From: jsaxe@Crutchfield.com
Date: Sat Apr 12 2003 - 13:36:14 GMT-3
I believe you've almost got it. You've told the switch to require any device
plugged into it to authorize itself with dot1x protocol. The WinXP
workstation recognizes this requirement and prompts you, the human, for a
username/password. You type it in, and the workstation transmits this to the
switch and then crosses its little virtual fingers, waiting for the
response. But you've specifically told the switch to use the "local"
authentication model to check whether username/password combinations are
correct, which means it's looking into its own config for those "username"
statements that you normally use for starting PPP connections between
routers, etc. "local" does not mean the switch is asking the Windows
workstation to locally verify whether the user typed in a correct
username/password, because the workstation is the one that needs to prove
itself to the network -- a rogue workstation could simply lie to the switch
and say, "Yeah, my user proved himself to me, sure!"

Anyway, I believe all you need is a statement like...

username JoeBlow password Super Secret Passphrase

...and then type in this name and password on the workstation to gain entry.

Of course in a real enterprise implementation, the aaa authentication dot1x
statements of all the switches in the building would call for checking
passwords against one or more centralized RADIUS or TACACS+ servers.
-----Original Message-----
From: Raminder Sarna [mailto:raminder_sarna@yahoo.com]
Sent: Saturday, April 12, 2003 8:15 AM
To: CCIELab@groupstudy.com
Subject: dot1x authentication on 3550
I am trying a dot1x authentication on a 3550 using default/local on aaa.
Now what do I need to do on a Windows XP computer for it to work, as I keep
getting failure when I put in the username and password?
The config is as follows:
aaa new-model
aaa authentication dot1x default local
dot1x re-authentication
dot1x max-req 10
dot1x timeout re-authperiod 20
interface FastEthernet0/3
 switchport mode access
 no ip address
 dot1x port-control auto
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:51 GMT-3
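
The check the reply walks through, written as a small config audit. This is an added example, not part of the original thread: it flags a dot1x method list that says "local" while the config holds no "username" statements. The finding codes, the function name and the placeholder password are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's switch config, which has no "username"
# statements for the "local" method to check against.
POSTED = """\
aaa new-model
aaa authentication dot1x default local
dot1x re-authentication
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
"""
# Same config plus the reply's suggested local account (placeholder password).
FIXED = POSTED + "username JoeBlow password EXAMPLE-ONLY\n"


def audit_dot1x(config):
    """Return finding codes for a Cisco IOS-style config that enables 802.1X."""
    new_model, methods, users, ports, iface = False, [], set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
        elif m := re.match(r"aaa authentication dot1x default (.+)", line):
            methods = m.group(1).split()
        elif m := re.match(r"username (\S+) password \S", line):
            users.add(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)  # remember which port later lines belong to
        elif line == "dot1x port-control auto" and iface:
            ports.append(iface)

    findings = []
    if ports and not new_model:
        findings.append("NO_AAA_NEW_MODEL")
    if ports and not methods:
        findings.append("NO_DOT1X_METHOD_LIST")
    if "local" in methods and not users:
        # The failure in the thread: the switch has nothing to compare against.
        findings.append("LOCAL_METHOD_WITHOUT_USERS")
    if methods == ["local"]:
        # Works, but credentials sit in each switch's config, not a central server.
        findings.append("LOCAL_ONLY_NO_CENTRAL_SERVER")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, audit_dot1x(cfg))
```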