In this blog post I’m going to describe the configuration commands needed to configure dot1x authentication, as well as the home lab I built to test the basic functionalities of 802.1X port-based authentication with Cisco switches and Cisco ISE.
802.1x Authentication Configuration on Cisco Switches
Here is the Cisco switch 802.1x configuration that worked for me in my home lab.
- Line 131: activates AAA
- lines 134 – 135: defining the Radius server group
- Lines 164 – 166: defining the Radius server and the secret key.
- Line 137: enables AAA dot1x authentication using the default method list, and using the Radius server group defined above.
- Lines 142 – 150: this is the interface connected to the 802.1x supplicant. I put a generic access-list (default_acl) as a default ACL, in case the dACL feature does not work.
802.1x Port-based authentication Home lab topology
Home lab constructs
- IOS images
- one router, the image version does not matter
- one switch with IOS 15.x
- vPC, come built-in within EVE-NG
- Windows 7 Lite: check this article for all details about Windows 7 Lite for Unetlab.
- Cisco ISE 22.214.171.1246
- Vmware Workstation 12 Pro
A Note about the switch IOS image
You probably know, there’s a wish among network engineers to have an emulation tool for switches, that can emulate 100% of the switching features. In this home lab I tested with both of these IOS images:
- Cisco IOL i86bi-linux-l2-adventerprisek9-15.6
- Cisco vIOSl2-15.2
the vIOSl2 comes with more commands. But during the 802.1x port-based authentication rumblings, I spent almost all 3 days (and nights) to figure out what was not working. Story made short, I still did not manage to “manifest” the dACL feature. And I suggest you go with the IOL version.
Home lab router configuration
- DHCP server is configured on the router to serve the subnet 10.2.0.0/16, using a DHCP pool. Don’t forget the IP dhcp excluded addresses, including the switch SVI
- multiple subinterfaces, to serve as gateways for the subnets. Although I could use a layer 3 switch and make SVIs, I wanted to experiment the thing with a router too.
- the router is linked to the switch via a trunk
- the router plays the gateway for ISE. And it connects to ISE through Vmnet2 cloud. Vmnet2 maps to Pcnet 2 in EVE-NG.
Home lab switch configuration
- vlans 1, 13-15 are configured. Vlan 1 is the native VLAN. SVI 1 is used as a source interface for Radius traffic
- all configured interfaces are in access mode, except the link with the router.
- interface E0/2 is not configured with a VLAN id. That’s necessary to demonstrate the power of ISE policies and dynamic VLAN assignment.
- the switch is a 802.1x authenticator
Home lab ISE configuration
- ISE is both the 802.1x authentication database and the Radius server. ISE is configured as a Radius internal server.
- ISE’s default gateway is the lab router
Home lab Windows Lite configuration
- the Windows Lite computer is the 802.1x supplicant. Its NIC card is 802.1x enabled.
- its IP information is set to DHCP