Issue Description
Hello everyone,
I want to present a quite interesting scenario that you might find helpful at some point.
What if we want to use 802.1x authentication with a RADIUS server to authenticate
several users on a single interface?
Oh yes, this is not that hard, because we can configure 802.1x based on MAC address
and authenticate all users of the interface.
But what if we want to authenticate just some of the users on the interface and let the others access
our network without any restrictions, because they are our really good friends? How can
we do this on our switches?
Solution
To explain the proposed solution I will take as reference the picture below:
As you can see, the computer and the phone are both connected to the same interface, so what can we do?
First we have to configure the interface as hybrid so that it accepts both tagged and untagged
packets. We also have to enable the voice VLAN function on the interface and
configure the VLAN in question.
After this we remember that the device can manage users through domains. In this case
we configure two domains: one for users that need RADIUS authentication, which we
will name radius4you, and one for users that won't need authentication, which we
will call noauth4phone.
For this, in the AAA view we create the two domains just specified and assign
a RADIUS authentication scheme to one and no authentication to the lucky one.
After we configure the interface, create the domains and the RADIUS server template
(check the HedEx documentation), we enable and configure dot1x authentication in the system
and interface views.
As a result, the switch authenticates the computer against the RADIUS server according to
the configured radius4you domain.
Since we don't want to authenticate the phone, we trick the switch with the
dot1x mac-bypass command. With this command, when the switch tries
to authenticate the phone and the dot1x authentication fails, the switch falls back to
using the MAC address of the phone for authentication. Since we created a MAC authentication
domain where no authentication is required, when the dot1x authentication fails,
the devices whose MAC address matches the one specified in the mac-authen domain are admitted
without being authenticated at all.
The configuration example:
System view:
#
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone
//Specifies the OUI address of voice packets that can be transmitted in the voice VLAN
#
#
domain radius4you
#
dot1x enable //enables dot1x in system view
dot1x timer reauthenticate-period 100 //sets the re-authentication interval for 802.1x authentication
mac-authen enable // enables MAC address authentication
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff //configures an authentication domain for MAC address authentication users
#
AAA view:
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authentication-scheme noauth
authentication-mode none
accounting-scheme default
accounting start-fail online
domain default
domain default_admin
domain radius4you
authentication-scheme radius
radius-server acs
domain noauth4phone // creates the noauth4phone domain in AAA view
authentication-scheme noauth // applies the noauth authentication-scheme to the noauth4phone domain
The interface view:
#
interface Ethernet5/0/20
voice-vlan 184 enable // enables VLAN 184 as the voice VLAN on the interface
voice-vlan mode manual
voice-vlan legacy enable //enables CDP-compatible Voice VLAN function
port hybrid pvid vlan 183
port hybrid tagged vlan 184
port hybrid untagged vlan 183
stp disable
bpdu bridge enable
dot1x mac-bypass //Once 802.1x authentication fails, the device uses the MAC address for authentication
#
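As an added example (not from the post or from Huawei), a short Python audit that reads a configuration like the one above and lists every mac-authen rule whose domain uses authentication-mode none, together with the ports where dot1x mac-bypass makes that path reachable, since any device presenting such a MAC is admitted without credentials and these rules deserve periodic review. The sample text is constructed from the post's own configuration, and the parser assumes only the command syntax shown here.

```python
# Audit a VRP config for MAC rules that land in a no-authentication domain.
import re
# Constructed sample: the post's configuration, reduced to the relevant lines.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme noauth
  authentication-mode none
 domain radius4you
  authentication-scheme radius
 domain noauth4phone
  authentication-scheme noauth
#
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff
interface Ethernet5/0/20
 dot1x mac-bypass
"""

def parse_config(text):
    """Return (scheme->mode, domain->scheme, mac rules, mac-bypass ports)."""
    schemes, domains, mac_rules, bypass_ports = {}, {}, [], []
    scheme = domain = iface = None  # current context while walking the lines
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # block separator: leave the current context
            scheme = domain = iface = None
        elif m := re.match(r"authentication-scheme (\S+)$", line):
            if domain: domains[domain] = m[1]   # applied inside a domain
            else: scheme = m[1]                 # top-level scheme definition
        elif (m := re.match(r"authentication-mode (\S+)$", line)) and scheme:
            schemes[scheme] = m[1]
        elif m := re.match(r"domain (\S+)$", line):
            domain = m[1]
        elif m := re.match(r"mac-authen domain (\S+) mac-address (\S+) mask (\S+)$", line):
            mac_rules.append((m[1], m[2], m[3]))
        elif m := re.match(r"interface (\S+)$", line):
            iface = m[1]
        elif line == "dot1x mac-bypass" and iface:
            bypass_ports.append(iface)
    return schemes, domains, mac_rules, bypass_ports

def unauthenticated_mac_rules(text):
    """Every MAC rule whose domain uses authentication-mode none."""
    schemes, domains, mac_rules, bypass_ports = parse_config(text)
    return [{"domain": dom, "mac": mac, "mask": mask,
             "single_mac": mask.lower() == "ffff-ffff-ffff",  # full mask: one MAC only
             "bypass_ports": bypass_ports}
            for dom, mac, mask in mac_rules
            if schemes.get(domains.get(dom, ""), "") == "none"]
```

A mask shorter than ffff-ffff-ffff widens the rule to a whole address range, so the single_mac flag is the first thing to check in each finding.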
I hope this example is helpful if you want to configure this scenario in the future. Thank you.