What is the best resource for steps to implement 802.1x on ICX7450 and SmartZone WLAN
10-15-2019 05:38 AM
Goal --> implement 802.1x configuration on ICX Switches/WLAN to support 802.1x Authentication for SmartZone WLAN users.
Currently, users are directed to WebAuth Page where login credentials are Authenticated by RADIUS.
Need to ensure proper configurations are applied and VLANs are available on ICXs/WLAN for initial login and Authenticated user connections
10-15-2019 10:41 AM
Have you already configured 802.1x with vlan assignment on your WLAN? Or are you trying to figure out how to set this up across your entire environment?
10-15-2019 12:59 PM
1 - I have not yet applied 802.1x vlans - everything is still in default vlan...
2 - Yes. Hoping to find info on necessary ICX configuration for 802.1x and VLANs AND the applicable configuration for SmartZone WLAN config
10-15-2019 10:46 AM
Never got 802.1x to work, though it is probably the Microsoft NPS that is the problem.
I have actual RADIUS login working like a champ.
Here was more or less my test configuration, so you can start where I left off about a year ago if it is of any help. If you get it to work, please let us know.
ver 08.0.80caT211
!
stack unit 1
module 1 icx7150-c12-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-2-sfp-plus-port-20g-module
!
!
no global-stp
!
vlan 1 name DEFAULT-VLAN by port
no untagged ethe 1/1/2 to 1/1/12
no spanning-tree
!
vlan 123 name Data by port
tagged ethe 1/2/2 ethe 1/3/1 to 1/3/2
untagged ethe 1/1/1 ethe 1/2/1
no spanning-tree
!
vlan 401 name voice by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/1/4 to 1/1/12 ethe 1/2/1 to 1/2/2 ethe 1/3/1 to 1/3/2
no spanning-tree
!
!
vlan 666 name Restricted-Data by port
no spanning-tree
!
!
authentication
auth-default-vlan 123
restricted-vlan 666
dot1x enable
dot1x enable ethe 1/1/2 to 1/1/12
dot1x port-control auto ethe 1/1/2 to 1/1/12
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default local
aaa authentication login privilege-mode
console timeout 30
enable aaa console
hostname TESTSW02
ip address 10.1.13.15 255.255.255.0
ip dns domain-list test.testdomain.state.us
ip dns server-address 10.1.5.40 10.1.5.41
no ip dhcp-client auto-update enable
no ip dhcp-client enable
ip default-gateway 10.1.13.1
!
logging host 10.1.2.3
logging console
logging persistence
mirror-port ethernet 1/1/1
!
no telnet server
username testwan password .....
radius-server host 10.1.120.221 auth-port 1812 acct-port 1813 default key 2 $b24zbw== dot1x
cdp run
fdp run
snmp-server contact Network Operations Center
snmp-server host 10.1.2.3 version v3 priv testwan
snmp-server group testv3 v3 priv access 99 read all write all
snmp-server user testwan testv3 v3 access 99 encrypted auth sha 6974065afb9f99927806e01c6ae2175104870138 priv encrypted aes 6974065bfb9f99927806e01c6ae21751
!
!
clock summer-time
clock timezone us Eastern
!
!
ntp
server 10.220.1.1
!
!
web access-group 99
no web-management http
web-management https
banner motd ^C
------------------------------------------------------------------------^C
^C
Temporary Infrastructure Test Switch^C
^C
This system is solely for the use of authorized test personnel.^C
The information contained herein is the property of test and subject to^C
non-disclosure, security, and confidentiality requirements.^C
test will monitor system usage for unauthorized activities.^C
Any user accessing this system expressly consents to such monitoring.^C
^C
Asset xxxxxxxx^C
^C
------------------------------------------------------------------------^C
^C
!
ssh access-group 99
!
interface ethernet 1/1/1
trust dscp
!
interface ethernet 1/1/2
trust dscp
!
interface ethernet 1/1/3
trust dscp
!
interface ethernet 1/1/4
trust dscp
!
interface ethernet 1/1/5
trust dscp
!
interface ethernet 1/1/6
trust dscp
!
interface ethernet 1/1/7
trust dscp
!
interface ethernet 1/1/8
trust dscp
!
interface ethernet 1/1/9
trust dscp
!
interface ethernet 1/1/10
trust dscp
!
interface ethernet 1/1/11
trust dscp
!
interface ethernet 1/1/12
trust dscp
!
interface ethernet 1/2/1
mon ethernet 1/1/1 both
trust dscp
!
interface ethernet 1/2/2
trust dscp
!
interface ethernet 1/3/1
speed-duplex 1000-full
trust dscp
!
interface ethernet 1/3/2
speed-duplex 1000-full
trust dscp
!
!
!
ip access-list standard 99
sequence 10 permit host 10.1.4.5
sequence 20 permit host 10.6.7.8
sequence 30 permit host 10.9.10.11
!
sflow destination 10.1.2.3 2055
!
lldp run
!
!
ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
ip ssh scp disable
ip ssh encryption disable-aes-cbc
!
end
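As an added example (not from this thread or from Ruckus), the Python script below audits a flat ICX config excerpt of the kind posted above: it confirms that auth-default-vlan and restricted-vlan refer to VLANs the config actually defines, that every port with dot1x enabled also has dot1x port-control auto, and it lists each dot1x port's static VLAN membership so the data/voice VLAN plan can be compared with what RADIUS is expected to assign. The excerpt it runs on is constructed from the posted config (VLAN and authentication sections only); port naming is assumed to be the unit/slot/port form shown there.

```python
import re
from collections import defaultdict
# Constructed excerpt (VLAN and authentication sections) of the switch configuration
# posted above; the audit itself is an added example, not a Ruckus/ICX feature.
SAMPLE_CONFIG = """\
vlan 123 name Data by port
!
vlan 401 name voice by port
tagged ethe 1/1/1 to 1/1/2 ethe 1/1/4 to 1/1/12 ethe 1/2/1 to 1/2/2 ethe 1/3/1 to 1/3/2
!
vlan 666 name Restricted-Data by port
!
authentication
auth-default-vlan 123
restricted-vlan 666
dot1x enable ethe 1/1/2 to 1/1/12
dot1x port-control auto ethe 1/1/2 to 1/1/12
!
"""
PORT_RE = re.compile(r"ethe\s+(\d+/\d+/\d+)(?:\s+to\s+(\d+/\d+/\d+))?")

def expand_ports(text):
    """Expand 'ethe 1/1/2 to 1/1/12 ethe 1/2/1' into a set of 'unit/slot/port' strings."""
    ports = set()
    for start, end in PORT_RE.findall(text):
        unit, slot, first = (int(x) for x in start.split("/"))
        last = int(end.split("/")[2]) if end else first
        ports.update(f"{unit}/{slot}/{p}" for p in range(first, last + 1))
    return ports

def audit(config):
    """Return (findings, membership); membership maps each dot1x port to its static (vlan, tagging) entries."""
    vlans, members, auth, dot1x, auto, block = set(), defaultdict(set), {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"vlan (\d+)", line):
            block = int(m.group(1)); vlans.add(block)
        elif line in ("authentication", "!"):
            block = "auth" if line == "authentication" else None
        # 'no untagged ...' lines are skipped: default-VLAN membership is implicit anyway.
        elif isinstance(block, int) and (m := re.match(r"(un)?tagged (.*)", line)):
            for p in expand_ports(m.group(2)):
                members[p].add((block, (m.group(1) or "") + "tagged"))
        elif block == "auth":
            if m := re.match(r"(auth-default-vlan|restricted-vlan) (\d+)", line):
                auth[m.group(1)] = int(m.group(2))
            elif m := re.match(r"dot1x (enable|port-control auto) ethe", line):
                (dot1x if m.group(1) == "enable" else auto).update(expand_ports(line))
    findings = [f"{k} {v} is not a VLAN defined in this config" for k, v in auth.items() if v not in vlans]
    findings += [f"{p}: dot1x enabled without port-control auto" for p in sorted(dot1x - auto)]
    return findings, {p: sorted(members[p]) for p in sorted(dot1x)}
```

The same audit() can be pointed at a full running-config capture; lines outside vlan and authentication blocks are ignored, so on the posted config it reports port 1/1/3 as having no static VLAN membership while its neighbours are tagged in the voice VLAN.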
10-15-2019 12:55 PM
Thanks for input and providing your example. If progress is made, I will reciprocate.

