Hi,
I’m working on setting up my switch to use 802.1x for user authentication on the switch along with port authentication for the end user/endpoints. I’m running 15.2(4) on my 2960x stack. I’ve gotten the switch user auth working but I’m struggling with the dynamic vlan port assignment. Logging says its trying to use Vlan 1 which is confusing me since in my radius server (Windows Server NPS) I’ve specified VLAN 23. Here is what I’ve configured thus far:
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/1
description IT User Port
switchport mode access
access-session host-mode multi-host
access-session port-control auto
dot1x pae authenticator
spanning-tree portfast edge
!
radius server DC1
address ipv4 10.0.3.35 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxx
!
radius server DC2
address ipv4 10.0.3.30 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxx
!
Then on my radius server I have the my switch added as a Radius Client.
I have have 2 network policies, one for Switch authentication per a security group giving level 15 access and a port auth group using the following settings, (edit: i cant add more than one image):
Conditions:
Windows group w/ NAS Port Type Ethernet
Constraints:
Microsoft: Protected EAP (PEAP) with the top 4 Less secure authentication methods checked
Settings:
Tunnel-Medium-Type - 802(includes all 802 media plus Ethernet canonical…)
Tunnel-Pvt-Group-ID - 23
Tunnel-Type - Virtual LANs (VLAN)
One last struggle is all the different ways to configure the port g1/0/1. With 15.2(4) there is allot of commands depreciated. For example Authentication is repalced with access-session. But not everything matches.
Anyways, any thoughts and feed back is appreciated.
Thanks,
Jon