  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 541

HOW TO ENABLE ROUTER COMMANDS FOR RADIUS

Hi, I've set up and configured 'radius/IAS' & tested a successful logon via a client PC.

I also added a 'VPN' as a way to confirm 'radius/IAS' was configured correctly as per experts' advice and the client could still log on successfully, confirming my configurations were correct.

Prior to setting up the VPN I also downloaded a program called 'Radl' which tests if 'radius' was configured correctly, but it showed an error, so I went through my instructions and the error disappeared, so I assumed I had configured it correctly. Then I set up the 'VPN' and the client could log on also.

On the other side of this question, I wanted to know how to practically add the commands below. So if I was to plug my server with the above configurations direct into my fa0/0 port, is this where I would then use the commands? With what I have done already above, I'm not sure how to do the below:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

I'm assuming I would not configure 'radius/IAS' on the Server as it would be going direct via the router, dependent on the company's hardware/IOS etc. - not sure!!
0
mikey250
Asked:
mikey250
2 Solutions
 
donmanrobb Commented:
Not quite sure what you are asking :)
0
 
mikey250 (Author) Commented:
I have never ever used these commands although I have them. So I wanted to know how I connect devices up in the simplest terms and where I add these commands?

This part I add on a router:

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

This part I add on a switch:

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto


But what do I configure on the Server?
0
 
donmanrobb Commented:
Why are you configuring dot1x? Are you trying to set up Windows Network Policy Server or NAP protection?
0
 
mikey250 (Author) Commented:
I just want to know how to make use of it so I know. As for whether it is used with Windows Network Policy Server or NAP protection, I wouldn't have a clue. Once I know then that it is!!!!!!!!!!!! :)
0
 
donmanrobb Commented:
Ok then...

aaa new-model
radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius
dot1x system-auth-control

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto

is configured entirely on the switch since it is doing the dot1x, not the router.
Additionally you will need to add aaa authentication login default local to ensure you don't lock yourself out of the switch.

All other configuration would be done on the radius server.

0
 
mikey250 (Author) Commented:
OK!!!! But if I have already successfully configured, just to test I can practically do it, i.e. set up: Win 2003 server, DNS, DHCP AND Radius/IAS AND allow a user to log on successfully, then WHY do I NEED to add the following:

radius-server host x.x.x.x key xxx123
aaa authentication dot1x default group radius

when Win 2003 Radius & IAS - that does the AAA process - is already done?

I'm assuming, although my previous Win 2003, DNS & DHCP & SP2 added & Radius/IAS are successful, that it is because I am now using a 'Switch' that I have to NOW repeat the above?
0
 
mikey250 (Author) Commented:
I've looked on one of my 'routers' and 'aaa new-model' etc. etc. as per main thread CAN ALSO use these commands, which presumably means if 'NO SWITCH' is being used and the 'server' is plugged directly into the 'eth/fa0' port then this can be done!!!??

As it is suggested that a router is 'NOT USED', although obviously the following command should be added on a switch, I am 'NOT' sure what I am to do with this command below:?

int fa0/1
switchport mode access
spanning-tree portfast
dot1x port-control auto
0
 
donmanrobb Commented:
aaa authentication dot1x default group radius allows the switch to be the 802.1x enforcement point; if the IAS server denies authentication then the switch can take action.

Pretty much any Cisco device supports AAA commands, but since you're probably not connecting users directly into your router ports you probably don't need dot1x set up on the router at this time.

On the switch the idea is you would add

switchport mode access
dot1x port-control auto

To each user port you want to use 802.1x with, which would basically mean if they are compliant they can access your network but if they are not (like a guest user) they will not be permitted on the network.
0
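A way to check a switch configuration for the points made in this thread, added here as an example (not code from any poster): the global AAA/RADIUS/dot1x commands, the local login fallback, and `dot1x port-control auto` on every access port. The sample config, its address and key are constructed, and the parser assumes full `interface` names as they appear in a saved running configuration.

```python
import re

# Constructed sample: no local login fallback, and Fa0/2 is an unenforced access port.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key EXAMPLE-KEY
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
"""

REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication dot1x default group radius": r"^aaa authentication dot1x default group radius\b",
    "aaa authentication login default local": r"^aaa authentication login default\b.*\blocal\b",
    "radius-server host": r"^radius-server host \S+",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}

def parse(config):
    """Split an IOS-style config into global lines and per-interface command lists."""
    glob, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(line)          # indented line belongs to the open interface
        else:
            current = None                # "!" or a global command closes the block
            if line and line != "!":
                glob.append(line)
    return glob, interfaces

def audit(config):
    """Return (missing global commands, access ports without 802.1X enforcement)."""
    glob, interfaces = parse(config)
    missing = [n for n, pat in REQUIRED.items() if not any(re.search(pat, g) for g in glob)]
    unenforced = [name for name, cmds in interfaces.items()
                  if "switchport mode access" in cmds
                  and "dot1x port-control auto" not in cmds]
    return missing, unenforced
```

Running `audit(SAMPLE)` reports the missing local login fallback and FastEthernet0/2 as an access port that would admit a device without 802.1X authentication.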
 
mikey250 (Author) Commented:
just to bring a bit of clarity to my own comments in relation to the experts just as a reminder to myself if I need to look back!!!
0
