Lab Instructions ACS

SNRS

Configuring Cisco Secure ACS and AAA

Objective

In this exercise, you will install and configure a Cisco Secure Access Control Server (ACS) 4.1 on Windows 2000 to provide centralized authentication services to Cisco IOS devices. You will take a tour of the interface and features of Cisco Secure ACS, and configure the switch to offload all authentication tasks to the configured ACS server. You will install the ACS server on the lab server system, which is the only network end-system used in this exercise. You will also configure a Cisco Catalyst switch to use authentication, authorization, and accounting (AAA) services to authenticate network administrators and LAN users.


2 Configuring Cisco Secure ACS and AAA © 2007, NIL Data Communications

Figure 1: Lab visual objective


Command List

Use the following commands to complete this exercise:

aaa authentication enable default method1 [method2...]
    Determines if a user can access the privileged command level

aaa authentication login {default | list-name} method1 [method2...]
    Enables AAA authentication at login

aaa new-model
    Enables the AAA access control model

login authentication {default | list-name}
    Enables AAA authentication for logins

tacacs-server host hostname [key string]
    Specifies a TACACS+ host

username name [nopassword | password [encryption-type] password]
    Establishes a username-based authentication system at login

aaa authentication dot1x default group radius
    Creates an IEEE 802.1x authentication method list

aaa authorization network default group radius
    Configures the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment

aaa accounting dot1x default start-stop group radius
    Enables AAA accounting and creates method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions; sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process

radius-server host ip-address
    Specifies the IP address of a RADIUS server host

radius-server key key
    Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon

dot1x system-auth-control
    Enables IEEE 802.1x authentication globally on the switch

dot1x port-control auto
    Enables manual control of the authorization state of the port, and causes the port to change to the authorized or unauthorized state based on the IEEE 802.1x authentication exchange between the switch and the client

dot1x timeout {tx-period | supp-timeout | ...} seconds
    Sets various timeouts

dot1x reauthentication
    Enables periodic reauthentication of the client

dot1x guest-vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x guest VLAN

dot1x host-mode multi-host
    Allows multiple hosts (clients) on an IEEE 802.1x-authorized port

dot1x auth-fail vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x restricted VLAN

show dot1x [all | interface]
    Shows details for an identity profile

debug dot1x events
    Displays major events in the 802.1x authentication process

Table 1: Configuration and monitoring commands used to configure AAA services


Detailed Instructions

Follow the steps described in the tasks to complete the exercise.

Task 1: Install Cisco Secure ACS 4.1 for Windows

In this task, you will install the Cisco Secure ACS 4.1 software on your lab server.

Step 1 Using terminal services, log in to the AAA Server using the credentials listed in the User Credentials Information section.

Step 2 Open the Cisco Secure ACS Install folder on your desktop. Start the installation process by executing the Setup.exe file in the folder.

Step 3 Click OK if you are warned about memory requirements. The ACS will function normally on the lab platform.

Step 4 Click Accept to acknowledge the terms of the Cisco Secure ACS license agreement.

Step 5 Click Next in the Welcome window.

Step 6 Select all items listed in the Before You Begin window and click Next.

Figure 1: Cisco Secure ACS prerequisites

Step 7 Click Next to accept the default settings in the Choose Destination Location window.


Figure 2: Cisco Secure ACS installation path

Step 8 Select the Also check the Windows User Database radio button in the Authentication Database Configuration window.

Step 9 Select the Yes, refer to “Grant dial-in permission to user” setting check box in the Authentication Database Configuration window and click Next.

Figure 3: Cisco Secure ACS database configuration


Step 10 Check all boxes within the Advanced Options window and click Next.

Figure 4: Cisco Secure ACS advanced options

Step 11 Accept the default settings within the Active Service Monitoring window by clicking Next.

Step 12 Enter any password to protect the Cisco Secure ACS database and click Next.

Step 13 Finally, click Next to complete the installation and start the Cisco Secure ACS services and Cisco Secure ACS administrator.


Figure 5: Finalizing Cisco Secure ACS installation

Step 14 Click Finish to complete the installation.

Verification

Step 15 After Cisco Secure ACS has been installed, its user interface should start automatically. The installation also creates an ACS Admin icon on the desktop of the AAA Server. You may click on the icon to access the ACS administration and configuration interface. A web-based ACS interface will appear in the browser.


Figure 6: Cisco Secure ACS user interface

If the Cisco Secure ACS user interface appears after installation, and contains the elements as seen in Figure 6, the installation of Cisco Secure ACS has been successful.

Task 2: Take a Tour of the Cisco Secure ACS User Interface

In this task, you will familiarize yourself with the features and user interface of Cisco Secure ACS software, and change some of the settings required to continue with the next task. You will determine various Cisco Secure ACS information items and document them.

Step 16 On the AAA Server, in the Cisco Secure ACS administration, scroll down to see the details about the software.

Q1: What is the full release version and build number?

_________________________________________________________________

_________________________________________________________________

Step 17 Examine the user setup functions by selecting User Setup in the left frame and clicking the List All Users button.

Q2: How many users are configured?

_________________________________________________________________

_________________________________________________________________


Step 18 Examine the group setup functions by selecting Group Setup in the left frame.

Q3: What group is shown in the Group scroll list?

__________________________________________________________________

__________________________________________________________________

Step 19 Click on the Users in Group button.

Q4: How many users are in the group?

__________________________________________________________________

__________________________________________________________________

Step 20 Examine the system configuration functions by selecting System Configuration in the left frame and selecting Service Control.

Q5: What is the status of the Cisco Secure service, level of detail for logging, and frequency of new file generation?

__________________________________________________________________

__________________________________________________________________

Step 21 Click Cancel to return to the previous menu and select Logging.

Q6: What log targets are enabled?

__________________________________________________________________

__________________________________________________________________

Step 22 Click Cancel to return to the previous menu and select Local Password Management.

Q7: What is the purpose of the password validation option?

__________________________________________________________________

__________________________________________________________________

Step 23 Click Cancel to return to the previous menu and select Cisco Secure Database Replication.

Q8: What is the purpose of the Cisco Secure Replication Setup?

__________________________________________________________________

__________________________________________________________________

Step 24 Click Cancel to return to the previous menu and select ACS Backup.

Q9: Where can the ACS user and group databases be backed up?

__________________________________________________________________

__________________________________________________________________

Step 25 Click Cancel to return to the previous menu and select ACS Restore.

Q10: What components can be backed up and restored?

__________________________________________________________________

__________________________________________________________________


Step 26 Click Cancel to return to the previous menu and select ACS Service Management.

Q11: What are the two ways a system administrator can be notified of logged events?

_________________________________________________________________

_________________________________________________________________

Step 27 Click Cancel to return to the previous menu.

Step 28 Examine the user interface configuration functions by selecting Interface Configuration in the left frame and selecting User Data Configuration.

Q12: Why are user-defined fields useful?

_________________________________________________________________

_________________________________________________________________

Step 29 Click Cancel to return to the previous menu, select Advanced Options, and select all options.

Q13: What is the purpose of selecting advanced options?

_________________________________________________________________

_________________________________________________________________

Step 30 Select Submit and return to the previous menu.

Step 31 Select Administration Control in the left frame.

Q14: What administrator accounts are configured by default?

_________________________________________________________________

_________________________________________________________________

Q15: What is the purpose of the administrator control configuration section?

_________________________________________________________________

_________________________________________________________________

Step 32 Examine the external user database functions by selecting External User Databases in the left frame.

Note If you cannot see the Administration Control button in the left frame due to the limited window size, use the Tab key to scroll between the buttons.

Step 33 Select Unknown User Policy.

Q16: Which two options are available if a user is not found in the ACS database? Which of the two options is the default?

_________________________________________________________________

_________________________________________________________________

Q17: Which external databases can be checked for the unknown user?

_________________________________________________________________

__________________________________________________________________

Step 34 Click Cancel to return to the previous menu, select Database Group Mappings, and view the help section.

Step 35 Click Cancel to return to the previous menu and select Database Configuration.

Q18: What can you select in the External User Database Configuration section?

__________________________________________________________________

__________________________________________________________________

Step 36 Click Cancel to return to the previous menu.

Step 37 Examine the reports and activity functions by selecting Reports and Activity in the left frame and selecting Administration Audit.

Q19: What appears in the Administration Audit.csv file?

__________________________________________________________________

__________________________________________________________________

Step 38 Select Online Documentation in the left frame.

Step 39 (Optional) Take a moment to browse the new features, software requirements, and troubleshooting sections of the online documentation.

Task 3: Configure the Cisco Secure ACS Database for Authentication

In this task, you will configure the Cisco Secure ACS user database by adding a AAA client (switch) in the ACS database, adding a group, and adding a user to the group.

Step 40 Select Network Configuration in the left frame.

Step 41 Click Add Entry in the Network Device Groups section, and configure a AAA client group named LAN Switches (leave all other fields blank).

Step 42 Click Submit to create the group.

Step 43 Click LAN Switches link and then Add Entry button to configure a AAA client using the following parameters:

Note This TACACS-based entry will be used to authenticate network administrators.

AAA Client Hostname: Switch-TAC+

Client IP address: 10.1.2.1

Shared Secret: vErYrAnDoM

Authenticate Using: TACACS+ (Cisco IOS)

Note In real life, use a very random string of at least 16 characters for the TACACS+ authentication and encryption key.

Step 44 Click Submit.


Step 45 Click Add Entry again to configure another AAA client using the following parameters:

Note This RADIUS-based entry will be used to authenticate network users.

AAA Client Hostname: Switch-RAD

Note A different hostname must be used although this RADIUS client is the same as the previous TACACS+ client.

Client IP address: 10.1.2.1

Shared Secret: vErYrAnDoM

Authenticate Using: RADIUS (Cisco IOS/PIX 6.0)

Step 46 Click Submit + Apply.

Step 47 Select Interface Configuration in the left frame.

Step 48 Select TACACS+ (Cisco IOS).

Step 49 In the TACACS+ Services section, select Shell (exec) in both the User and Group columns.

Step 50 Scroll down and in the Advanced Configuration Options section of the same window, select all four options.

Step 51 Click Submit.

Note By adding at least one TACACS+ client the TACACS+ interface configuration option becomes available. By adding at least one RADIUS client the RADIUS interface configuration options become available.

Step 52 Create a new user group by clicking Group Setup in the left frame.

Step 53 Select Group 1 from the drop-down list.

Step 54 Rename the group to Administrators by clicking Rename Group, highlighting the existing name, typing in the new group name, and clicking Submit.

Step 55 Modify the password change policy for administrators by selecting Edit Settings and setting the group settings as follows:

In the Password Aging Rules section, configure the apply age-by-date rule for 30 days active, warning period of 4, and a grace period of 4.

Leave all other sections at their default values.

Click Submit + Restart.

Step 56 Rename Group 2 to Engineering.

Step 57 Rename Group 3 to Sales.

Step 58 Add a user admin, member of group Administrators, to the Cisco Secure ACS database by clicking User Setup in the left frame.


Step 59 Enter admin as the username.

Step 60 Enter admin as the password.

Step 61 Enter the password again to confirm it.

Step 62 Scroll to the Group selection drop-down menu and assign the user to the Administrators group.

Step 63 Scroll to the Account Disable section, select Disable account if…, and select the Failed attempts exceed: 5 check box.

Step 64 Click Submit.

Step 65 Create another user using username alice with password alice. Make this user a member of the Engineering group.

Step 66 Create another user using username john with password john. Make this user a member of the Sales group.

Verification

Step 67 Click List All Users in the User Setup Select frame and verify that the users you just added are present and correctly configured.

Q20: What is the main difference between the parameters in the user and group setups?

__________________________________________________________________

__________________________________________________________________

Task 4: Configure the Switch to Authenticate Network Administrators against the Cisco Secure Database

In this task, you will configure the Switch in your lab to use the Cisco Secure ACS as the authentication server, using the TACACS+ protocol between the switch and the server.

Step 68 On the Switch, configure an enable secret ciscosecret.

Step 69 Enable the new model of AAA.

Step 70 Configure the location of the TACACS+ server using the following parameters:

TACACS+ server IP address: 10.1.2.2

TACACS+ encryption key: vErYrAnDoM

Step 71 Configure an emergency local administrator account with the username localadmin and password localadmin.

Note You will be able to use this username to log in if the TACACS+ server is down or misconfigured.

Step 72 Configure a named AAA authentication method list for login authentication, using TACACS+ (group tacacs+, which represents all configured TACACS+ servers) as the first, and the local database as the fallback means of authentication.


Step 73 Apply the configured named authentication method list to the console and all vty lines.

Step 74 For added security, create a default login method, which only uses the enable secret (or enable password, if the enable secret is not configured) to authenticate users. This will serve as a “blanket” authentication requirement, if you forget to apply a specific named login method to a line.

Verification

Step 75 From the AAA Server, telnet to the switch (10.1.2.1) by clicking on the Telnet to Router icon and log in using username admin with password admin. You should successfully log in.

C:\> telnet 10.1.2.1
Username: admin
Password: admin

Printout 1: Login to the Switch

Step 76 Enter the privileged mode using the enable password ciscosecret.

SNRSSwitch>enable
Password: ciscosecret
SNRSSwitch#

Printout 2: Entering privilege mode on the Switch

Note If you cannot log in, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.

Task 5: Configure Separate Per-User Enable Passwords

In this task, you will configure centralized enable password management using the Cisco Secure ACS software. Currently, the switch only has a single enable password or secret, which is used by all administrators. It might be required, however, to limit the distribution of such secrets to a closed group of administrators, and give each administrator their own enable secret, making it easier to change it more often, and easier to revoke it if it becomes compromised.

Cisco Secure ACS enables per-user enable passwords, where each user can have their own enable password, stored on the central AAA server. To enable this functionality, complete the following steps.

Step 77 In Cisco Secure ACS, edit the Administrators group. In the Enable Options section, select Max Privilege for Any AAA Client and set it to level 15. This will allow these users to access the privileged mode, when the per-user enable secret is stored on the AAA server.

Step 78 Click Submit + Restart to enable the settings.

Step 79 Edit the user admin. Scroll to the Advanced TACACS+ Settings. In the TACACS+ Enable Control section select Use Group Level Setting and in the TACACS+ Enable Password section select the Use Separate Password check box. Enter a password of adminsecret.

Step 80 Click Submit to enable the settings.

Step 81 On the Switch, configure a named AAA authentication method for enable authentication, using TACACS+ as the first, and the enable secret as the fallback means of authentication. The local enable secret will only be used if the TACACS+ server is unavailable.
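The Cisco IOS configuration below is an added example covering Steps 68 to 74 (Task 4) and Step 81 (Task 5) together; it is not the lab's own solution. It uses the values the lab states (ACS at 10.1.2.2, key vErYrAnDoM, enable secret ciscosecret, fallback user localadmin); the method-list name ADMIN and the assumption of 16 vty lines are mine. Two practitioner checks are built in: the local user is created before aaa new-model, so there is no moment when AAA is on but nothing can log in, and the comments spell out when IOS actually falls back to the next method.

```cisco
! Added example (not the lab's official answer): Tasks 4 and 5 on the Switch.
! Values from the lab: ACS 10.1.2.2, key vErYrAnDoM, enable secret ciscosecret,
! fallback user localadmin. The list name ADMIN is an assumption.
enable secret ciscosecret
! Step 71, done first on purpose: create the local fallback account BEFORE
! aaa new-model. "secret" stores a hash; the lab's command list shows the
! older "password" form, which is stored reversibly.
username localadmin secret localadmin
! Step 69
aaa new-model
! Step 70: TACACS+ server and shared key (12.2-era single-line syntax)
tacacs-server host 10.1.2.2 key vErYrAnDoM
! Step 72: named list, TACACS+ first, local database second.
! IOS tries the next method only when every TACACS+ server is unreachable
! (an ERROR). A REJECT from the ACS is final, so a wrong password does not
! fall through to localadmin.
aaa authentication login ADMIN group tacacs+ local
! Step 74: "blanket" default list for any line with no named list applied
aaa authentication login default enable
! Step 81 (Task 5): per-user enable password from the ACS, local enable
! secret only if the server is unavailable
aaa authentication enable default group tacacs+ enable
! Step 73: apply the named list to the console and all vty lines
line console 0
 login authentication ADMIN
line vty 0 15
 login authentication ADMIN
end
! Verify from a SECOND telnet session while the first one stays open, with the
! same debugs the lab's notes refer to; turn them off again afterwards.
debug aaa authentication
debug tacacs
```

Keep the session you configured from open until a fresh login through the ACS has succeeded; if the key or server address is wrong, that open session is the only one that does not depend on TACACS+.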

Verification

Step 82 From the AAA Server, telnet to the switch (10.1.2.1) and log in using username admin with password admin. You should successfully log in.

C:\> telnet 10.1.2.1
Username: admin
Password: admin

Printout 3: Login to the Switch

Step 83 Enter the privileged mode using the password adminsecret. As this is your per-user enable password, the transition to the privileged mode should succeed.

SNRSSwitch> enable
Password: adminsecret
SNRSSwitch#

Printout 4: Entering the privilege mode on the Switch

Note If you cannot log in or enter the enable mode, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.

Task 6: Configure 802.1x

In this task, you will configure a Switch to authenticate the Desktop via 802.1x, and offload authentication to the Cisco Secure ACS.

Step 84 Log into the Desktop by clicking its icon in the lab topology and authenticating using the credentials listed in the User Credentials Information section.

Step 85 Open Start > Network Connections, right-click on the LAB connection, select Properties, and then select the Authentication tab.

Step 86 Ensure that the Enable Network Access Control Using IEEE 802.1x check box is checked.

Step 87 Select MD5-Challenge as the EAP type.

Step 88 Uncheck the Authenticate as computer when computer information is available checkbox.

Step 89 Click OK.


Step 90 Connect to the Switch; if necessary, log in as admin with password admin and enable password adminsecret.

Step 91 Configure a RADIUS host using the same IP address and key as for the TACACS+ host configuration (IP address 10.1.2.2, key vErYrAnDoM).

Step 92 Create a named 802.1x authentication method list, which uses the default RADIUS group.

Step 93 Configure the Switch for user RADIUS authorization for all network-related service requests.

Note To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

Step 94 Enable IEEE 802.1x authentication globally.

Step 95 Determine the preconfigured VLANs by issuing the show vlan command.

Your list of preconfigured VLANs should resemble the list in Table 1.

VLAN  Description
10    Users VLAN used on ports connecting users before 802.1x
20    Management VLAN hosting the Cisco Secure ACS
30    Guest VLAN for users without the 802.1x supplicant or users failing to authenticate
40    Engineering VLAN for users in the Engineering group
50    Sales VLAN for users in the Sales group
60    Unauthenticated VLAN for devices before 802.1x starts

Table 1: Preconfigured VLANs

Step 96 Configure the FastEthernet 0/22 interface connecting to the Desktop for 802.1x authentication using the following characteristics:

Put the port into VLAN 60 (Unauthenticated VLAN) used for unauthenticated users

Enable automatic 802.1x port authorization

Enable periodic re-authentication

Specify an active VLAN 30 (Guest VLAN) as an 802.1x guest VLAN (devices without an 802.1x supplicant)

Specify an active VLAN 30 (Guest VLAN) also as an 802.1x failed VLAN (devices with an 802.1x supplicant but failing to authenticate)

Specify a maximum of two allowed authentication attempts before a port moves to the Guest VLAN

Set the timeout for supplicant reply to 3 seconds

Set the timeout for supplicant retries to 3 seconds
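The configuration below is an added example of Steps 91 to 96, not the lab's own solution. It uses the lab's values (RADIUS server 10.1.2.2, key vErYrAnDoM, VLAN 60 before authentication, VLAN 30 as both guest and auth-fail VLAN, port FastEthernet 0/22) and adds the accounting line from the command list, which the steps do not ask for but which gives the ACS a start/stop record for every 802.1x session. The timeout values match the ones the lab's Printout 7 reports afterwards.

```cisco
! Added example (not the lab's official answer): Task 6, Steps 91 to 96.
! Values from the lab: RADIUS 10.1.2.2, key vErYrAnDoM, VLANs 60 and 30, Fa0/22.
! Step 91: RADIUS server, same address and key as the TACACS+ entry
radius-server host 10.1.2.2
radius-server key vErYrAnDoM
! Step 92: 802.1x uses the "default" method list (the form in the lab's
! command list); the RADIUS group holds every radius-server host configured.
aaa authentication dot1x default group radius
! Step 93: network authorization, required before ACS-assigned VLANs are honoured
aaa authorization network default group radius
! Addition from the command list: per-session start/stop records on the ACS
aaa accounting dot1x default start-stop group radius
! Step 94: global enable; the per-port commands below do nothing without it
dot1x system-auth-control
! Step 96: the port facing the Desktop
interface FastEthernet0/22
 switchport mode access
 switchport access vlan 60
 ! automatic authorization based on the EAPOL exchange
 dot1x port-control auto
 ! periodic re-authentication (ReAuthPeriod stays at the 3600 s default)
 dot1x reauthentication
 ! same VLAN for clients without a supplicant and for clients that fail
 dot1x guest-vlan 30
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 ! wait 3 s for the supplicant's reply, retransmit the request every 3 s
 dot1x timeout supp-timeout 3
 dot1x timeout tx-period 3
end
! Compare with the lab's Printout 7: SuppTimeout = 3, TxPeriod = 3,
! Guest-Vlan = 30, Auth-Fail-Vlan = 30, Auth-Fail-Max-attempts = 2
show dot1x interface FastEthernet 0/22 details
```

The short tx-period is what makes the lab's guest-VLAN demonstration fast: the switch sends three EAP-Request/Identity frames 3 seconds apart before declaring the client non-responsive, which is exactly the 13:22:23, 13:22:26, 13:22:29 sequence in Printout 5.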

Verification

Step 97 On the Switch, shut down the FastEthernet 0/22 interface.

interface FastEthernet0/22
 shutdown

Configuration 1: Shutting down the FastEthernet 0/22 interface on the Switch

Step 98 On the Desktop, right-click on the LAB connection in the Network Connections window and select Disable.

Figure 2: Disable LAB port

Note Because of the architecture of the remote lab it is necessary to use this approach, as there are multiple switches between the Switch and the Desktop. A disconnected LAB port on the Desktop is not detected by the Switch, and a shut-down FastEthernet 0/22 interface on the Switch is not detected by the Desktop. We must, therefore, shut down the FastEthernet 0/22 interface on the Switch and disable the LAB port on the Desktop, and then re-enable the two ports almost simultaneously, to simulate a physical PC being connected to the Switch.

Step 99 On the Switch, enable 802.1x event debugging.

SNRSSwitch#debug dot1x events

Configuration 2: Enabling the 802.1x event debugging on the Switch

Step 100 Enable the FastEthernet 0/22 interface on the Switch (this starts the 802.1x authentication process), quickly followed by enabling the LAB port on the Desktop (this starts a new DHCP request), to simulate the physical connection of the PC to the switch.

interface FastEthernet0/22
 no shutdown

Configuration 3: Enabling the FastEthernet 0/22 interface on the Switch


Note Because there are multiple switches between the Desktop and the Switch it is not possible to test 802.1x authentication. We can, however, test the Guest VLAN functionality as the Desktop will appear to the Switch as a client without a supplicant.

SNRSSwitch(config-if)#
13:22:22: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:22: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/22 has changed to UP
13:22:22: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
13:22:22: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
13:22:22: dot1x-ev:Created a default authenticator instance on FastEthernet0/22
13:22:22: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/22
SNRSSwitch(config-if)#
13:22:22: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/22
13:22:22: %LINK-3-UPDOWN: Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#
13:22:23: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:23: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:23: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:26: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:26: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:26: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:29: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:29: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:29: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:32: dot1x-ev:Received an EAP Timeout on FastEthernet0/22 for mac 0000.0000.0000
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Authentication failure due to non responsive client on FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Activating guest VLAN 30 on port
13:22:32: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 30 on interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:vlan 30 vp is added on the interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/22
13:22:32: dot1x-ev:Received successful Authz complete for 0000.0000.0000
13:22:32: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:32: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:32: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
13:22:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#

Printout 5: 802.1x Debugging


Step 101 On the Desktop, open a command prompt and verify the assignment of the IP address from the DHCP pool for the Guest VLAN 30 (the IP address should be from the 10.1.3.0/24 network).

Note If no IP address has been assigned yet, use the ipconfig /renew command to request an address via DHCP again.

C:\WINDOWS>ipconfig

Windows IP Configuration

Ethernet adapter MGMT:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.250.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter LAB:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 10.1.3.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.3.1

Printout 6: Desktop received IP address from DHCP pool for Guest VLAN

Note It may take some time for the Desktop to acquire the address as the 802.1x authentication process tries to communicate with the Desktop before giving up and assigning the Desktop to the Guest VLAN.

Step 102 On the Switch, view the 802.1x status of the FastEthernet 0/22 interface.

SNRSSwitch#show dot1x interface FastEthernet 0/22 details

Dot1x Info for FastEthernet0/22
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 3
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 3
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2
Guest-Vlan                = 30

Dot1x Authenticator Client List Empty

Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 30

Printout 7: The 802.1x status of the FastEthernet0/22 interface on the Switch