The purpose of this blog post is to document the steps required to configure Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate the users and computers onto the AD domain.… Continue reading Configuring Wired 802.1x/MAB Authentication with Cisco ISE
Introduction
The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs. The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72
Configure VLANs
Create VLANs, define IP address and IP helper-address VLAN… Continue reading Configuring Dynamic VLAN assignment on ProCurve switches
802.1x is an open standards protocol, used for network clients on a user ID basis. This post describes how to configure 802.1x on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server. Open VLAN mode will be used; this involves creating an “Authorized” and “Un-Authorized” VLAN. Using Open VLAN temporarily… Continue reading Configuring 802.1x authentication on ProCurve Switches
This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1x authentication. It is assumed that a Windows 2008 Active Directory domain, Certificate Authority and NPS RADIUS are already installed.
Configuring the Switch
Switch# configure terminal
Switch(config)# aaa new-model
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch(config)# aaa authentication dot1x default… Continue reading Configuring 802.1x authentication on Cisco Catalyst switches
This post provides step-by-step commands to configure a Cisco Catalyst switch to authenticate administrator users against a Windows 2008 R2 NPS RADIUS server.
Configuring the Switch
The first step is configuring the switch to use RADIUS authentication.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS
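A small check of the switch side of this setup, added here as an example and not part of the original post: it parses a saved configuration and reports a short RADIUS shared secret, a login method list without local fallback, and vty ranges that have no named list or point at an undefined one. The sample configuration, the "line vty 5 15" range, the audit_aaa function and the 16-character threshold are assumptions made for the example.

```python
import re

# Constructed sample: this post's switch commands as they would appear in a
# saved configuration, plus a second vty range the post does not configure.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AAA_RADIUS group radius local
radius-server host 192.168.20.20 key cisco123
line vty 0 4
 login authentication AAA_RADIUS
line vty 5 15
"""
MIN_KEY_LEN = 16  # assumed local policy threshold, not a Cisco or NPS limit

def audit_aaa(config):
    """Return a list of findings for the RADIUS login setup in `config`."""
    findings, lists, vty, current = [], {}, {}, None
    lines = config.splitlines()
    if "aaa new-model" not in [l.strip() for l in lines]:
        findings.append("aaa new-model missing")
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:  # method list name -> ordered methods
            lists[m.group(1)] = m.group(2).split()
        # Only clear-text keys match; "key 7 ..." (obfuscated) is skipped.
        m = re.match(r"radius-server host (\S+).* key (\S+)$", line)
        if m and len(m.group(2)) < MIN_KEY_LEN:
            findings.append(f"{m.group(1)}: shared secret shorter than {MIN_KEY_LEN}")
        if line.startswith("line "):  # entering a line block
            current = line.strip() if line.startswith("line vty") else None
            if current:
                vty[current] = None
        elif current and line.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", line)
            if m:
                vty[current] = m.group(1)
        elif not line.startswith(" "):
            current = None
    for name, methods in lists.items():
        if methods[-1] != "local":
            findings.append(f"{name}: no local fallback if RADIUS is unreachable")
    for block, name in vty.items():
        if name is None:
            findings.append(f"{block}: no named list, 'default' applies")
        elif name not in lists:
            findings.append(f"{block}: list {name} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_aaa(SAMPLE_CONFIG)))
```

The finding text never includes the shared secret itself, so the output can be pasted into a ticket or report.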
Configuring the Windows RADIUS Server
Assuming NPS is already installed and configured correctly, we need to define a RADIUS client and create a Network Policy.
- Open the NPS console and select “RADIUS Clients”
- Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
- Once completed click OK
- Select “Policies” > “Network Policies”
- Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leave “Type of network access server” as UNSPECIFIED
- Add a “Condition” of “Windows Groups”, choose a suitable domain group e.g. “NetAdmins”. Add more conditions if required.
- “Specify Access Permission” as “Granted”
- “Configure Authentication Methods”, untick all pre-selected methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP, SPAP)”. Click Next
- “Configure Constraints”, nothing to configure. Click Next
- “Configure Settings”, select “Standard” and remove “Framed-Protocol” and “Service Type”
- Add a new attribute of “Service Type” and a value of “Login”
- “Configure Settings”, select “Vendor Specific”
- Click “Add”, select “Cisco” from the drop down box
- Click “Add” and click “Add” again