Solved

Cisco Dot1x Monitor Mode

Posted on 2014-03-02
5
1,129 Views
Last Modified: 2014-03-04
Hello All,

Our 802.1X testbed setup is connected to our Active Directory DC and appears to be set up
correctly and working fine.  We are using machine authentication using PEAP .  Supplicants are successfully authenticating when trying to connect to the network.

My question is,  what commands in addition to "Authentication Open" do I need to place on
Cisco 3750X and 3750G switches running IOS version 1502 into "monitor mode"?

Also,  once the port\interface is configured for monitor mode,  will the ACS 5X server generate radius logs if the SUPPLICANT SUCCESSFULLY AUTHENTICATES or does it only
generate a radius log if there are authentication issues?

And finally.  When I issue the "Show dot1x interface xxx",  commnad,  I am not seeing anything in the output when I try to use monitor mode.

Thanks in advance.

ray
0
Comment
Question by:Rayneedssomehelp
  • 3
  • 2
5 Comments
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39899947
This should be all you need on a switchport to enable monitor mode (assuming you've already configured global 802.1x settings...

 interface range GigabitEthernet1/0/1 - 10
  authentication open
  authentication port-control auto
  dot1x pae authenticator
  mab
  authentication host-mode multi-auth

Open in new window


The RADIUS logs will show successes and failures.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39899950
I 'think' that you don't see anything when you use the 'Show dot1x interface xxx' command because you're only able to see accounting messages, not authentications at the switch.  To see authentications you need to check the RADIUS Authentication logs in the ACS.
0
 

Author Comment

by:Rayneedssomehelp
ID: 39900638
The only commands I had on the interface was Authentication Open and Authentication host-mode multi-auth.

Does not the "Show dot1x interface xxx" command tell you if the port is enabled for the
Dot1X protocol?  Which of the commands  aformentioned will actually enable 802.1x  on
a switch interface assuming that global configs are already correct?

Ray
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39900753
show authentication session interface gi1/0/1 will show you if authentication is working on the port.

If it is you'll see something like this...

sh authent sess int g1/0/1
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0040.9668.9896
           IP Address:  Unknown
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  10
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0000000000000AAAAAAAAAAA
      Acct Session ID:  0x00000CCB
               Handle:  0x2E000FF0
0
 

Author Comment

by:Rayneedssomehelp
ID: 39901130
CRAIGBECK,

Thanks for clearing this up!  I think I was confused by the fact that apparently there are 2 different syntaxes for configuring Cisco switch interfaces for 802.1x...It depends on the IOS.
.
One starts with "Authentication" and the other starts off with "dot1x" in the syntax

I got confused because I did not know which ones to use.  I just configured as many commands as I could on the port until I got it to work and allow authentication.

Thanks again!

Ray
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question