IEEE 802.1X (dot1x) is an authentication standard wherein a user is authenticated by an AAA server before they can gain layer 1 access to the LAN/switch. It is one of the topics covered in the CCNP Switch exam; however, Cisco only covered the switch configuration. In this lab we will try to see it in full action with clients and servers, particularly the use of FreeRadius on CentOS authenticating a Windows 7 machine.
- CentOS running FreeRadius
- Windows 7
- 2950 Switch
The point of this lab is that we just wanna see dot1x in action and what it looks like when it's trying to authenticate a user accessing our LAN.
I won’t go over how to set up FreeRadius on CentOS because I have already covered this in a previous blog:
For this lab I have username: hello and password: world
It is basically the same topology as the one I had in my freeradius blog. Make sure you can ping the switch from CentOS and vice-versa.
How do you set up your Windows 7?
Click Start > in the search box type “services.msc” > look for “Wired AutoConfig”.
Change the startup type to Automatic and click the Start button.
Click OK, then close the services.msc window.
Click on the Start button again and search for Network and Sharing Center. At the left-hand corner click the “Change adapter settings” link. Look for your network adapter > right mouse click > choose Properties > click the Authentication tab.
Click the Additional Settings… button, make sure to tick the “Specify authentication mode” radio button and choose “User authentication”.
Click OK twice and that should be it for Windows 7. Plug the PC's NIC into one of the switch's ports configured with dot1x authentication.
Let us console in to the switch and type the following commands:
aaa authentication dot1x default group radius local
! PC is connected here
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
Save your config and run “debug dot1x error”, just to monitor what errors come up in the event that authentication fails.
Windows 7 will prompt you for a username and password; in my case it asked twice. On the switch you can type “show dot1x int fa0/1” and expect to see this:
Windows 7 has been successfully authenticated by FreeRadius via dot1x. The PC now has access to LAN resources.
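A way to confirm that every access port, not just Fa0/1, is enforcing dot1x is to audit the saved running-config offline. The script below is an added example, not part of the original lab: the function names and the sample config are constructed for illustration (only the Fa0/1 stanza and the aaa line mirror the commands above), and it assumes that a port with no "dot1x port-control" line stays in the IOS default force-authorized state.

```python
import re

# Constructed sample running-config (not from the original post). Fa0/1 mirrors
# the lab port; the other interfaces are hypothetical, added for contrast.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius local
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_dot1x(config):
    """Return (aaa_method_present, {access port: port-control mode})."""
    aaa_ok = any(l.startswith("aaa authentication dot1x ") for l in config.splitlines())
    ports = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and unconfigured ports are out of scope here
        modes = [c.split()[-1] for c in cmds if c.startswith("dot1x port-control ")]
        ports[name] = modes[-1] if modes else "force-authorized"  # IOS default
    return aaa_ok, ports

def open_access_ports(config):
    """Access ports that forward traffic without 802.1X authentication."""
    return sorted(p for p, m in audit_dot1x(config)[1].items() if m == "force-authorized")
```

Calling open_access_ports() on the sample returns Fa0/2 and Fa0/3: the first was never configured for dot1x and the second was explicitly left open, so both let a device onto the LAN without touching FreeRadius.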