP AND Radius/IAS AND allow a user to log on successfully, then WHY do I NEED to add the following:

"radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius"

when Win 2003 Radius & IAS - that does the AAA process - is already done?

I'm assuming that, although my previous Win 2003, DNS & DHCP & SP2 added & Radius/IAS are successful, it is because I am now using a 'Switch' that I have to NOW repeat the above?
0
 

Author Comment

by:mikey250
ID: 35171800
I've looked on one of my 'routers' and, as for 'aaa new-model' etc. etc. as per the main thread, it CAN ALSO use these commands, which presumably means that if 'NO SWITCH' is being used and the 'server' is plugged directly into the 'eth/fa0' port then this can be done!!!??

As it is suggested that a router is 'NOT USED', although obviously the following command should be added on a switch, I'm 'NOT' sure what I am to do with this command below:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto
0
 
LVL 11

Assisted Solution

by:donmanrobb
donmanrobb earned 500 total points
ID: 35172773
'aaa authentication dot1x default group radius' allows the switch to be the 802.1x enforcement point; if the IAS server denies authentication then the switch can take action.

Pretty much any Cisco device supports AAA commands, but since you're probably not connecting users directly into your router ports, you probably don't need dot1x set up on the router at this time.

On the switch the idea is you would add

switchport mode access
dot1x port-control auto

to each user port you want to use 802.1x with, which would basically mean that if they are compliant they can access your network, but if they are not (like a guest user) they will not be permitted on the network.
0
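
Added example (not part of the original thread and not any poster's code): a small Python check that reads a switch running-config and reports which of the global commands from the two solutions above are missing, and which access ports have no 'dot1x port-control auto'. It assumes the IOS command forms 'radius-server host ...' and 'dot1x system-auth-control'; the sample config, the address 192.0.2.10 and the key are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample running-config; address and key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key PLACEHOLDER-KEY
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/24
 switchport mode trunk
"""

# Global commands the switch needs before it can act as the 802.1X enforcement point.
GLOBAL_CHECKS = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication login default local": r"^aaa authentication login default .*\blocal\b",
    "aaa authentication dot1x default group radius": r"^aaa authentication dot1x default group radius\b",
    "radius-server host": r"^radius-server host \S+",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global level
    return interfaces

def audit(config):
    """Return (missing global commands, access ports without 802.1X enforcement)."""
    missing = [name for name, pattern in GLOBAL_CHECKS.items()
               if not re.search(pattern, config, re.MULTILINE)]
    open_ports = [name for name, cmds in parse_interfaces(config).items()
                  if "switchport mode access" in cmds
                  and "dot1x port-control auto" not in cmds]
    return missing, open_ports

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Trunk ports are skipped on purpose, since the advice above applies 802.1X to user-facing access ports only.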
 

Author Closing Comment

by:mikey250
ID: 35193341
Just to bring a bit of clarity to my own comments in relation to the experts, just as a reminder to myself if I need to look back!!!
0


Question has a verified solution.
