Home The 802.1x wired lab
Post
Cancel

The 802.1x wired lab

Operation Summary

Today I tested 802.1x lab with cisco 2960 switch as Authenticator, DaloRadius as Authentication Server and Two window 7 clients as supplicant. Although EAP support different kind of authentication mechanisms, I use simple username and password authentication for lab.

Window shadow

Server Config

Radius Installtion

1
2
3
$ yum -y install freeradius freeradius-utils freeradius-mysql #installtion of free radius.
$ systemctl enable radiusd --now #mask radius service enable on boot and start the service.
$ systemctl enable firewalld --now #mask firewall service enable on boot and start the service.

Firewall Configuration

1
2
3
$ firewall-cmd --add-service=radius --permanent #firewall rule for radius service port.
$ firewall-cmd --reload #reload the firewall rules.
$ firewall-cmd --list-services --zone=public #check radius service port allowed or not.

Radius Configuration

1
$ vim /etc/raddb/clients.conf
1
2
3
4
client 192.168.0.0/24 {
    secret      = cisco
    shortname   = switch
}
1
$ vim /etc/raddb/users
1
2
3
4
5
kpps        Cleartext-Password := "Secret"
            Reply-Message = "Hello, %u"
test        Cleartext-Password := "Test"
            Reply-Message = "Hello, %u"
1
$ systemctl restart radius

If you want to see the processes more details please run radius service with debug mode.

1
2
$ systemctl stop radiusd
$ radiusd -X

Switch Configuration

Establish connection betweeen server and switch

1
2
3
4
5
6
7
8
9
switch(config)#interface vlan2
switch(config-if)#ip address 192.168.88.31 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#interface GigabitEthernet1/0/1
switch(config-if)#switchport mode access
switch(config-if)#interface GigabitEthernet1/0/2
switch(config-if)#switchport mode access
switch(config-if)#interface GigabitEthernet1/0/3
switch(config-if)#switchport mode access

AAA configuration

1
2
switch(config)#aaa new-model
switch(config)# radius-server host 192.168.88.137 auth-port 1812 acct-port 1813 key cisco

802.1x authentication and accounting configuration

1
2
3
4
5
6
7
8
9
switch(config)# aaa authentication dot1x default group radius
switch(config)#aaa accounting dot1x default start-stop group radius
switch(config)#interface GigabitEthernet1/0/2
switch(config)#authentication port-control auto
switch(config)#dot1x pae authenticator
switch(config)#interface GigabitEthernet1/0/3
switch(config)#authentication port-control auto
switch(config)#dot1x pae authenticator
switch(config)#do wr

Testing

Configure static ip address for two window clients. Configure 802.1x client authentication 1) Run > services.msc > Wired AutoConfig, right click and start the service. 2) Control Panel > Network and Sharing Center > Change adapter settings > Interface Properties > Authentication Window shadow

1
2
3
4
5
        3) Choose a network authentication method: Settings configuration was as follow ![Window shadow](/posts/20181207/step3.png){: .shadow width="1548" height="864" style="max-width: 90%" }

        4) Additional Settings was as follow was as follow ![Window shadow](/posts/20181207/step4.png){: .shadow width="1548" height="864" style="max-width: 90%" }

        5) And set username and password that were configured in radius users config file under “Save credentials”

Result

I transfer file between two client and got the result as follow. Window shadow

This post is licensed under CC BY 4.0 by the author.

SSH Gateway

The IEEE 802.1x Standard