MAC Authentication Bypass (MAB)

This topic is to discuss the following lesson:

Hi,
Is it possible to do dot1x authentication using FreeRADIUS?
Thanks

Hello Sims

Dot1x port-based authentication by definition uses an authentication server such as RADIUS. FreeRADIUS is such a server as well, so yes, it can be used for authentication of dot1x. Take a look at the following link from FreeRADIUS. It refers to the use of 802.1x for WiFi but the concept is the same.

https://wiki.freeradius.org/guide/Enterprise-WiFi#ieee-802-1x-and-radius-authentication

I hope this has been helpful!

Laz

1 Like

Hi,
I’m trying to dynamically assign a VLAN with FreeRADIUS and it’s not working. Do you guys have a tutorial to help with this?
Thanks

Hello Hilton

There’s currently no lab that includes the assignment of a VLAN using a RADIUS server. The closest thing is the following lab which uses a RADIUS server for 802.3X authentication.

However, you can find information about such a configuration at the following Cisco documentation.

I hope this has been helpful!

Laz

I was wondering if there is a how-to on deploying 802.1x Wired using certificates? I’ve been searching and looking for hours but just can’t get it to work. The MAB how-to is great and got my environment up and running very quickly. But now we also want 802.1x for Wired installations.

RADIUS Server: CentOS7 with FreeRadius;
Client: Windows 10 Pro
Switch: Catalyst 9300

  • Configured the switch as a client and FreeRADIUS as the RADIUS server; for MAB-based authentication it works flawlessly, no problems there.

But how can I get 802.1x working using certificates only (no username/password should be needed)? I basically want to plug in my workstations and have Windows try to authenticate using certificates. None of the official documentation helps and I’m lost on which settings to enable, which encryption/authentication method to use, what certs to import where, etc.

Hello Burak

The following lesson describes how you can configure 802.1x for wired connections on a Cisco switch using a RADIUS server and certificates.


Take a look and if you have any further questions, let us know!

I hope this has been helpful!

Laz

Hi,
What is Radius Change of Authorization
Thanks

Hello Sims

RADIUS Change of Authorization is, according to Cisco, a feature that:

…provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server such as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy.

You can find out more information about it at the following Cisco documentation:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html#:~:text=The%20RADIUS%20Change%20of%20Authorization,session%20after%20it%20is%20authenticated.

I hope this has been helpful!

Laz

1 Like

Multi-host mode: the switch allows multiple source MAC addresses. Only the first source MAC address is authenticated, all other source MAC addresses are automatically permitted.

Is it secure to use this?
Do we have to use the other switch’s MAC address as the permitted MAC address?

Hello Vanilson

You are correct, this is not a very secure option. The best thing to do if you have multiple source MAC addresses is to use multi-authentication host mode, where each source MAC is separately authenticated.

I’m not sure I can think of a situation where multi-host mode is useful. I’m sure it was created to accommodate some specific scenario, but I can’t think of what that could be. Even Cisco documentation recommends that you don’t use this mode, and use multi-authentication host mode instead.

I hope this has been helpful!

Laz

1 Like

Hi
What is the difference between port security and MAB?
When you use port security on a switch you can learn MAC addresses.

Thanks for you answer

regards

Arlette

Hello Veronese

Port security is a feature that can allow or disallow traffic on a specific port. This is based on the source MAC address of the frames coming into the port. Port security causes the port to react in specific ways depending upon the situation, such as shutting down the interface completely, or simply logging a frame that has a non-authorized MAC address. All of the configuration takes place on the port itself.

MAB is a feature that has more options than port security in that it can connect to an external server (such as RADIUS) to determine whether a MAC address is permitted or not. This allows centralized management for multiple ports on multiple devices. MAB is a much more scalable solution that provides many more options.

Alternatively, 802.1X is also scalable and can be managed centrally, but requires that the hosts connecting support the standard.

I hope this has been helpful!

Laz

3 Likes

Hello
I have a problem with this configuration. I installed the FreeRADIUS server and everything works. I tested with the command radtest d03745237500 d03745237500 192.168.199.2 0 test123 from another Linux host and everything was OK. However, the 2960 switch doesn’t want to work. Server and switch configuration below:

Freeradius

clients.conf
client CISCO {
  ipaddr = 0.0.0.0/0
  secret = test123
}

USERS
d03745237500 Cleartext-Password := "d03745237500"

Switch 2960

!
version 15.0
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname testrad
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication dot1x default group radius
!
aaa session-id common
system mtu routing 1500
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/8
 switchport mode access
 authentication port-control auto
 mab
!
interface Vlan1
 ip address 192.168.199.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.199.1
ip http server
ip http secure-server
!
radius server FREERADIUS
 address ipv4 192.168.199.2 auth-port 1812 acct-port 1813
 key test123
!
end

When I connect the host I get the message:

*Mar  1 00:36:46.782: %AUTHMGR-5-START: Starting 'mab' for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.199.2:1812,1813 is not responding.
*Mar  1 00:36:46.782: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.199.2:1812,1813 is being marked alive.
*Mar  1 00:36:46.782: %MAB-5-FAIL: Authentication failed for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:48.737: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
*Mar  1 00:36:49.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up

I can ping freeradius from switch.
What am I doing wrong?
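The users entry in the post above keys on the MAC address as both username and password, and the radtest call uses the 12-digit lowercase form d03745237500. The following is an added example, not code from the thread or from the lesson: it normalizes MAC addresses from the notations seen in this thread (the switch’s dotted d037.4523.7500, dash or colon separated, or bare) into that form, renders users-file lines from them, parses them back, and shows the accept/reject decision the server makes for a MAB request. It assumes the switch sends the MAB username in the bare lowercase form, which is what the radtest in the post exercises; the function names and the sample MACs are constructed.

```python
import hmac
import re

# A MAB username/password is the station MAC as 12 lowercase hex digits
# with no separators (the form used by the radtest call in the thread).
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept d037.4523.7500, D0-37-45-23-75-00, d0:37:45:23:75:00 or
    d03745237500 and return the bare lowercase form; reject anything else."""
    bare = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _HEX12.match(bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare


def users_entry(mac: str) -> str:
    """One FreeRADIUS users-file line for MAB: username and password are the MAC."""
    m = normalize_mac(mac)
    return f'{m} Cleartext-Password := "{m}"'


def render_users(macs) -> str:
    """Render a users file fragment for a list of permitted MACs."""
    return "\n".join(users_entry(m) for m in macs) + "\n"


def parse_users(text: str) -> dict:
    """Parse the minimal users-file format shown in the thread into
    {username: cleartext password}; blank lines and comments are skipped."""
    entries = {}
    pattern = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def mab_decision(entries: dict, username: str, password: str) -> str:
    """Decision for a MAB Access-Request: Access-Accept only when the username
    exists and the password matches (constant-time compare, as a server should)."""
    stored = entries.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    # Constructed sample: the MAC from the thread plus one more permitted station.
    permitted = ["d037.4523.7500", "00:11:22:33:44:55"]
    text = render_users(permitted)
    print(text, end="")
    db = parse_users(text)
    print(mab_decision(db, "d03745237500", "d03745237500"))  # Access-Accept
    print(mab_decision(db, "aabbccddeeff", "aabbccddeeff"))  # Access-Reject
```

Because the username and password are the same public value, the entry only proves that a station with that MAC asked; it does not prove which device it is, which is why the thread later moves on to per-station authentication with multi-auth and to 802.1X for hosts that support it.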

Hello Mario

There are a couple of things that come to mind when we see something like this. First of all, it’s strange that there is a RADIUS_DEAD message that’s immediately followed by a RADIUS_ALIVE message. This is usually caused by one of two things.

The first is an incorrect auth-port and/or acct-port. This post in the Cisco community forum describes this problem further. Make sure you’re using the correct ports on the switch as well as on the server.

The other possibility is that it has to do with the RADIUS response timing. If you have the requests reaching the RADIUS server too quickly, it may not have time to respond, and it is momentarily considered dead, resulting in a failed authentication attempt. You must either enable concurrency in the RADIUS server in this case, or you must adjust the Acct-Delay-Time parameter to have a low value. More info on this can be found at the following link:
http://lists.freeradius.org/pipermail/freeradius-users/2009-April/037417.html

Strictly speaking, this shouldn’t happen since you’ve configured the lab in the same way as the lesson. However, it could be some default configuration on the FreeRADIUS server that is causing the problem. Hopefully, some of the info in this post will further help you in your troubleshooting.

I hope this has been helpful!

Laz
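The diagnosis above rests on one pattern in the switch log: a RADIUS_DEAD line followed almost immediately by RADIUS_ALIVE for the same server, with the MAB session ending in the result 'server dead'. As an added example, not part of the thread or the lesson, the script below parses syslog lines in the format the 2960 printed and reports that dead/alive flap per server together with the final MAB result per client, so the symptom can be picked out of a larger log. The sample lines are constructed to mirror the quoted output (the second client and its session ID are invented), and the one-second flap window is an arbitrary threshold.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the 2960 log quoted in the thread;
# the Fa0/9 client, its session ID and the SUCCESS lines are invented.
SAMPLE_LOG = """\
*Mar  1 00:36:46.782: %AUTHMGR-5-START: Starting 'mab' for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.199.2:1812,1813 is not responding.
*Mar  1 00:36:46.782: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.199.2:1812,1813 is being marked alive.
*Mar  1 00:36:46.782: %MAB-5-FAIL: Authentication failed for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:36:46.782: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (d037.4523.7500) on Interface Fa0/8 AuditSessionID C0A8C703000000230021AC14
*Mar  1 00:40:12.105: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Fa0/9 AuditSessionID C0A8C703000000240021AC15
*Mar  1 00:40:12.201: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/9 AuditSessionID C0A8C703000000240021AC15
*Mar  1 00:40:12.203: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0011.2233.4455) on Interface Fa0/9 AuditSessionID C0A8C703000000240021AC15
"""

# "*Mar  1 00:36:46.782: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client \(([0-9a-f.]+)\) on Interface (\S+)")
SERVER_RE = re.compile(r"RADIUS server (\S+)")
RESULT_RE = re.compile(r"Authentication result '([^']+)'")


def parse_line(line: str):
    """Split one syslog line into timestamp, facility, mnemonic and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the padded day ("Mar  1") so strptime accepts it; year is irrelevant here.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
    return {"ts": ts, "facility": m["facility"], "mnemonic": m["mnemonic"], "msg": m["msg"]}


def triage(log_text: str, flap_window: float = 1.0):
    """Return (findings, per_client): findings lists DEAD->ALIVE flaps inside
    flap_window seconds; per_client maps MAC -> interface and last MAB result."""
    findings = []
    per_client = {}
    last_dead = {}  # server -> timestamp of its most recent RADIUS_DEAD
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["facility"] == "RADIUS":
            sm = SERVER_RE.search(ev["msg"])
            if sm:
                srv = sm.group(1)
                if ev["mnemonic"] == "RADIUS_DEAD":
                    last_dead[srv] = ev["ts"]
                elif ev["mnemonic"] == "RADIUS_ALIVE" and srv in last_dead:
                    gap = (ev["ts"] - last_dead.pop(srv)).total_seconds()
                    if gap <= flap_window:
                        findings.append(
                            f"{srv}: DEAD->ALIVE within {gap:.3f}s; the switch reaches the host "
                            "but gets no RADIUS reply (check auth/acct ports, shared secret, host firewall)"
                        )
        cm = CLIENT_RE.search(ev["msg"])
        if cm:
            mac, intf = cm.groups()
            rec = per_client.setdefault(mac, {"interface": intf, "result": None})
            rm = RESULT_RE.search(ev["msg"])
            if rm:
                rec["result"] = rm.group(1)
    return findings, per_client


if __name__ == "__main__":
    found, clients = triage(SAMPLE_LOG)
    for f in found:
        print("FINDING:", f)
    for mac, rec in clients.items():
        print(f"{mac} on {rec['interface']}: {rec['result']}")
```

Run over the sample it reports one flap for 192.168.199.2 and shows the Fa0/8 client ending in 'server dead' while the Fa0/9 client succeeds; on a real log the flap finding is the cue to look at the server side (ports, secret, host firewall, as the follow-up post in this thread confirms) rather than at the users file.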

Hello Lazaros,

Thank you for your response. The problem was the firewall on the FreeRADIUS server. Now I have a problem with multi-auth.

1 Like

Hi,
I configured FreeRADIUS and the switch with these instructions and I have a problem with enabling multi-auth authorization. When I configure the interface I have only 2 multi modes:

s1(config)#interface fastEthernet0/24
s1(config-if)#authentication host-mode multi-auth
                                       ^
% Invalid input detected at ‘^’ marker.
rad2(config-if)#authentication host-mode multi-?
multi-domain multi-host

Why do I have only 2 multi modes available?
multi-domain multi-host

cisco 2960-24tc-s firmware c2960-lanlitek9-mz.150-2

Hello Mario

According to this Cisco Documentation for your IOS version and platform, it says this about multi-auth:

To use this feature, the switch must be running the LAN Base image. Multi-auth host mode is not supported in LAN Lite image.

I hope this has been helpful!

Laz