On Thu, Jul 19, 2012 at 10:20 AM, alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
>> radius-server dead-criteria time 30 tries 3
>> radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
>> radius-server retransmit 6
>> radius-server timeout 10
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>>
>>
>> interface GigabitEthernet0/13
>>  switchport mode access
>>  authentication event server alive action reinitialize
>>  authentication open
>>  authentication order mab
>>  authentication priority mab
>>  authentication port-control auto
>>  authentication timer reauthenticate 10
>>  authentication timer inactivity 1200
>>  mab
>>  dot1x pae authenticator
>>  dot1x timeout tx-period 6
>>  spanning-tree portfast
>
> no
>
> dot1x system-auth-control
>
> ??
>
>
> I'd recommend reading the Cisco 802.1X guides - the RADIUS server is doing
> its job. The switch isn't.
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks Alan for the response and patience with me :-)

I have gone through quite a bit of dot1x guides, mainly:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845
which is relevant to my switch model and IOS image.

This is my Cisco config:

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
logging file flash:mab.txt 256000 debugging
enable password admin
!
username admin privilege 15 password 0 admin
!
!
aaa new-model
!
!
aaa group server radius test
 server 10.0.0.90 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting dot1x system start-stop group radius
aaa accounting network default start-stop group radius
!
!
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
mab request format attribute 32 vlan access-vlan
ip subnet-zero
!
ip dhcp pool dpool1
 network 10.0.0.0 255.255.255.0
!
ip dhcp pool dpool20
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
!
!
!
crypto pki trustpoint TP-self-signed-2405477248
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2405477248
 revocation-check none
 rsakeypair TP-self-signed-2405477248
!
!
crypto pki certificate chain TP-self-signed-2405477248
 certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer
dot1x system-auth-control
!
!
!
archive
 log config
  logging enable
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 switchport mode access
 authentication event server alive action reinitialize
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication timer reauthenticate 10
 authentication timer inactivity 1200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 6
 spanning-tree portfast
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.10.1 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan1
ip sla enable reaction-alerts
!
radius-server dead-criteria time 30 tries 3
radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
radius-server retransmit 6
radius-server timeout 10
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
!
end

As can be seen it does include the dot1x system-auth-control.....

I am even considering an upgrade of IOS to version 15.0 (if my switch will run it) as older IOS images tend to occasionally have issues with certain things I have found??

Regards,
Kaya
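
A way to check a full running-config for the prerequisites discussed in this thread, as an added example that is not part of the original post: it confirms the global commands a MAB port depends on (including dot1x system-auth-control, which in the posted config sits directly after the certificate chain) and flags ports that combine mab with authentication open. The required-command list, the function names and the trimmed sample are assumptions made for illustration.

```python
# Constructed sample: lines trimmed from the configuration posted above.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
crypto pki certificate chain TP-self-signed-2405477248
 certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer
dot1x system-auth-control
interface GigabitEthernet0/2
interface GigabitEthernet0/13
 authentication open
 authentication port-control auto
 mab
radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
"""

# Global commands a MAB port depends on (assumed list, matched as prefixes).
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x default",
                   "dot1x system-auth-control", "radius-server host")

def parse(config):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace():              # sub-command of the open block
            ifaces.get(current, []).append(line)  # dropped if not a port
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        else:                             # any other top-level command
            current = None
            global_lines.append(line)
    return global_lines, ifaces

def audit(config):
    """List missing global prerequisites and per-port enforcement gaps."""
    global_lines, ifaces = parse(config)
    findings = [f"global: missing '{req}'" for req in REQUIRED_GLOBAL
                if not any(g.startswith(req) for g in global_lines)]
    for name, cmds in ifaces.items():
        if "mab" not in cmds:
            continue                      # port does not use MAB
        if "authentication port-control auto" not in cmds:
            findings.append(f"{name}: missing 'authentication port-control auto'")
        if "authentication open" in cmds:
            findings.append(f"{name}: 'authentication open' permits traffic regardless of the auth result")
    return findings
```

Calling audit(SAMPLE) returns a single finding, the authentication open line on GigabitEthernet0/13; the parser relies on the one-space indentation that show running-config gives sub-commands.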