Authentication server (FreeRADIUS)
# apt-get install freeradius
# cat /etc/freeradius/clients.conf
# cat /etc/freeradius/users
# cat /etc/freeradius/radiusd.conf
# mkdir /var/log/freeradius/radacct
# chown freerad:freerad /var/log/freeradius/radacct
# cat /etc/freeradius/sites-enabled/default
# /etc/init.d/freeradius stop
# freeradius -X
Authenticator/NAS (Cisco Catalyst 2960)
Switch(config)# aaa new-model
Switch(config)# radius server freeradius
Switch(config-radius-server)# address ipv4 192.168.0.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key MYSECRET
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server vsa send accounting
Switch(config)# radius-server vsa send authentication
Switch(config)# interface FastEthernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# authentication event fail retry 0 action authorize vlan 30
Switch(config-if)# authentication event no-response action authorize vlan 20
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab eap
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x timeout tx-period 1
Switch(config-if)# spanning-tree portfast
Switch(config)# ip access-list extended user1_acl
Switch(config-ext-nacl)# permit icmp any host 192.168.0.100
Switch# test aaa group radius user1 PASSWORD1 legacy
Switch# !debug dot1x
Supplicant (Windows XP)
C:\> net start "Wired Autoconfig"
NIC > Properties > Authentication
- Enable IEEE 802.1x authentication for this network
- EAP type: MD5-Challenge
References
http://en.wikipedia.org/wiki/IEEE_802.1X
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html