11/16/2016 CCNP switching : AAAdot1x Lab with explanation ~ Sysnet Notes
CCNP switching : AAAdot1x Lab with explanation
by Shabeer ibm

In computer security, AAA stands for Authentication, Authorization and Accounting:

•  Authentication: Verify the identity of the user. Who are you?
•  Authorization: What is the user allowed to do? What resources can he/she access?
•  Accounting: Used for billing and auditing.

AAA is used in a scenario where a user has to authenticate before getting access to
the network. Before authentication the user won't even get an IP address. The only
thing the user is allowed to do is send his/her credentials, which the switch forwards
to the AAA server. If the credentials are OK the port is unblocked and the user is
granted access to the network.

The IEEE 802.1X standard defines a client-server-based access control and
authentication protocol that restricts unauthorized devices from connecting to a
LAN through publicly accessible ports. The authentication server authenticates each
client connected to a switch port before making available any services offered by the
switch or the LAN.

Check out the below example


Acme is a small shipping company that has an existing enterprise network
comprised of 2 switches, DSW1 and ASW1. The topology diagram indicates their layer
2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping
personnel access to the server.

For security reasons, it is necessary to restrict access to VLAN 20 in the
following manner:
- Users connecting to ASW1's port must authenticate before they are given access
to the network.
- Authentication is to be done via a Radius server:
  - Radius server host: 172.120.39.46
  - Radius key: rad123
- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on
VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.

The Radius server and application servers will be installed at a future date. You have
been tasked with implementing the above access control as a pre-condition to
installing the servers.
You must use the available IOS switch features.

Solution


NOTE : Authentication should be implemented as close to the host device as possible,
in this case "ASW1". VLAN filtering should be implemented as close to the server
farm as possible, in this case "DSW1".

This scenario in particular mentions that there is a new VLAN 40 added to the
network; however, it does not tell you to configure anything using VLAN 40, so you
can ignore it.
Only ports on VLAN 20 are required to be secured using dot1x authentication, and
the only port configured on VLAN 20 is Fa0/1 (this is why ports Fa0/2 and Fa0/3 are
not configured with authentication).

Only the 172.120.40.0/24 network should be passed on VLAN 20, and packets from
devices in any other address range should be dropped on VLAN 20. This means that
VLAN 20 is the only VLAN on which you need to apply an access-map.

First we have to enable AAA authentication on ASW1

1. ASW1(config)#aaa new-model
2. ASW1(config)#radius-server host 172.120.39.46 key rad123
3. ASW1(config)#aaa authentication dot1x default group radius
4. ASW1(config)#dot1x system-auth-control

 Explanation

1. This is an important command. It enables AAA on the switch globally.
2. We configure ASW1 with the IP address of the RADIUS server given and the radius
key "rad123" as per the requirement. The key is a shared secret: the switch uses it
to hide the user's password inside the RADIUS request and to check that the reply
really came from that server, so in production it should be chosen as carefully as
any other password.
3. This is how we configure ASW1 to use the RADIUS server for authentication on
802.1X enabled interfaces. You can create multiple groups with RADIUS servers
if you want; here we have one RADIUS server, which is in the default group.
4. We need to use the dot1x system-auth-control command globally before 802.1X
works.

Configure Fa0/1 to use 802.1x:

1. ASW1(config)#interface fastEthernet 0/1


2. ASW1(config-if)#switchport mode access (Optional)
3. ASW1(config-if)#switchport access vlan 20 (Optional)
4. ASW1(config-if)#dot1x port-control auto
5. ASW1(config-if)#no shut
6. ASW1(config-if)#exit

On the interface level we need to use the "dot1x port-control auto" command. In
auto mode no client connected to that port will be allowed to pass user traffic until
the client has been authenticated by the authentication server; until then the
switch only accepts EAPOL frames on the port.

NOTE : Verify the configuration using "show run" and save the configuration
using "copy run start".
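The following is an added example, not code from the original lab, showing what the RADIUS key "rad123" configured above actually does on the wire between ASW1 (the NAS) and the server at 172.120.39.46. It models both sides of one RADIUS Access-Request/Access-Accept exchange: the shared secret hides the user's password in the request and signs the server's reply (the Response Authenticator), so a server that has a different key is detected. For simplicity the model carries a PAP-style User-Password attribute; a real 802.1X port carries EAP-Message attributes instead, but the secret is used the same way. The NAS address, the user name and the user database are constructed for the example.

```python
"""Added example: how the RADIUS shared secret ("key rad123" on ASW1) is used.

Assumptions (not from the original lab): PAP-style User-Password exchange, a
constructed NAS address and a constructed user database on the server side.
"""
import hashlib
import os
import struct

SECRET = b"rad123"           # shared key from the lab
SERVER_IP = "172.120.39.46"  # RADIUS server from the lab
NAS_IP = "172.120.39.1"      # assumed management address of ASW1 (constructed)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed user database on the "server" side.
USERS = {b"shipping01": b"Sh1pp1ng!"}


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with an MD5 keystream
    derived from the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; the server needs the same secret to recover it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """NAS side: Access-Request with a fresh random Request Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in NAS_IP.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet, secret):
    """Server side: recover the password with the shared secret, answer, and sign
    the answer: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if USERS.get(attrs[ATTR_USER_NAME]) == pw else ACCESS_REJECT
    body = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    return body + hashlib.md5(body + req_auth + secret).digest()


def client_verify(request, response, secret):
    """NAS side: accept the reply only if it was signed with the same secret."""
    req_auth = request[4:20]
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return response[4:20] == expected


def authenticate(username, password, secret_on_switch=SECRET, secret_on_server=SECRET):
    """Whole exchange. Returns 'accept', 'reject', or 'bad-authenticator'
    (the latter when the switch and server keys differ)."""
    req = build_access_request(7, username, password, secret_on_switch)
    resp = server_handle(req, secret_on_server)
    if not client_verify(req, resp, secret_on_switch):
        return "bad-authenticator"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(b"shipping01", b"Sh1pp1ng!"))
    print(authenticate(b"shipping01", b"Sh1pp1ng!", secret_on_server=b"wrongkey"))
```

The hiding is XOR against an MD5 keystream, which is why the RADIUS secret and the path between switch and server both matter: anyone who can see the UDP exchange and knows (or guesses) the key can recover the password. A mismatched key does not produce an error message on the wire; the switch simply discards replies whose authenticator does not verify, which is what a "RADIUS server not responding" symptom often turns out to be.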

Configuring DSW1 Switch

We need to configure a VLAN ACL here. Creating a VLAN ACL takes 3 steps:

1. Create Access-List
2. Create Access MAP
3. Applying to a VLAN

Configuring Access list

1. DSW1#conf terminal
2. DSW1(config)#ip access-list standard 10
3. DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
4. DSW1(config-std-nacl)#exit

Create Access MAP

1. DSW1(config)#vlan access-map MYMAP 1
2. DSW1(config-access-map)#match ip address 10
3. DSW1(config-access-map)#action forward
4. DSW1(config-access-map)#exit
5. DSW1(config)#vlan access-map MYMAP 2
6. DSW1(config-access-map)#action drop
7. DSW1(config-access-map)#exit

Explanation

1. "1" is sequence number 1 of the access-map named "MYMAP".
2. "10" is the access-list number used to identify the ACL.
3. This is the action that will be applied to the traffic matched by ACL "10". Here
we need to allow traffic, so we give "action forward".
4. Even though there is an implicit deny at the end of the access-map, just like a
normal ACL, we add a second sequence with no match clause and "action drop" to
make the denial of all other traffic explicit.

Apply on VLAN

1. DSW1(config)#vlan filter MYMAP vlan-list 20
2. DSW1(config)#exit

NOTE : This applies the VLAN access-map named "MYMAP" to VLAN 20 on DSW1. Verify and
save the configuration.
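To make the VACL semantics above concrete, here is an added example (not from the original post, and not Cisco code) that models what DSW1 does with the three steps: a standard ACL evaluated with a wildcard mask, access-map sequences tried in order with the implicit drop at the end, and the filter bound to VLAN 20 only. It runs a few constructed sample packets through the model, including one sourced from the RADIUS server address 172.120.39.46, which is outside 172.120.40.0/24 and is therefore dropped if it ever appears inside VLAN 20.

```python
"""Added example: a small model of the DSW1 VLAN access-map "MYMAP".

Assumptions (constructed, not from the page): the sample packets are invented;
only standard (source-address) ACLs are modelled, which is all this lab uses.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 is a /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


class StandardAcl:
    """ip access-list standard <n>: ordered entries on the source address.
    Inside a VACL only a 'permit' entry counts as a match for the sequence;
    a 'deny' entry, and the implicit deny at the end, mean 'no match'."""

    def __init__(self, entries):
        self.entries = entries  # [("permit", "172.120.40.0", "0.0.0.255"), ...]

    def matches(self, src):
        for action, net, wc in self.entries:
            if wildcard_match(src, net, wc):
                return action == "permit"
        return False


class VlanAccessMap:
    """vlan access-map NAME seq: sequences are tried in order; a sequence with no
    match clause matches everything; if no sequence matches, the packet is dropped."""

    def __init__(self, name):
        self.name = name
        self.sequences = []  # (seq, acl_or_None, action)

    def add(self, seq, action, acl=None):
        self.sequences.append((seq, acl, action))
        self.sequences.sort(key=lambda t: t[0])
        return self

    def evaluate(self, src):
        for _, acl, action in self.sequences:
            if acl is None or acl.matches(src):
                return action
        return "drop"  # implicit drop at the end of the map


class Switch:
    def __init__(self):
        self.filters = {}  # vlan -> VlanAccessMap, set by 'vlan filter ... vlan-list'

    def vlan_filter(self, amap, vlan_list):
        for vlan in vlan_list:
            self.filters[vlan] = amap

    def forward(self, vlan, src):
        """Decision for a packet with source 'src' seen in 'vlan' on this switch."""
        amap = self.filters.get(vlan)
        return "forward" if amap is None else amap.evaluate(src)


def build_dsw1():
    """The three lab steps: ACL 10, access-map MYMAP, vlan filter on VLAN 20."""
    acl10 = StandardAcl([("permit", "172.120.40.0", "0.0.0.255")])
    mymap = VlanAccessMap("MYMAP").add(1, "forward", acl10).add(2, "drop")
    dsw1 = Switch()
    dsw1.vlan_filter(mymap, [20])
    return dsw1


def run_samples():
    """Constructed sample packets: (vlan, source address) -> decision."""
    dsw1 = build_dsw1()
    samples = [
        (20, "172.120.40.17"),   # shipping host in the permitted range
        (20, "172.120.39.46"),   # the RADIUS server address, outside the range
        (20, "10.0.0.5"),        # anything else on VLAN 20
        (40, "10.0.0.5"),        # VLAN 40 has no filter applied
    ]
    return {(v, s): dsw1.forward(v, s) for v, s in samples}


if __name__ == "__main__":
    for key, decision in run_samples().items():
        print(key, "->", decision)
```

Two things the model makes visible that the CLI does not: a VACL has no direction, so it is applied to every packet bridged within or routed into VLAN 20, and it is per-VLAN, so VLAN 40 is untouched even though the same switch carries it. If a server that VLAN 20 hosts must talk to had an address outside 172.120.40.0/24, its packets on VLAN 20 would be dropped by sequence 2, so the address plan has to be checked against the filter before the servers are installed.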


8 Comments:

Rahul
August 12, 2013 at 12:22 AM

Thanks for the explanation. I am currently preparing for CCNP

REPLY

Patrick Denis
June 10, 2014 at 10:59 AM

thank you !
REPLY

Ken
June 22, 2014 at 9:43 PM

thx bro
REPLY

Paras DESAI
June 24, 2014 at 1:32 AM

What does VLAN-LIST 20 do?
REPLY

Nate Hedstrom
July 2, 2015 at 12:28 AM

It applies the access map to the vlan (in this case traffic on vlan 20 will be applied
against the access map - via entries from the access-list)
REPLY

Unknown
May 31, 2016 at 11:50 PM

Thank you, this helped a lot

REPLY

Anonymous
August 17, 2016 at 12:14 AM

You use 172.120.39.46 as a radius server, so it's not blocked by the ACL!
REPLY

Luis
August 22, 2016 at 10:55 PM

Thanks a lot!

REPLY


© 2016 Sysnet Notes