AAA Configuration on Cisco Switch

In this lesson we will take a look at how to configure a Cisco Catalyst switch to use AAA and 802.1X for port-based authentication. If you have no idea what AAA (Authentication, Authorization and Accounting) or 802.1X are about, you should look at my AAA and 802.1X Introduction first. Having said that, let’s look at the configuration. I will use the following topology:

[Topology image: AAA with a Cisco switch and an Elektron RADIUS server]

I will show you an example of 802.1X with a RADIUS server. I am going to use Elektron RADIUS server as the authentication server because it’s easy to install and has a nice GUI.

RADIUS Server Configuration

Elektron Radius Wizard

Using a RADIUS server like Elektron saves you the hassle of installing Windows Server, configuring Active Directory and ticking many checkboxes, or messing around with FreeRADIUS on Linux. When you configure a RADIUS server you will need to create a shared password (the RADIUS shared secret that the switch must also be configured with):

Elektron Radius Server

I’m going to use “radiuspass” to keep things simple. Hit Next and you will see this:

Elektron Digital Certificate

There are different methods for authentication, for example:

  • Only username and password.
  • Username, password and a digital certificate on the server.
  • Username, password, digital certificate on the server AND on the clients.

In a production network you might already have a certificate authority. I don’t care about certificates for this demonstration, but we’ll generate them anyway in case you want to play with them in the future. The next steps let you configure a name for your RADIUS server and, if you chose the digital certificate, you will get some questions about it. Once you are done you will be in the main screen of Elektron:

Elektron Main Screen

By default everything should work out of the box so we don’t have to touch anything. Let’s start and add a user account:

Elektron Accounts

I want to create a new user account. Click on Authentication, then Elektron Accounts, and then on the big green plus symbol in the menu.

Elektron Add User Account

My new user account will be for Alice. Her password will be “safe” and she doesn’t need to be a member of any groups. Click on OK.

Elektron Authentication Domains

By default Elektron will check Windows usernames instead of its own database. We need to configure it so the local database is used. Click on “Authentication Domains” and then on “Default Authentication Domain”.

Elektron Accounts Authentication

Change it to “Elektron Accounts” and click on OK. That’s all you have to do on the Elektron RADIUS server; we’ll look at the switch now!

Switch Configuration

First I need to make sure SW1 and the Elektron RADIUS server can reach each other. We’ll use the management interface (VLAN 1) and configure an IP address on it:

SW1(config)#interface vlan 1
SW1(config-if)#ip address

Now we should enable AAA:

SW1(config)#aaa new-model

This is an important command: aaa new-model unlocks all the other AAA commands that we need. Let’s configure the RADIUS server:
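The RADIUS server definition and 802.1X port configuration the lesson is heading towards, as an added example rather than the lesson's own configuration. The addresses 192.168.1.1 (SW1) and 192.168.1.100 (Elektron), the interface FastEthernet0/1 and the UDP ports 1812/1813 are assumptions; the shared secret "radiuspass" and the user Alice with password "safe" come from the text above.

```cisco
! --- Added example, not the lesson's own configuration ---
! Management reachability (addresses assumed; the topology image has the real ones)
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
!
aaa new-model
! Define the Elektron RADIUS server. The key must match the shared password
! entered in the Elektron wizard ("radiuspass"). Ports 1812/1813 are assumed.
radius server ELEKTRON
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key radiuspass
!
! Send 802.1X authentications to RADIUS. No "local" fallback here on purpose:
! an 802.1X supplicant cannot be checked against the switch's local user database.
aaa authentication dot1x default group radius
! Needed if Elektron returns authorization attributes (e.g. a VLAN assignment)
aaa authorization network default group radius
! Turn 802.1X on globally; without this the interface commands do nothing
dot1x system-auth-control
!
! Port facing the client. "auto" keeps the port unauthorized until the supplicant
! succeeds; the default "force-authorized" never challenges anyone.
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
end
! Verification from privileged EXEC:
! test aaa group radius alice safe new-code     <- checks reachability, key and account
! show authentication sessions interface FastEthernet0/1
! show dot1x interface FastEthernet0/1 details
```

If the test command reports a reject rather than a timeout, the switch and Elektron are talking and the key matches; the problem is then the account or the authentication domain setting from the previous section.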

We're Sorry, Full Content Access is for Members Only...

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hello,

    Can we change the timeout period when 802.1X fails? For example, the client tries connecting with 802.1X but fails due to invalid credentials and request timeout. There is a fallback mechanism to MAC authentication, but the default timeout period is 30 seconds. Is there a way we can change this time period on a Cisco access switch in order to provide faster fallback?

    Thank you
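The timers behind that 30-second figure, as an added example that is not part of the question or of any reply on this page. It assumes 802.1X with MAC Authentication Bypass (MAB) as the fallback on an interface FastEthernet0/2.

```cisco
! --- Added example, not from this thread. Interface name is assumed. ---
interface FastEthernet0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
 ! Try 802.1X first, then fall back to MAC Authentication Bypass
 authentication order dot1x mab
 authentication priority dot1x mab
 ! On an Access-Reject (bad credentials) move to the next method instead of
 ! leaving the port in the held state
 authentication event fail action next-method
 ! tx-period     = seconds between EAP-Request/Identity retransmits (default 30)
 ! max-reauth-req = retries after the first request (default 2)
 ! Time until MAB starts when no supplicant answers = tx-period * (max-reauth-req + 1)
 !   defaults: 30 * 3 = 90 s;  with the values below: 10 * 3 = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Which method is active and why:
! show authentication sessions interface FastEthernet0/2 details
```

Lowering tx-period too far makes slow supplicants (PXE, sleepy laptops) fall through to MAB before they answer, so check the session details after changing it.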

  2. First off, if I post this in the wrong place let me know and I will move the question to a better forum area.

    I am studying AAA Authentication. I keep hearing it stressed to be aware that it’s best practice to put “local” on the end of your lines in case your TACACS+ server or RADIUS server goes down.

    For example I setup switch and AAA Server and PC in Boson Simulator to play with and test:

    username brian password brian
    aaa new-model
    aaa authentication login auth group tacacs+ local
    tacacs-server host 
    line con 0
    line aux 0
    line vty 0 4

    I cr

    ... Continue reading in our forum

  3. Hi Brian,

    Good to hear you figured it out. The output of your Boson simulator was indeed that it was unable to connect, so this didn’t have anything to do with your AAA configuration :slight_smile: Boson is nice to practice commands, but it’s only a simulator so you can’t really test things.

    If you don’t add anything to your VTY line(s) then it will use the default AAA group. If you want to use RADIUS / TACACS+ authentication for some things but not for your VTY lines, then you can also create a second group and use that for the VTY lines. Something like this:

    ... Continue reading in our forum
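What a second, named method list for the VTY lines looks like in practice, as an added example that is not from the reply above or from the original poster's configuration. The TACACS+ server address 192.168.1.200 and the two secrets are placeholders.

```cisco
! --- Added example, not from this thread. 192.168.1.200 and <...> are placeholders. ---
aaa new-model
! Local account, only consulted when no TACACS+ server answers.
! "secret" stores a hash; "password" stores a reversible or plain value.
username brian privilege 15 secret <local-secret>
tacacs server TAC1
 address ipv4 192.168.1.200
 key <tacacs-secret>
!
! Default list: ask TACACS+, fall back to the local database ONLY when every
! TACACS+ server is unreachable. A reject from the server is final; "local"
! does not let a user bypass a server that said no.
aaa authentication login default group tacacs+ local
! Second, named list for the VTY lines that never touches TACACS+
aaa authentication login VTY-LOCAL local
!
line con 0
 login authentication default
line vty 0 4
 login authentication VTY-LOCAL
!
! Confirm which list each line uses and whether the server is reachable:
! show running-config | section ^line
! show aaa servers
```

Keep a console session open while testing this: a typo in the list name on the VTY lines locks you out of remote access, and the console still uses the default list.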

  4. Hi Elia,

    It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:

    The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.

    EAP-TLS allows you to use client certificates which is very safe, but does take time to setup (you need a client c

    ... Continue reading in our forum

  5. Oh I saw the earlier post. My bad… :frowning:
