Solved

Cisco Dot1x Monitor Mode

Posted on 2014-03-02
5
1,214 Views
Last Modified: 2014-03-04
Hello All,

Our 802.1X testbed setup is connected to our Active Directory DC and appears to be set up
correctly and working fine.  We are using machine authentication using PEAP .  Supplicants are successfully authenticating when trying to connect to the network.

My question is,  what commands in addition to "Authentication Open" do I need to place on
Cisco 3750X and 3750G switches running IOS version 1502 into "monitor mode"?

Also,  once the port\interface is configured for monitor mode,  will the ACS 5X server generate radius logs if the SUPPLICANT SUCCESSFULLY AUTHENTICATES or does it only
generate a radius log if there are authentication issues?

And finally.  When I issue the "Show dot1x interface xxx",  commnad,  I am not seeing anything in the output when I try to use monitor mode.

Thanks in advance.

ray
0
Comment
Question by:Rayneedssomehelp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39899947
This should be all you need on a switchport to enable monitor mode (assuming you've already configured global 802.1x settings...

 interface range GigabitEthernet1/0/1 - 10
  authentication open
  authentication port-control auto
  dot1x pae authenticator
  mab
  authentication host-mode multi-auth

Open in new window


The RADIUS logs will show successes and failures.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39899950
I 'think' that you don't see anything when you use the 'Show dot1x interface xxx' command because you're only able to see accounting messages, not authentications at the switch.  To see authentications you need to check the RADIUS Authentication logs in the ACS.
0
 

Author Comment

by:Rayneedssomehelp
ID: 39900638
The only commands I had on the interface was Authentication Open and Authentication host-mode multi-auth.

Does not the "Show dot1x interface xxx" command tell you if the port is enabled for the
Dot1X protocol?  Which of the commands  aformentioned will actually enable 802.1x  on
a switch interface assuming that global configs are already correct?

Ray
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39900753
show authentication session interface gi1/0/1 will show you if authentication is working on the port.

If it is you'll see something like this...

sh authent sess int g1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0040.9668.9896
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  10
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000AAAAAAAAAAA
      Acct Session ID:  0x00000CCB
               Handle:  0x2E000FF0
0
 

Author Comment

by:Rayneedssomehelp
ID: 39901130
CRAIGBECK,

Thanks for clearing this up!  I think I was confused by the fact that apparently there are 2 different syntaxes for configuring Cisco switch interfaces for 802.1x...It depends on the IOS.
.
One starts with "Authentication" and the other starts off with "dot1x" in the syntax

I got confused because I did not know which ones to use.  I just configured as many commands as I could on the port until I got it to work and allow authentication.

Thanks again!

Ray
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Palo Alto Networks Global Protect 2 177
IT usage Policies for a new staff joining the organisation. 4 124
Network Security Solution 7 74
SOC, SIEM, IPS and FW 4 64
This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question