Re: Basic Radius Configuration on Cisco Catalyst Switch

zhir · ‎05-02-2024

Dear Community, i want to integrate DaloRadius with a switch, i have troubles authenticating. and after I set up the radius there won't be any ping between the radius server and the switch, this is what i applied on the switch:

radius-server host 11.11.11.10 auth-port 1812 acct-port 1813 key **********

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius

interface range fa0/1 - 48
dot1x pae authenticator
dot1x port-control auto
exit

Your Assistance is appreciated.

MHM Cisco World · ‎05-02-2024

You need to solve first ping between SW and radius

Show ip route

Check if the SW have IP or radius or default route in routing table

MHM

zhir · ‎05-02-2024

Before applying the radius config, I had ping!

zhir · ‎05-02-2024

Additionally every port i try to connect to stays in orange light

MHM Cisco World · ‎05-02-2024

That can explain little if I am correct

The uplink must not config with dot1x it secure link.

Remove dot1x config from link toward radius server try ping then do

Show aaa server

See if server is appear and UP

MHM

zhir · ‎05-02-2024

Thanks dear, Will do

zhir · ‎05-02-2024

Dear,

I am using a Catalyst 3750 V2 switch and have successfully connected to the DaloRadius server. I can log into the switch with the users I created in the Radius server without any problems. Here is my current configuration:

*Mar 1 03:00:41.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Switch>en
Switch#conf
Switch#sh run
Switch#sh running-config
Building configuration...

Current configuration : 5057 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username admin password 0 Nexus@2022
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/2
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/3
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/4
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/5
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/6
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/7
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/8
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/9
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/10
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/12
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/13
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/15
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/16
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/17
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/18
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/19
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/20
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/21
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/22
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/25
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/26
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/27
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/28
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/29
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/30
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/31
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/32
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/33
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/34
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/35
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/36
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/37
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/38
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/39
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/40
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/41
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/42
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/43
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/45
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/46
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/48
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 11.11.11.13 255.255.255.0
ip access-group INTERNET-ACCESS in
!
ip classless
ip http server
ip http secure-server
!
radius-server host 11.11.11.10 auth-port 1812 acct-port 1813 key ZhirZhir@@
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#

*Mar 1 03:00:41.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Switch>en
Switch#conf
Switch#sh run
Switch#sh running-config
Building configuration...

Current configuration : 5057 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username admin password 0 Nexus@2022
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/2
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/3
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/4
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/5
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/6
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/7
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/8
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/9
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/10
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/12
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/13
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/15
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/16
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/17
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/18
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/19
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/20
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/21
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/22
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/25
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/26
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/27
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/28
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/29
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/30
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/31
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/32
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/33
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/34
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/35
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/36
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/37
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/38
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/39
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/40
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/41
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/42
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/43
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/45
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/46
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/48
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 11.11.11.13 255.255.255.0
ip access-group INTERNET-ACCESS in
!
ip classless
ip http server
ip http secure-server
!
radius-server host 11.11.11.10 auth-port 1812 acct-port 1813 key ZhirZhir@@
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#

Now, I want to grant or restrict access to the end users connected to the same switch. I really have no idea where to begin. Essentially, I want any user (or an AP) that is connected to this switch to have their access controlled by the Radius server, similar to how ISPs or hotels operate.

Thank you for your assistance, it is greatly appreciated.

balaji.bandi · ‎05-02-2024

couple of things not clear ?

what Cisco device is this ?

what IOS code running ?

are you trying dot1.x deploying using Dalo radius ?

or is this for device authentication ?

I have used opensource freeradius before it works find most of the switches of cisco - depends on what you looking achieve :

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

Freeradius have good examples :

https://wiki.freeradius.org/vendor/Cisco

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zhir · ‎05-02-2024

Dear,

I am using a Catalyst 3750 V2 switch and have successfully connected to the DaloRadius server. I can log into the switch with the users I created in the Radius server without any problems. Here is my current configuration:

*Mar 1 03:00:41.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Switch>en
Switch#conf
Switch#sh run
Switch#sh running-config
Building configuration...

Current configuration : 5057 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username admin password 0 Nexus@2022
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/2
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/3
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/4
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/5
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/6
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/7
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/8
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/9
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/10
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/12
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/13
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/15
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/16
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/17
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/18
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/19
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/20
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/21
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/22
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/25
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/26
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/27
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/28
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/29
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/30
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/31
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/32
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/33
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/34
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/35
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/36
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/37
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/38
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/39
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/40
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/41
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/42
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/43
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/45
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/46
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/48
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 11.11.11.13 255.255.255.0
ip access-group INTERNET-ACCESS in
!
ip classless
ip http server
ip http secure-server
!
radius-server host 11.11.11.10 auth-port 1812 acct-port 1813 key ZhirZhir@@
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#

*Mar 1 03:00:41.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Switch>en
Switch#conf
Switch#sh run
Switch#sh running-config
Building configuration...

Current configuration : 5057 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username admin password 0 Nexus@2022
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet1/0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/2
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/3
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/4
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/5
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/6
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/7
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/8
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/9
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/10
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/11
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/12
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/13
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/14
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/15
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/16
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/17
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/18
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/19
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/20
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/21
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/22
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/25
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/26
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/27
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/28
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/29
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/30
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/31
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/32
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/33
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/34
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/35
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/36
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/37
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/38
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/39
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/40
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/41
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/42
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/43
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/45
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/46
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 100
switchport mode access
!
interface FastEthernet1/0/48
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 11.11.11.13 255.255.255.0
ip access-group INTERNET-ACCESS in
!
ip classless
ip http server
ip http secure-server
!
radius-server host 11.11.11.10 auth-port 1812 acct-port 1813 key ZhirZhir@@
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#

Now, I want to grant or restrict access to the end users connected to the same switch. I really have no idea where to begin. Essentially, I want any user (or an AP) that is connected to this switch to have their access controlled by the Radius server, similar to how ISPs or hotels operate.

Thank you for your assistance, it is greatly appreciated.