AAA Configuration on Cisco Switch

Can you use FreeRadius for Cisco catalyst switch port based authentication?

Hello Gordon

Yes, you can use FreeRADIUS for Cisco Catalyst switch port-based authentication. FreeRADIUS supports a wide range of authentication protocols including 802.1X, which is used for port-based Network Access Control (PNAC). If you do try it out, let us know how you get along…

I hope this has been helpful!

Laz

@ReneMolenaar ,
In my workplace we are using VLAN 10 for all wired connections, including laptops and IP voice handsets. But the existing voice handsets are coming to their end of life, and the below requirements need to be fulfilled prior to migrating to our new IP phones.
1. Assign a dedicated VLAN for voice (e.g. VLAN 20) with new subnets across the estate.
Now all the access ports in the switches are configured with dot1x, and the old phones use Cisco ISE signed certificates.
All the new IP phones will be using ISE signed certificates as well, hence do we need to change/update the Cisco ISE dot1x policy to support this new VLAN?
Looking at the dot1x protocol, it’s a layer 2 protocol, and as long as we are using ISE signed certificates it will authenticate the MAC address regardless of the VLAN or subnet.
The existing ports have dot1x with the below config:

int gixxxx
switchport mode access
switchport access vlan 10

The new configs will be (these ports will also have dot1x configs):

int Gigxxxx
switchport mode access
switchport access vlan 10
switchport voice vlan 20

Will I need to change the dot1x policy in Cisco ISE to support this?
I would appreciate your advice on this.

cham

Hello Indika

Based on your description, it seems like you are on the right track. The dot1x authentication is indeed a layer 2 protocol and it’s primarily concerned with the device’s MAC address, not the VLAN it’s on. Therefore, you should not need to make changes to your dot1x policy in Cisco ISE when you introduce the new VLAN for your voice devices.

Your new configuration also looks correct. By specifying ‘switchport voice vlan 20’, you are telling the switch to use VLAN 20 for all voice traffic, while data traffic continues to use VLAN 10.

I hope this has been helpful!

Laz
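As an added example (not code from the thread, nor from Cisco or ISE), the Python below parses interface stanzas in the style Indika posted and checks each access port for the 802.1X-related commands a dot1x port carries (authentication port-control auto, dot1x pae authenticator) alongside its data and voice VLAN, and reports the host-mode, defaulting to single-host when the command is absent, which is the IOS default. The sample config, its interface names and the extra dot1x lines are constructed for the example; only VLAN 10 and VLAN 20 come from the thread.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the thread): the first two
# stanzas mirror the "existing" and "new" port configs discussed above, with the
# dot1x commands such ports normally carry; the third is a port on which nobody
# enabled 802.1X. Interface names are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
"""

# Commands every 802.1X-enforced access port is expected to carry.
REQUIRED = {
    "switchport mode access": "not configured as an access port",
    "authentication port-control auto": "port-control not 'auto', so 802.1X is not enforced",
    "dot1x pae authenticator": "switch is not acting as the 802.1X authenticator",
}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces


def audit_port(lines: List[str], expect_voice: bool = True) -> dict:
    """Check one port's sub-commands; 'findings' is empty when the port is consistent."""
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in lines]
    data_vlan = next((l.split()[-1] for l in lines if re.match(r"switchport access vlan \d+$", l)), None)
    voice_vlan = next((l.split()[-1] for l in lines if re.match(r"switchport voice vlan \d+$", l)), None)
    if data_vlan is None:
        findings.append("no data VLAN configured")
    if expect_voice and voice_vlan is None:
        findings.append("voice VLAN missing")
    # IOS uses single-host mode when no host-mode command is present
    host_mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode ")), "single-host")
    return {"data_vlan": data_vlan, "voice_vlan": voice_vlan, "host_mode": host_mode, "findings": findings}


def audit_config(config: str, expect_voice: bool = True) -> Dict[str, dict]:
    """Audit every interface stanza in the config text."""
    return {name: audit_port(lines, expect_voice) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{name}: data={result['data_vlan']} voice={result['voice_vlan']} "
              f"host-mode={result['host_mode']} -> {status}")
```

Run it against the output of `show running-config` to find ports that received the voice VLAN but never had 802.1X enforcement turned on, which is the kind of port a migration like this tends to leave behind.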

@lagapidis
Thanks very much for your reply.
Finally, I would also like to clarify the below.
For all the data points, we will be connecting either a laptop or an IP phone on its own (not connecting the laptop to the back of the IP phone).

If we have the above setup, we need to have the authentication mode multi-auth command syntax, isn’t it?
Also, some documents mention that we need to set up dynamic VLAN so that Cisco ISE will assign the correct VLAN depending on voice or data. Is this required?

Please advise.

Appreciate your feedback…

Hello Indika

The authentication mode multi-auth feature is used when multiple devices authenticate on the same port. This includes situations where you use the voice VLAN feature of the switch, where you connect a PC or laptop to the phone’s switch port, and the phone in turn connects to the switch.

However, in your situation, where you connect each device (PC/Laptop/Phone) to a single switchport, you don’t need that command. For more information about it, take a look at this Cisco documentation:

As for dynamic VLAN assignment, it’s not a requirement but it’s a good practice. This is especially true if you have a large network and you want to automate the process of assigning VLANs based on the type of device. Cisco ISE can indeed assign the correct VLAN depending on whether it’s a voice or data device. This can help you manage your network more efficiently by segregating voice and data traffic, and also by applying different security policies for different types of devices.

I hope this has been helpful!

Laz
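Laz describes ISE assigning the correct VLAN depending on whether the device is voice or data; concretely, the switch acts on the RADIUS attributes carried in the Access-Accept. The block below is an added example, not code from the thread, from ISE or from FreeRADIUS: it encodes the standard attribute set Cisco switches use for dynamic VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID, per RFC 2868), adds the Cisco AV pair device-traffic-class=voice that IOS expects before it authorizes a session into the voice VLAN, and decodes the result the way a switch would, rejecting malformed attribute lengths. VLAN 10 and 20 are the thread's values; the function names are mine.

```python
import struct
from typing import Dict, List, Tuple

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
VOICE_AVPAIR = "device-traffic-class=voice"


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _tagged_str(attr_type: int, text: str, tag: int = 1) -> bytes:
    """RFC 2868 tagged string: 1-byte tag followed by the string."""
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


def _cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying a Cisco (vendor 9) cisco-avpair (vendor type 1)."""
    data = text.encode("ascii")
    return _avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data)


def vlan_authorization(vlan_id: int, voice: bool = False) -> bytes:
    """Attributes a RADIUS server returns in Access-Accept to place the session in vlan_id.
    For a phone, the Cisco AV pair marks the session as the port's voice domain."""
    attrs = [
        _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802),
        _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ]
    if voice:
        attrs.append(_cisco_avpair(VOICE_AVPAIR))
    return b"".join(attrs)


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a sequence of TLV attributes, rejecting truncated or zero-length ones."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def summarize(blob: bytes) -> Dict[str, object]:
    """What the switch would act on: the VLAN to assign and whether it is a voice session."""
    info: Dict[str, object] = {"vlan": None, "voice": False}
    for attr_type, value in decode_attributes(blob):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # the leading tag byte is only a tag when it is <= 0x1F (RFC 2868 section 3.6)
            group = value[1:] if value and value[0] <= 0x1F else value
            info["vlan"] = group.decode("ascii")
        elif attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if value[4] == CISCO_AVPAIR and value[6:] == VOICE_AVPAIR.encode("ascii"):
                info["voice"] = True
    return info


if __name__ == "__main__":
    for label, blob in (("laptop", vlan_authorization(10)), ("phone", vlan_authorization(20, voice=True))):
        print(label, blob.hex(), summarize(blob))
```

The same three Tunnel-* attributes are what you would put in a FreeRADIUS `users` entry or an ISE authorization profile for the data VLAN; the voice profile additionally needs the Cisco AV pair, otherwise the phone authenticates but is not granted the voice VLAN.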

@lagapidis
Thanks Laz and appreciate your feedback.
