CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

802.1x Authentication

Lab 11 

Catalyst Switch 802.1x Authentication

Lab Objective:

The objective of this lab exercise is for you to learn and understand how to enable 802.1x authentication on Cisco IOS Catalyst switches.

Lab Purpose:

802.1x is used to provide Catalyst switch access port security by authenticating users before allowing them to pass traffic through ports on Cisco IOS Catalyst switches.

Lab Difficulty:

This lab has a difficulty rating of 7/10.

Readiness Assessment:

When you are ready for your certification exam, you should complete this lab in no more than 15 minutes. 

Lab Topology:

Please use any single switch to complete this lab:

[Lab 11 topology diagram: Sw1 with a RADIUS server]

NOTE:

This lab is based on a Cisco Catalyst switch with 24-10/100 FastEthernet ports and 2-1000Mbs GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges used in this lab with those available on your switch. For example, if you only have 12-10/100 FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example.

In addition to this, the RADIUS server is not required. It is depicted here for the purposes of being thorough! RADIUS server configuration is beyond the scope of this course.

Lab 11 Configuration Tasks 

Task 1:

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following VLANs on Sw1:

VLAN Number   VLAN Name     VLAN Ports
2020          802-1X-VLAN   FastEthernet0/1 – FastEthernet0/24

In addition to this, configure interface VLAN 2020 on Sw1 and assign it the IP address 192.168.1.1/24. Verify your configuration.

Task 2:

Configure user catalyst with a password of security on Sw1. This user should have Level 15 access privileges on the switch. Configure a secret password on Sw1 of security.

Task 3:

Configure authentication on Sw1 so that all users are authenticated against the local database. In addition to this, enable-mode access should use the enable secret for authentication.

Task 4:

Configure 802.1x authentication on ports FastEthernet0/1 – 24 on Sw1. 802.1x authentication will be performed by a RADIUS server with the IP address 192.168.1.254. This RADIUS server should use the key (password) dot1x for authentication. Verify your configuration.

Lab 11 Configuration and Verification

Task 1:

To complete this Task, you will need to enable VTP Transparent mode so that you can configure extended range VLANs on the switch.

Switch(config)#hostname Sw1

Sw1(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.

Sw1(config)#vlan 2020

Sw1(config-vlan)#name 802-1X-VLAN

Sw1(config-vlan)#exit

Sw1(config)#interface range fastethernet0/1 - 24

Sw1(config-if-range)#switchport mode access

Sw1(config-if-range)#switchport access vlan 2020

Sw1(config-if-range)#no shutdown

Sw1(config-if-range)#exit

Sw1(config)#interface vlan 1

Sw1(config-if)#shutdown

Sw1(config-if)#exit

Sw1(config)#interface vlan 2020

Sw1(config-if)#no shutdown

Sw1(config-if)#ip address 192.168.1.1 255.255.255.0

Sw1(config-if)#exit

Sw1(config)#exit

Sw1#

Sw1#

Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
1002 fddi-default                     active
1003 trcrf-default                    active
1004 fddinet-default                  active
1005 trbrf-default                    active
2020 802-1X-VLAN                      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
Sw1#

Sw1#show interface vlan 2020
Vlan2020 is up, line protocol is up
  Hardware is CPU Interface, address is 000d.bd06.4100 (bia 000d.bd06.4100)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
----[Truncated Output]----

NOTE: Keep in mind that if none of the ports in VLAN 2020 are up, interface VLAN 2020 will show a down/down status. This is normal behavior.

Task 2:

To successfully complete this Task, keep in mind that switches have 16 VTY lines.

Sw1(config)#username catalyst privilege 15 secret security

Sw1(config)#enable secret security

Sw1(config)#exit

Sw1#

Task 3:

Sw1(config)#aaa new-model

Sw1(config)#aaa authentication login default local

Sw1(config)#aaa authentication enable default enable

Sw1(config)#line vty 0 15

Sw1(config-line)#login authentication default

Sw1(config-line)#exit

Sw1(config)#exit

Sw1#

Task 4:

Keep in mind that because there is no actual RADIUS server and any hosts you may have connected to your switch are not configured for 802.1x authentication, we will not see any authenticated host information on the switch.

Sw1(config)#aaa authentication dot1x default group radius

Sw1(config)#aaa authorization network default group radius

Sw1(config)#radius-server host 192.168.1.254 key dot1x

Sw1(config)#interface range fastethernet0/1 - 24

Sw1(config-if-range)#dot1x port-control auto

Sw1(config-if-range)#exit

Sw1(config)#exit

Sw1#

Sw1#show dot1x interface fastethernet0/1
802.1X is enabled on FastEthernet0/1

Status                Unauthorized
Port-control          Auto
Supplicant            Not set
Multiple Hosts        Disallowed
Current Identifier    0

Authenticator State Machine
State               INITIALIZE
Reauth Count        0

Backend State Machine
State               INITIALIZE
Request Count       0
Identifier (Server) 0

Reauthentication State Machine
State               INITIALIZE
Sw1#

Sw1#show dot1x statistics interface fastethernet 0/1

FastEthernet0/1

Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP
    Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError
    0         0         0         0         0         0         0

    Last      Last
    EAPOLVer  EAPOLSrc
    0         0000.0000.0000

Tx: EAPOL     EAP       EAP
    Total     Req/Id    Req/Oth
    2         0         0

Lab 11 Configurations

Sw1 Configuration

Sw1#show running-config
Building configuration...

Current configuration : 3956 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Sw1

!

no logging console

aaa new-model

aaa authentication login default local

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization network default group radius

enable secret 5 $1$3Dc3$/wfLheMTalRMjokszyF8K/

!

username catalyst privilege 15 secret 5 $1$r5Rt$WSspCtMNiorq8cx65fGqi0

ip subnet-zero

vtp domain CISCO

vtp mode transparent

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

!

vlan 2020

name 802-1X-VLAN

!

interface FastEthernet0/1

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/2

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/3

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/4

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/5

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/6

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/7

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/8

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/9

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/10

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/11

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/12

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/13

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/14

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/15

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/16

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/17

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/18

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/19

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/20

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/21

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/22

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/23

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface FastEthernet0/24

switchport access vlan 2020

switchport mode access

no ip address

dot1x port-control auto

!

interface GigabitEthernet0/1

no ip address

!

interface GigabitEthernet0/2

no ip address

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan2020

ip address 192.168.1.1 255.255.255.0

no ip route-cache

!

ip http server

!

radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key dot1x

radius-server retransmit 3

!

line con 0

line vty 5 15

!

end
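As an added verification aid (example code written for this page, not part of the lab or the course material), the following Python script audits an IOS running-config for the Task 3 and Task 4 settings: the global AAA/RADIUS lines and dot1x port-control auto on every access port. The config excerpt it runs on is constructed from the Sw1 configuration above, with FastEthernet0/3 deliberately left without 802.1x so the audit has something to report.

```python
# Constructed excerpt of this lab's Sw1 running-config: the global AAA/RADIUS
# lines plus two access ports. Fa0/3 deliberately lacks 'dot1x port-control auto'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface FastEthernet0/1
 switchport access vlan 2020
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport mode access
!
radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key dot1x
"""
# Global lines that 'dot1x port-control auto' depends on (Task 3 and Task 4).
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
)

def parse_interfaces(config):
    """Return {interface name: [stripped body lines]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' closes the stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def audit_dot1x(config):
    """Return findings: missing global lines first, then access ports not enforcing 802.1x."""
    findings = []
    present = {line.strip() for line in config.splitlines()}
    for required in REQUIRED_GLOBAL:
        if required not in present:
            findings.append(f"global: missing '{required}'")
    if not any(line.startswith("radius-server host ") for line in present):
        findings.append("global: no radius-server host configured")
    for name, body in parse_interfaces(config).items():
        if "switchport mode access" in body and "dot1x port-control auto" not in body:
            findings.append(f"{name}: access port without 'dot1x port-control auto'")
    return findings
```

Feed it the output of show running-config from your own switch; an empty list means every access port is under 802.1x control and the AAA/RADIUS prerequisites are in place.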

Copyright Reality Press Ltd . / Paul Browning
