Cisco – Configuring a RADIUS server for 802.1x over a Cisco Switch


I am trying to set up RADIUS authentication over a Cisco switch and I have gone through every tutorial they have.

I am able to get the RADIUS server to authenticate when I access the CLI of the Cisco switch, but I am not sure which setting to change on the switch in order for the RADIUS server to require authentication over the fastEthernet interfaces. I have tried configuring the fastEthernet interfaces for the authentication as well, to no avail. If anyone could give me a pointer on which config item to change in the switch in order to get this to work, that would be great.

I am trying to implement 802.1x network access control rather than AAA switch administration. I already have the AAA up and running (I think) because it will consult with the RADIUS server for me to authenticate me for the enable and config privileges.

I am running it over a Cisco IE 3000, and the RADIUS server is a FreeRADIUS server on 192.168.1.17 with auth-port 1812 and acct-port 1813. Thank you so much for any and all help.

Best Answer

I have recently set up RADIUS authentication on a Cisco wireless access point.

Here are the configuration commands (I had to anonymize hostname, SSID name and IP address):

*******-sw#conf  t
Enter configuration commands, one per line.  End with CNTL/Z.
*******-sw(config)#dot11 ssid ***
*******-sw(config-ssid)#authentication open eap eap_methods
*******-sw(config-ssid)#authentication key-management wpa
*******-sw(config-ssid)#exit
*******-sw(config)#interface dot11Radio 1
*******-sw(config-if)#ssid ***
*******-sw(config-if)#encryption mode ciphers aes-ccm
*******-sw(config-if)#broadcast-key change 600
*******-sw(config-if)#exit
*******-sw(config)#dot1x timeout reauth-period server
*******-sw(config)#radius-server host ***.***.***.*** auth-port 1812 key *******************************
*******-sw(config)#aaa new-model
*******-sw(config)#aaa group server radius rad_eap
*******-sw(config-sg-radius)#server ***.***.***.*** auth-port 1812
*******-sw(config-if)#end
*******-sw#write memory 
Building configuration...
[OK]

On a switch, you need to apply the authentication settings to an Ethernet interface (something like interface GigabitEthernet 0 instead of dot11 ssid wfm) instead of the SSID.

I haven't done it on a wired network switch before, so the commands might differ from my AP; see the IOS guide. I hope it helps anyway.

EDIT:

If you want to configure RADIUS accounting on the switch as well, add acct-port 1813 to the radius-server host and server commands.
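
Added example (not part of the original answer and not the poster's configuration): a wired 802.1X port setup for the switch in the question, using the RADIUS server address and ports given there. The interface name `FastEthernet1/1` and the `<shared-secret>` placeholder are assumptions; substitute the real access port and the secret configured for this switch in the FreeRADIUS `clients.conf`.

```cisco
! AAA must be enabled before any dot1x method list can be defined
aaa new-model
!
! Method list used for 802.1X port authentication. This is separate from the
! "aaa authentication login" / "enable" lists that protect CLI access, which is
! why CLI logins can work through RADIUS while the ports still admit everyone.
aaa authentication dot1x default group radius
!
! Optional: accept RADIUS-supplied authorization such as a dynamic VLAN
aaa authorization network default group radius
!
! Optional: send session start/stop records to the accounting port
aaa accounting dot1x default start-stop group radius
!
! RADIUS server from the question (placeholder key, replace before use)
radius-server host 192.168.1.17 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Global switch for 802.1X; per-port settings are ignored without it
dot1x system-auth-control
!
! Assumed access port facing the supplicant
interface FastEthernet1/1
 ! 802.1X needs a static access port, not a dynamically negotiated one
 switchport mode access
 ! Act as the 802.1X authenticator on this port
 dot1x pae authenticator
 ! Keep the port unauthorized until RADIUS returns Access-Accept.
 ! Older 12.2 images use "dot1x port-control auto" for the same setting.
 authentication port-control auto
 ! Bring the edge port up quickly so EAPOL is not delayed by spanning tree
 spanning-tree portfast
end
```

`show dot1x all` then shows whether 802.1X is enabled globally and on which ports. Leave the uplink toward the RADIUS server without port control so the switch can always reach 192.168.1.17.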
