Can you use FreeRadius for Cisco catalyst switch port based authentication?
Hello Gordon
Yes, you can use FreeRADIUS for Cisco Catalyst switch port-based authentication. FreeRADIUS supports a wide range of authentication protocols including 802.1X, which is used for port-based Network Access Control (PNAC). If you do try it out, let us know how you get along…
I hope this has been helpful!
Laz
@ReneMolenaar ,
In my workplace we are using VLAN 10 for all wired connections, including laptops and IP voice handsets. But the existing voice handsets are coming to their end of life, and the below requirement needs to be fulfilled prior to migrating to our new IP phones:
1. Assign a dedicated VLAN for voice (e.g. VLAN 20) with new subnets across the estate.
Now all the access ports in the switches are configured with dot1x, and the old phones are using Cisco ISE signed certificates.
All the new IP phones will be using ISE signed certificates as well, hence do we need to change/update the Cisco ISE dot1x policy to support this new VLAN?
Looking at the dot1x protocol, it's a layer 2 protocol and, as long as we are using ISE signed certificates, it will authenticate the MAC address regardless of the VLAN or subnet.
The existing ports have dot1x with the below config:
int gixxxx
switchport mode access
switchport access vlan 10
The new configs will be (these ports will also have the dot1x configs):
int Gigxxxx
switchport mode access
switchport access vlan 10
switchport voice vlan 20
Will I need to change the dot1x policy in Cisco ISE to support this?
Appreciate your advice on this.
cham
Hello Indika
Based on your description, it seems like you are on the right track. The dot1x authentication is indeed a layer 2 protocol and it's primarily concerned with the device's MAC address, not the VLAN it's on. Therefore, you should not need to make changes to your dot1x policy in Cisco ISE when you introduce the new VLAN for your voice devices.
Your new configuration also looks correct. By specifying "switchport voice vlan 20", you are telling the switch to use VLAN 20 for all voice traffic, while data traffic continues to use VLAN 10.
I hope this has been helpful!
Laz
@lagapidis
Thanks very much for your reply.
Finally, I would also like to clarify the below.
For all the data points, we will be connecting either a laptop or an IP phone on its own (not connecting the laptop to the back of the IP phone).
If we have the above setup, we need to have the authentication mode multi-auth command syntax, isn't it?
Also, some documents mention that we need to set up dynamic VLAN so that Cisco ISE will assign the correct VLAN depending on whether it is voice or data. Is this required?
Please advise.
Appreciate your feedback…
Hello Indika
The authentication mode multi-auth feature is used when multiple devices authenticate on the same port. This includes situations where you use the voice VLAN feature of the switch, where you connect a PC or laptop to the phone's switch port, and the phone in turn connects to the switch.
However, in your situation, where you connect each device (PC/laptop/phone) to a single switchport, you don't need that command. For more information about it, take a look at this Cisco documentation:
As for dynamic VLAN assignment, it's not a requirement but it's a good practice. This is especially true if you have a large network and you want to automate the process of assigning VLANs based on the type of device. Cisco ISE can indeed assign the correct VLAN depending on whether it's a voice or data device. This can help you manage your network more efficiently by segregating voice and data traffic, and also by applying different security policies for different types of devices.
I hope this has been helpful!
Laz
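Added example (not part of any post in this thread, and not Cisco's or the NetworkLessons team's configuration): the first question above asked about FreeRADIUS, and the last answer describes dynamic VLAN assignment on ISE. The two FreeRADIUS fragments below show what that assignment looks like on the RADIUS side for the data/voice split discussed here: a laptop is placed in data VLAN 10, a phone is marked as a voice device for voice VLAN 20, and anything else that authenticates lands in a quarantine VLAN. The switch address, the shared secret and the certificate identities are constructed placeholders; the VLAN IDs are the ones from the thread.

```conf
# --- clients.conf (hypothetical entry for the Catalyst access switch) ---
# The switch is the RADIUS client (NAS). Address and secret are placeholders.
client catalyst-access-sw1 {
    ipaddr = 192.0.2.10                       # constructed management address
    secret = REPLACE-WITH-SHARED-SECRET
    require_message_authenticator = yes       # reject requests without Message-Authenticator
}

# --- mods-config/files/authorize (the "users" file) ---
# Entries match on User-Name; for EAP-TLS that is the identity the supplicant
# presents (here the certificate CN, constructed names). The indented,
# comma-separated reply items go into the Access-Accept and drive the switch's
# VLAN decision. Processing stops at the first matching entry.

# A laptop: the three Tunnel-* attributes are the standard (RFC 3580)
# dynamic VLAN assignment; the VLAN can be given by ID or by name.
"laptop01.example.internal"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# An IP phone: the Cisco VSA device-traffic-class=voice tells the switch the
# session belongs to the voice domain. The Tunnel-* values here simply agree
# with the port's "switchport voice vlan 20".
"SEP001122334455.example.internal"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Cisco-AVPair = "device-traffic-class=voice"

# Catch-all: a certificate that validates but matches no entry above is put in
# a quarantine VLAN (constructed ID) rather than silently getting data access.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "999"
```

The DEFAULT entry is the part worth copying even if the rest is replaced by ISE policy: without it, a device whose certificate chains to the trusted CA but is otherwise unknown is accepted onto whatever VLAN the port is statically configured for.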
@lagapidis
Thanks Laz and appreciate your feedback.