Lab 11
Catalyst Switch 802.1x Authentication
Lab Objective:
The objective of this lab exercise is for you to learn and understand how enable 802.1x authentication on Cisco IOS Catalyst switches.
Lab Purpose:
802.1x is used to provide Catalyst switch access port security by authenticating users before allowing them to pass traffic through ports on Cisco IOS Catalyst switches.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use any single switch to complete this lab:
| NOTE:
This lab is based on a Cisco Catalyst switch with 24-10/100 FastEthernet ports and 2-1000Mbs GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12-10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.
In addition to this, the RADIUS server is not required. It is depicted here for the purposes of being thorough! RADIUS server configuration is beyond the scope of this course. |
Lab 11 Configuration Tasks
Task 1:
Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following VLANs on Sw1:
| VLAN Number | VLAN Name | VLAN Ports |
| 2020 | 802-1X-VLAN | FastEthernet0/1 – FastEthernet0/24 |
In addition to this, configure interface VLAN 2020 on Sw1 and assign the interface and IP address of 192.168.1.1/24. Verify your configuration.
Task 2:
Configure user catalyst with a password of security on Sw1. This user should have Level 15 access privileges on the switch. Configure a secret password on Sw1 of security.
Task 3:
Configure Authentication on Sw1 so that all users are authenticated against the local database. In addition to this, enable access should use the enable secret for authentication.
Task 4:
Configure 802.1x authentication on ports FastEthernet0/1 – 24 on Sw1. 802.1x authentication will be performed by a RADUIS server with the IP address 192.168.1.254. This RADIUS server should use the password dot1x for authentication. Verify your configuration.
Lab 11 Configuration and Verification
Task 1:
To complete this Task, you will need to enable VTP Transparent mode so that you can configure extended range VLANs on the switch.
| Switch(config)#hostname Sw1
Sw1(config)#vtp mode transparent Setting device to VTP TRANSPARENT mode. Sw1(config)#vlan 2020 Sw1(config-vlan)#name 802-1X-VLAN Sw1(config-vlan)#exit Sw1(config)#interface range fastethernet0/1 – 24 Sw1(config-if-range)#switchport mode access Sw1(config-if-range)#switchport access vlan 2020 Sw1(config-if-range)#no shutdown Sw1(config-if-range)#exit Sw1(config)#interface vlan 1 Sw1(config-if)#shutdown Sw1(config-if)#exit Sw1(config)#interface vlan 2020 Sw1(config-if)#no shutdown Sw1(config-if)#ip address 192.168.1.1 255.255.255.0 Sw1(config-if)#exit Sw1(config)#exit Sw1# Sw1# Sw1#show vlan brief
VLAN Name Status Ports —- ——————————– ——— ——————————- 1 default active Gi0/1, Gi0/2 1002 fddi-default active 1003 trcrf-default active 1004 fddinet-default active 1005 trbrf-default active 2020 802-1X-VLAN active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/21, Fa0/22, Fa0/23, Fa0/24 Sw1# Sw1#show interface vlan 2020 Vlan2020 is up, line protocol is up Hardware is CPU Interface, address is 000d.bd06.4100 (bia 000d.bd06.4100) Internet address is 192.168.1.1/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set —-[Truncated Output]—-
NOTE: Keep in mind that if you have no active ports in VLAN2020 that are up, interface VLAN2020 will show a down/down status. This is normal behavior. |
Task 2:
To successfully complete this Task, keep in mind that switches have 16 VTY lines.
| Sw1(config)#username catalyst privilege 15 secret security
Sw1(config)#enable secret security Sw1(config)#exit Sw1# |
Task 3:
| Sw1(config)#aaa new-model
Sw1(config)#aaa authentication login default local Sw1(config)#aaa authentication enable default enable Sw1(config)#line vty 0 15 Sw1(config-line)#login authentication default Sw1(config-line)#exit Sw1(config)#exit Sw1# |
Task 4:
Keep in mind that because there is no actual RADIUS server and any hosts you may have connected to your switch are not configured for 802.1x authentication, we will not see any authenticated host information on the switch.
| Sw1(config)#aaa authentication dot1x default group radius
Sw1(config)#aaa authorization network default group radius Sw1(config)#radius-server host 192.168.1.254 key dot1x Sw1(config)#interface range fastethernet0/1 – 24 Sw1(config-if-range)#dot1x port-control auto Sw1(config-if-range)#exit Sw1(config)#exit Sw1# Sw1#show dot1x interface fastethernet0/1 802.1X is enabled on FastEthernet0/1 Status Unauthorized Port-control Auto Supplicant Not set Multiple Hosts Disallowed Current Identifier 0
Authenticator State Machine State INITIALIZE Reauth Count 0
Backend State Machine State INITIALIZE Request Count 0 Identifier (Server) 0
Reauthentication State Machine State INITIALIZE Sw1# Sw1# Sw1#show dot1x statistics interface fastethernet 0/1
FastEthernet0/1
Rx: EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp/Id Resp/Oth LenError 0 0 0 0 0 0 0
Last Last EAPOLVer EAPOLSrc 0 0000.0000.0000
Tx: EAPOL EAP EAP Total Req/Id Req/Oth 2 0 0 |
Lab 11 Configurations
Sw1 Configuration
| Sw1#show running-config
Building configuration…
Current configuration : 3956 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Sw1 ! no logging console aaa new-model aaa authentication login default local aaa authentication enable default enable aaa authentication dot1x default group radius aaa authorization network default group radius enable secret 5 $1$3Dc3$/wfLheMTalRMjokszyF8K/ ! username catalyst privilege 15 secret 5 $1$r5Rt$WSspCtMNiorq8cx65fGqi0 ip subnet-zero vtp domain CISCO vtp mode transparent ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! ! vlan 2020 name 802-1X-VLAN ! interface FastEthernet0/1 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/2 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/3 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/4 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/5 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/6 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/7 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/8 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/9 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/10 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/11 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/12 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/13 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/14 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/15 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/16 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/17 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/18 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/19 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/20 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/21 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/22 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/23 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface FastEthernet0/24 switchport access vlan 2020 switchport mode access no ip address dot1x port-control auto ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/2 no ip address ! interface Vlan1 no ip address no ip route-cache shutdown ! interface Vlan2020 ip address 192.168.1.1 255.255.255.0 no ip route-cache ! ip http server ! radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key dot1x radius-server retransmit 3 ! line con 0 line vty 5 15 ! end |
