Can you use FreeRadius for Cisco catalyst switch port based authentication?
Hello Gordon
Yes, you can use FreeRADIUS for Cisco Catalyst switch port-based authentication. FreeRADIUS supports a wide range of authentication protocols including 802.1X, which is used for port-based Network Access Control (PNAC). If you do try it out, let us know how you get along…
I hope this has been helpful!
Laz
@ReneMolenaar ,
In my workplace we are using VLAN 10 for all wired connections, including laptops and IP voice handsets. But the existing voice handsets are coming to their end of life, and the below requirements need to be fulfilled prior to migrating to our new IP phones.
1. Assign a dedicated VLAN for voice (e.g. VLAN 20) with new subnets across the estate.
Now all the access ports in the switches are configured with dot1x, and the old phones are using Cisco ISE signed certificates.
All the new IP phones will be using ISE signed certificates as well, hence do we need to change/update the Cisco ISE dot1x policy to support this new VLAN?
Looking at the dot1x protocol, it's a layer 2 protocol, and as long as we are using ISE signed certificates it will authenticate the MAC address regardless of the VLAN or subnet.
The existing ports have dot1x with the below config:
int gixxxx
switchport mode access
switchport access vlan 10
The new configs will be (these ports will also have dot1x configs):
int Gigxxxx
switchport mode access
switchport access vlan 10
switchport voice vlan 20
Will I need to change the dot1x policy in Cisco ISE to support this?
Appreciate your advice on this.
cham
Hello Indika
Based on your description, it seems like you are on the right track. The dot1x authentication is indeed a layer 2 protocol and it's primarily concerned with the device's MAC address, not the VLAN it's on. Therefore, you should not need to make changes to your dot1x policy in Cisco ISE when you introduce the new VLAN for your voice devices.
Your new configuration also looks correct. By specifying "switchport voice vlan 20", you are telling the switch to use VLAN 20 for all voice traffic, while data traffic continues to use VLAN 10.
I hope this has been helpful!
Laz
@lagapidis
Thanks very much for your reply.
Finally, I would also like to clarify the below.
For all the data points, we will be connecting either a laptop or an IP phone on its own (not connecting the laptop to the back of the IP phone).
If we are having the above setup, we need to have the authentication mode multi-auth command syntax, isn't it?
Also, some documents mention that we need to set up dynamic VLAN so that Cisco ISE will assign the correct VLAN depending on voice or data. Is this required?
Please advise.
Appreciate your feedback…
Hello Indika
The authentication mode multi-auth feature is used when multiple devices authenticate on the same port. This includes situations where you use the voice VLAN feature of the switch, where you connect a PC or laptop to the phone's switch port, and the phone in turn connects to the switch.
However, in your situation, where you connect each device (PC/Laptop/Phone) to a single switchport, you don't need that command. For more information about it, take a look at this Cisco documentation:
As for dynamic VLAN assignment, it's not a requirement but it's a good practice. This is especially true if you have a large network and you want to automate the process of assigning VLANs based on the type of device. Cisco ISE can indeed assign the correct VLAN depending on whether it's a voice or data device. This can help you manage your network more efficiently by segregating voice and data traffic, and also by applying different security policies for different types of devices.
I hope this has been helpful!
Laz
@lagapidis
Thanks Laz and appreciate your feedback.
Do you have a configuration doc and packet captures to understand the dot1x failover to MAB?
So basically we have dot1x configured on every access port, and if dot1x fails, it will fail over to MAB… What I want to understand is what triggers the failover, and do we have timers that need to time out in order to fail over?
Please advise
Hello Indika
The failover is triggered by an 802.1X timeout. The 802.1X timeout follows the rules according to this Cisco document, which includes a detailed flowchart of the fallback mechanisms:
Similarly, you can check out this document about MAB and the way in which it functions in the event of an 802.1X timeout.
The timeout period and retry attempts of 802.1X are governed by the following two commands:
dot1x timeout tx-period
dot1x max-reauth-req
You can find out more about their default values and under what circumstances the 802.1X authentication times out at the following section of the Cisco documentation:
I hope this has been helpful!
Laz
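As an added example, not taken from Laz's replies or from the Cisco documents referenced in this thread, the following Catalyst IOS configuration ties together the two points discussed above: an access port with a separate data and voice VLAN and 802.1X enabled, and the timers that decide when a port with no supplicant falls back to MAB. The RADIUS server address, the shared-secret placeholder, the interface name and the timer values are assumptions chosen for illustration.

```cisco
! Added example (not from this thread or a Cisco document). Assumed values:
! RADIUS server 192.0.2.10, shared-secret placeholder, interface Gi1/0/1.
aaa new-model
aaa authentication dot1x default group radius
! Needed only if ISE pushes a dynamic VLAN or ACL in the Access-Accept
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
! Enable 802.1X globally; without this the per-port settings are inert
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Phones are placed in VLAN 20 via CDP/LLDP; laptops stay in VLAN 10
 switchport voice vlan 20
 ! Try 802.1X first; if the supplicant never answers, fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Also move on to MAB when 802.1X fails outright (not only on timeout)
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! Fallback timing: the switch sends EAP-Request/Identity, waits tx-period
 ! seconds, and retransmits it max-reauth-req times before giving up.
 ! Time until MAB starts = tx-period x (max-reauth-req + 1)
 !   defaults: 30 s x (2 + 1) = 90 s
 !   values below: 10 s x (2 + 1) = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Once a device is plugged in, show authentication sessions interface GigabitEthernet1/0/1 reports which method (dot1x or mab) authorized the session, and show dot1x interface GigabitEthernet1/0/1 details shows the configured timers. Lowering tx-period shortens the wait for MAB-only devices such as printers, but a supplicant that boots slowly may then miss the EAP-Request/Identity exchanges and end up authenticated by MAB instead of 802.1X, so the ISE authorization policy for MAB-authenticated endpoints should grant less than a certificate-authenticated session would, since MAB only trusts a MAC address.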
Thanks @lagapidis for your feedback.