Configuring 802.1x authentication on Cisco Catalyst switches

This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1x authentication. It is assumed that a Windows 2008 Active Directory domain, Certificate Authority and NPS RADIUS is already installed.

Configuring the Switch

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host <radius-server-ip> key cisco123
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Configuring the RADIUS Server

  • Open the “Network Policy Server” MMC console
  • Click “Policies” > “Network Policies”
  • Create a new “Network Policy” with a descriptive name e.g. “dot1x Authentication Policy”. Click Next
  • “Specify Condition”, click Add and select the “Machine Groups” option, add the “Domain Computers” group. Click Next
  • “Access Granted”, ensure “Access granted” is selected. Click Next
  • “Constraints”, select “Authentication Methods”. For “EAP Types” click Add and select “Microsoft: Protected EAP (PEAP)”. Click Next

  • “Configure Constraints”, nothing to configure. Click Next
  • “Configure Settings”, under “RADIUS Attributes” > “Standard” remove “Framed-Protocol” and “Service-Type”. Click Next
  • Click Finish

Configuring a Group Policy to configure the client computers for authentication

A computer that is on a domain can have the necessary settings configured via Group Policy.

  • Open the Group Policy Management Console
  • Create a new GPO and assign to the relevant OU that contains the computers
  • Edit the properties of the new GPO and browse to Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  • Click “Wired AutoConfig” and select the tick box to “Define the policy setting”, select “Automatic”. Click OK
  • Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies
  • Create a new wired network policy called “Wired Network Policy”
  • Click “Security”
  • Ensure “Enable use of IEEE 802.1x authentication for network access” tick box is selected
  • Ensure the authentication method is “Microsoft: Protected EAP (PEAP)”
  • Ensure the authentication mode is “User or Computer authentication”
  • Click Advanced and check the two tick boxes

  • Run gpupdate /force on the client computer, and ensure the GPO is taking effect by double checking the “Authentication” tab in the Local Area Connection properties. It should state “These settings are managed by your system administrator”

Plug the computer into a port with 802.1x enabled; within a few seconds the computer should be authenticated by the RADIUS server. To confirm this, check the server’s Event Viewer > Custom Views > Server Roles > Network Policy and Access Services. A successful authentication is logged as Event ID 6278.
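Rather than browsing Event Viewer by hand, the same check can be scripted. The following PowerShell is an added example, not part of the original post: run in an elevated session on the NPS server, it lists the Event ID 6278 (access granted) entries from the last 24 hours and pulls the account, RADIUS client and matched network policy out of each message. It assumes an English-language NPS message body, since the field labels are matched by text.

```powershell
# Added example (not from the original post): summarise successful 802.1x
# authentications that NPS recorded as Event ID 6278 in the Security log.
# Assumes an elevated PowerShell session on the NPS server and English
# event message labels.
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

# NPS writes its authentication audit events to the Security log.
# SilentlyContinue suppresses the "No events were found" error when the
# filter matches nothing, so $events is simply $null in that case.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6278
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 6278 (access granted) entries in the last $Hours hour(s)."
    return
}

# Helper: return the value that follows a given label in the message body,
# or an empty string if the label is absent.
function Get-Field([string]$Message, [string]$Label) {
    if ($Message -match "$Label\s*:\s*(.+)") { return $Matches[1].Trim() }
    return ''
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Account       = Get-Field $e.Message 'Account Name'
        RadiusClient  = Get-Field $e.Message 'Client Friendly Name'
        ClientIP      = Get-Field $e.Message 'Client IP Address'
        NetworkPolicy = Get-Field $e.Message 'Network Policy Name'
        EapType       = Get-Field $e.Message 'EAP Type'
    }
}

# Newest first; a quick way to confirm the expected switch and policy
# ("dot1x Authentication Policy" from the steps above) are the ones matched.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

If a freshly plugged-in computer does not appear here, the Security log on the same server also holds the corresponding denied-access events, which are the first place to look for a policy mismatch.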
