Comments on GNS3 Labs | CCNP | CCNA Labs: AAA dot1x Lab Switch Sim
Blog author: Waqas Azam. Comment feed last updated 2024-02-03.

Anonymous, 2017-11-28:
VACL works only in the IOU VM, as well as private VLANs, but you must memorize the commands:
ASW1(config)#radius-server host 172.189.29.100 key ciscoradius
ASW1(config-if)#dot1x port-control auto
These 2 commands that you need to memorize work, but you need to type them word for word.

SoRe, 2017-04-21:
Hello Matthew,
I have EXACTLY the same issue as you. All the questions were right except this lab. Could you please tell me what you did to overcome this issue? What is the solution of this lab?
Thanks in advance.

dagb, 2017-02-24:
I tested dot1x with a 2940 (12.1.22ea14) and a 2960 (15.0.2se10a). These are my notes:

Using a single machine with two network interfaces as both radius server and dot1x client works here.

freeradius 3.x server setup:
---------------------------------------------------------------
eth1: flags=4163 mtu 1500
 inet 10.10.20.1 netmask 255.255.255.0 broadcast 10.10.20.255

/etc/raddb/clients.conf:
client cisco {
 ipaddr = 10.10.20.0/24
 secret = radiuskey
}

/etc/raddb/users:
radius Cleartext-Password := "Cisco123"
mydot1xuser Cleartext-Password := "mydot1xpw"

# radiusd -X
--------------------------------------------------------------

dot1x client setup:
------------------------------------------------------------
eth0: flags=4163 mtu 1500
 inet 10.10.10.99 netmask 255.255.255.0 broadcast 10.10.10.255

/etc/wpa_supplicant/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
fast_reauth=1

network={
 key_mgmt=IEEE8021X
 eap=TTLS MD5
 identity="mydot1xuser"
 anonymous_identity="mydot1xuser"
 password="mydot1xpw"
 phase1="auth=MD5"
 phase2="auth=PAP password=mydot1xpw"
 eapol_flags=0
}

# wpa_supplicant -i eth0 -Dwired -c /etc/wpa_supplicant/wpa_supplicant.conf -d
--------------------------------------------------------------

c2960 switch with 15.0.2:
------------------------
hostname DSW1
sdm prefer lanbase-routing
! reload after this. you may now have multiple active SVIs.
!
vlan 10
 name clients
vlan 20
 name servers
!
no ip domain-lookup
aaa new-model
dot1x system-auth-control
!
!
radius server RADIUSSRV1
 address ipv4 10.10.20.1 auth-port 1812 acct-port 1813
 key radiuskey
!
dot1x system-auth-control
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1
 description TRUNK to ASW
 switchport mode trunk
!
interface GigabitEthernet0/8
 description TO RADIUS
 switchport access vlan 20
 switchport mode access
!
interface Vlan10
 description client gateway, ping this from client when auth ok
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description mgmtinterface, also for radius traffic
 ip address 10.10.20.10 255.255.255.0
!
ip default-gateway 10.10.20.1
ip radius source-interface Vlan20
!
interface GigabitEthernet0/2
 description DOT1xport to client
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 60
 dot1x pae authenticator
 spanning-tree portfast
----------------------------

c2940 with 12.1.22
----------------------
hostname ASW1
vlan 10
 name clients
vlan 20
 name servers
aaa new-model
radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key radiuskey
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 description DOT1xport to client
 switchport access vlan 10
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 60
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet0/8
! yeah, this hangs off DSW above. If all you have is a 2940/2950, adapt as needed.
 description TRUNK to DSW
 switchport mode trunk
!
interface Vlan20
 description mgmtinterface, also for radius traffic
 ip address 10.10.20.20 255.255.255.0
 no ip route-cache
------------------------

Anonymous, 2017-02-19:
Cisco Nexus Titanium (Nexus Titanium-VM-51.2) supports VACLs =)

Anonymous, 2016-10-05:
vlan access-map is not supported by emulators (Packet Tracer, GNS3, etc.)
as it is a hardware "feature" on Cisco devices. You'll need at least 1 working Cisco 3750 to try these commands. BUT I think maybe Cisco IOU supports this, as Cisco IOU is usually used on CCIE tests and I think it should support it; also I saw GNS3 has support for implementing L2/L3 IOU IOS...

Lee T B T, 2016-09-14:
Where can I get the download?

Anonymous, 2016-09-12:
vlan access-map commands are not working on GNS3. Is it normal or am I missing something? Please guide.

Anonymous, 2016-06-24:
Have these labs been removed?

Anonymous, 2016-06-15:
Why did you configure the access map on vlan 10, and the ACL on vlan 11?

lalogallardo, 2016-04-05:
The GNS file??

Anonymous, 2016-03-13:
Hello Guys,

Is this the right configuration for AAAx?
Step 1: Console to ASW1 from PC console 1
Configure authentication via a RADIUS server on ASW1:
ASW1(config)#aaa new-model
ASW1(config)#radius-server host [IP radius server] key rad123
ASW1(config)#aaa authentication dot1x default group radius
Enable 802.1x on the switch:
ASW1(config)#dot1x system-auth-control
Configure Fa0/1 to use 802.1x:
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access (rewrote this command even though it existed in config)
ASW1(config-if)#switchport access vlan 20 (rewrote this command even though it existed in config)
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#no shutdown (just in case, to be sure)
ASW1(config-if)#exit
ASW1#copy run start
Step 2: Console to DSW1 from PC console 2
Packets from devices in the address range of 172.120.10.0/24 should be passed on VLAN 20.
Define an access list:
DSW1(config)#access-list 11 permit 172.120.40.0 0.0.0.255
DSW1(config-ext-nacl)#exit
DSW1(config)#vlan access-map MYMAP 10
DSW1(config-access-map)#match ip address 11
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYMAP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter MYMAP vlan-list 20
DSW1#copy run start

Bruno Favero, 2016-01-05:
Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x pae authenticator and authentication port-control auto interface configuration commands (dot1x port-control auto command in Cisco IOS Release 12.2(33)SXH and earlier releases), the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). When the client receives the frame, it responds with an EAP-response/identity frame.

If the client does not receive an EAP-request/identity frame from the switch during bootup, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.

Anonymous, 2015-09-10:
When using the command 'dot1x port-control auto' I have to use "ip routing" on the port for the dot1x command to be available. Once I enter 'dot1x port-control auto' and look at the running config I see:
interface FastEthernet1/0/23
 no switchport
 no ip address
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect

Is there anything else to the commands for this lab? Is this expected but not mentioned in the tutorial?

Kiwi Mark, 2015-08-28:
I've tried this on a newer 4948 and 3750 and I can enter the command, but then it adds the latter commands to the config after the fact. If you can't enter it at all then you might want to make sure that the switchport is in access mode.

Anonymous, 2015-08-25:
"int vlan 20
description new dot1x_users
ip address 172.120.10.1 255.255.255.0
no shut"

The requirement clearly states "Corporate policies do not allow layer 3 functionality to be enabled on the switches." So, no layer 3 means no IPs for VLANs.

Anonymous, 2015-08-11:
Is it possible that the command "dot1x port-control auto" under the FastEthernet interface is no longer valid? Maybe it should be "authentication port-control auto" and "dot1x pae authenticator"?

1nSignificant, 2015-08-10:
Is vlan 20 added to the trunk port? I'm taking the test Thursday, and I would assume they may be deducting points for not having the VLANs defined and active both upstream and downstream.

configure radius access
vlan 20 - 172.120.10.0/24
access-list dropping non 172.120.10.0/24
radius server 172.189.29.100 key ciscoradius

aws1 -

conf t
aaa new-model
radius-server host 172.189.29.100 key ciscoradius
!
vlan 20
name dot1x_test
!
dot1x system-auth-control
!
int vlan 20
description new dot1x_users
ip address 172.120.10.1 255.255.255.0
no shut
!
int range f0/1-3
switchport mode access
switchport access vlan 20
spanning-tree portfast
spanning-tree bpduguard enable
dot1x port-control auto
!
int range f0/4-9
spanning-tree portfast
shut
int range f0/11-24
spanning-tree portfast
shut
!
int f0/10
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 20
!

dws1 -
conf t
!
vlan 20
name dot1x_test
!
int g1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 20
!
ip access-list standard 10
permit 172.120.10.0 0.0.0.255
exit
!
vlan access-map MYMAPIP 10
match ip address 10
action forward
!
vlan access-map MYMAPIP 20
action drop
!
vlan filter MYMAPIP vlan-list 20

==============
Hopefully this is correct. I'll take it to my lab tonight to verify. I just pieced that together in Notepad while testing.

Anonymous, 2015-08-09:
On the 300-115 exam, it seems that something more is needed to get this solution correct. I know this lab cold, yet I have taken the exam twice and failed due to this question. Has anyone else had this problem?

Thanks.

Anonymous, 2015-07-23:
Where have you downloaded it?

Anonymous, 2015-07-13:
Good one

Anonymous, 2015-06-01:
Great article man, but I don't think VACL works in GNS3; I've tried the 3600/3700 series with the NM-16ESW module but only the radius server command is there.

Anonymous, 2015-01-22:
Technically, you don't need to set an action drop, because it will implicitly deny anything that isn't permitted. However, it is good practice to just add an additional action of drop. Also, the exam may deduct points off of your simulation if you don't have that extra step, so it's best to be on the safe side. :-)

Anonymous, 2014-09-22:
Do you actually need the action drop addition to the access-map? My understanding is that VACLs have an implicit deny (drop) that will drop anything which is not expressly forwarded.

Anonymous, 2014-09-10:
When I took the test this lab was bugged. It wouldn't let me remove the access-map that I had put in there wrongly.