AAA Configuration on Cisco Switch

Hey Rene, you wrote “In a production network you might already have a certificate authority within your network. I don’t care about certificates for this demonstration but we’ll generate them anyway in case you want to play with them sometime in the future.”

How do I use the digital certificates I generated, and not only username and password?

Thanks.

Hi Elia,

It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:

The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.

EAP-TLS allows you to use client certificates, which is very safe, but it does take time to set up (you need a client certificate for each user or device). I don’t have an example for AAA on a switch but I do have something for Wireless. Take a look at these examples:

I manually imported the client certificate on those devices, that’s great for a lab but a pain for production networks. There are solutions that allow you to generate and auto-enroll client certificates automatically.

Rene


Is there a serial for Elektron RADIUS software we can use?

Hello Mitchel

According to the following download site, Elektron RADIUS software is free to try for 30 days, so if you want to experiment with it, you can do so for several weeks.

I hope this has been helpful!

Laz

Thanks Laz,

After installing and setting it up, it asks for a 30-day serial key, and the site to generate one is out of business from the looks of it…

Hello Mitchell

Ah, I see. Not sure what’s happening with that. However, there is the option of Free Radius for Windows, which is FreeRADIUS software compiled for the Windows OS. I haven’t personally tried it, but if you’re willing to work out the installation procedures, it may be worth a try.

http://www.freeradius.net/index.html

I hope this has been helpful!

Laz

For your example you are using VLAN 1. For another VLAN, e.g. VLAN 10, do I just include:

SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10

SW1(config)#dot1x system-auth-control 
SW1(config)#interface fa0/1
SW1(config-if)#dot1x port-control auto

Hello Kenneth

The IP address configured on the VLAN1 interface of the switch is actually just used to communicate with the RADIUS server. It has no impact on what VLAN is configured on the port itself. You can make the switch have network connectivity with the RADIUS server via the VLAN10 SVI or the VLAN100 SVI, it doesn’t matter. As long as the switch, via any SVI, has network connectivity to the RADIUS server, the operation will function.

Once connectivity is achieved, you can then assign any VLAN to any interface you like, the system auth control will still work.

I hope this has been helpful!

Laz

Hi lagapides,

I am referring to the configuration for the interface that is connected to endpoints. In this case it is interface fa0/1. If I need VLAN 10 to be dynamically assigned to port fa0/1, is there any additional configuration needed?

Also, for the same interface fa0/1, can it be done for different computers connected to the same interface (fa0/1), where one computer gets assigned VLAN 10 while the second computer gets assigned VLAN 20?

Hello Kenneth

The AAA configuration of an interface using 802.1X does have a feature that allows the RADIUS server to send VLAN assignment information to the port in question. This feature is enabled by default and does not require any additional configuration from the point of view of the switch port itself. A switch port will keep the VLAN assignment that is found in its configuration unless an authorized VLAN is specified in the RADIUS server database.

Specific platforms and IOS versions support this feature. You can find out more about it here:

I hope this has been helpful!

Laz
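Added example, not part of the thread above and not Cisco or networklessons code: what the switch actually receives when the RADIUS server pushes a VLAN, and the checks it runs before acting on it. The server side builds an Access-Accept carrying the three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = the VLAN), and the switch side verifies the Response Authenticator and Message-Authenticator against the shared secret before deciding whether to override the port’s configured VLAN. Attribute numbers follow RFC 2865/2868/2869; the shared secret, packet identifier, Request Authenticator and tag value are constructed for the demo, and the VLAN is assumed to be sent as a numeric ID.

```python
"""Added example (not from the thread): RADIUS Access-Accept with dynamic-VLAN
attributes, built by the server and verified/parsed by the switch (NAS).
Attribute numbers per RFC 2865/2868/2869; secret, identifier, Request
Authenticator and tag are constructed values for the demo."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64               # RFC 2868, tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
ATTR_MESSAGE_AUTHENTICATOR = 80     # RFC 2869, HMAC-MD5 over the packet
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string (VLAN ID or name)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def _attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        vlan: Optional[int], tag: int = 1) -> bytes:
    """Server side: Access-Accept, with the three tunnel attributes only when a
    VLAN is to be pushed. Without them the switch keeps the port's own VLAN."""
    attrs = b""
    if vlan is not None:
        attrs += _attr(ATTR_TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        attrs += _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_802))
        attrs += _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    # Message-Authenticator = HMAC-MD5(secret) over Code+ID+Length+RequestAuth+
    # attributes, computed while this attribute's own value is all zeros.
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> List[Tuple[int, bytes, int]]:
    """Walk the TLV list; returns (type, value, offset of value). Truncated or
    zero-length attributes are rejected rather than looped on."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen], i + 2))
        i += alen
    return out


def nas_vlan_decision(packet: bytes, request_auth: bytes, secret: bytes,
                      configured_vlan: int) -> Optional[int]:
    """Switch side. Returns the VLAN to place the port in, or None when the
    reply must be discarded (wrong secret, tampering, missing integrity check)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None                      # wrong shared secret or modified reply
    try:
        parsed = parse_attributes(attrs)
    except ValueError:
        return None
    mas = [(v, off) for t, v, off in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return None                      # mandatory on EAP (802.1X) replies
    value, off = mas[0]
    zeroed = attrs[:off] + b"\x00" * 16 + attrs[off + 16:]
    calc = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(calc, value):
        return None
    by_type = {t: v for t, v, _ in parsed}
    needed = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in by_type for t in needed):
        return configured_vlan           # nothing pushed: keep the port's VLAN
    ttype, tmed, gid = (by_type[t] for t in needed)
    # A leading byte below 0x20 on the string attribute is a tag, not data.
    gid_tag, gid = (gid[0], gid[1:]) if gid and gid[0] <= 0x1F else (ttype[0], gid)
    if len(ttype) != 4 or len(tmed) != 4 or not (ttype[0] == tmed[0] == gid_tag):
        return configured_vlan           # inconsistent tags: not a VLAN assignment
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_802):
        return configured_vlan           # tunnel attributes for something else
    # IOS also accepts a VLAN name here (looked up in the VLAN database);
    # this demo only models a numeric VLAN ID.
    return int(gid) if gid.isdigit() else configured_vlan


if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))  # demo values
    reply = build_access_accept(7, req_auth, secret, vlan=10)
    print("port VLAN:", nas_vlan_decision(reply, req_auth, secret, configured_vlan=1))
```

The three-attribute check mirrors what the switch does with an Access-Accept: the port only moves off its configured VLAN when all three tunnel attributes are present, carry the same tag, and name VLAN over 802 media; a reply that fails either authenticator is dropped outright, which is why the RADIUS shared secret on the switch and the server must match and should not be a guessable string.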

Hello,
Is there an updated version of a radius server I could use so that I may follow this lab?
Regards
-Gaby

Hello Gaby

There are various options for a RADIUS server. Elektron is one of the simplest to install and use, and that is why it is depicted here. However, you can use ClearBox, TekRADIUS as well. Or if you are more experienced, you can always attempt to use FreeRadius. In any case, keep in mind that some are free, and some offer a free trial, or a free version. In any case, you can try them out to see which one fits your needs best.

I hope this has been helpful!

Laz

Hello Lagapides,
I looked for Elektron and (I may be wrong) but in the documentation it shows it only runs on Windows XP? I was trying to use the easiest install in order to follow the lab because I have never set this up myself.
Thanks
Gaby

Hi Martha

I’m not a systems guy, so I couldn’t tell you of the easiest setup/install for your operating system. However, I am under the impression that the program will run easily under windows.

< pause >

I just downloaded it and successfully installed it on my Windows 10 machine. I haven’t checked to see its actual operation, but the installation was successful.
I believe you shouldn’t have any problems, but if you try it let us know!

I hope this has been helpful!

Laz

I was unable to install Elektron as the free 30-day evaluation serial number that is referenced in the installation process is not available.


Lagapides,
Would you please share where you downloaded the Elektron server you tested?
thanks
MGO

Hello Martha

Hmm, that’s strange, I think my install procedure was different. I didn’t have to input a serial number. Could it be that it’s a different version or a different publisher? I downloaded it from here:

Try it from there and let us know.

Laz

Hello Lazaros,

Could you please explain wait-start option in the command below with an example?

Switch(config)# aaa accounting { system | exec | commands level }
{ default | list-name } { start-stop | stop-only | wait-start | none }
method1 [ method2 …]

Thanks
Fatih

Hello Fatih

According to Cisco:

The wait-start command sends both a start and a stop accounting notice to the accounting server. However, the requested user service does not begin until the start accounting notice is acknowledged. Practically, this means that the user cannot execute a CLI command or login until the user is on record. A stop accounting notice is also sent but does not need acknowledgement.

Taken from this Cisco documentation.

I hope this has been helpful!

Laz

Hello Lazaros,
I am getting prompted for a trial serial number. Where do I get it? This is for the Elektron install.
Thanks