
NOTE Don’t run this as root.

Step 4. Dot1x Client configuration.

wpa_supplicant.conf doesn’t exist, so we must create it. Enter root mode:

  sudo su

  vi /etc/wpa_supplicant.conf

 

NOTE Use the vi editor to add the following lines (press the Insert button to start filling in this file):

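    # Control socket directory used by wpa_cli
    ctrl_interface=/var/run/wpa_supplicant
    # Wired 802.1X: no wireless scanning
    ap_scan=0
    network={
        key_mgmt=IEEE8021X
        eap=MD5
        # String values need plain ASCII double quotes
        identity="juanma"
        password="juanma"
        eapol_flags=0
    }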
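The configuration above, written and checked by a small script. This is an added example, not part of the original lab: the helper names `write_wpa_conf` and `check_wpa_conf` and the final `wpa_supplicant` command line are assumptions that do not appear on the page. It catches typographic quotes pasted from a web page, which wpa_supplicant does not accept as string delimiters, and keeps the file that stores the clear-text password readable by its owner only.

```shell
#!/bin/sh
# Added example, not from the original page; helper names are hypothetical.

# Write the EAP-MD5 client config with ASCII quotes. The file stores the
# password in clear text, so it is created readable by its owner only.
write_wpa_conf() {
    conf=$1 user=$2 pass=$3
    rm -f "$conf"
    ( umask 077; cat > "$conf" ) <<EOF
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=MD5
    identity="$user"
    password="$pass"
    eapol_flags=0
}
EOF
}

# Print one line per finding; return 0 only if nothing was found.
check_wpa_conf() {
    conf=$1 rc=0
    lq=$(printf '\342\200\234') rq=$(printf '\342\200\235')  # U+201C, U+201D
    if grep -q -e "$lq" -e "$rq" "$conf"; then
        echo "typographic quotes found: retype them as ASCII quotes"; rc=1
    fi
    # identity= and password= must be ASCII-double-quoted strings here
    if grep -E '^[[:space:]]*(identity|password)=' "$conf" |
       grep -q -v -E '="[^"]*"[[:space:]]*$'; then
        echo "identity/password value is not an ASCII-quoted string"; rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "file is accessible to group or others: chmod 600 $conf"; rc=1
    fi
    return $rc
}

# Demo on a scratch file (constructed input, same values as the lab).
tmp=$(mktemp)
write_wpa_conf "$tmp" juanma juanma
check_wpa_conf "$tmp" && echo "config OK"
rm -f "$tmp"
# Starting the client on the wired port (command not shown on the page):
#   wpa_supplicant -B -D wired -i eth0 -c /etc/wpa_supplicant.conf
```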

Task 3. Configuring NO_DOT1X

hostname NO_DOT1X

no ip routing

!

int fa0/0

speed 100

duplex full

ip address dhcp

no shut

 

Once NO_DOT1X has obtained an IP address, we can test WinRadius authentication:

NO_DOT1X#telnet 192.168.1.10

Trying 192.168.1.10 ... Open

User Access Verification

Username: juanma

Password: <juanma>

AUTHENTICATOR>

Task 4. Configuring the host (Linux Microcore Configuration)

Links: http://brezular.com/2010/12/18/ccnp-switch-and-gns3-part-2-2-freeradius-and-wpa-supplicant-installation-and-configuration/

NOTE Say thanks to Brezular for his fantastic work.

 

This is the most difficult task. You should be familiar with some basic Linux commands.

Step 1. Start Microcore Linux on GNS3.
Step 2. Configure the interface.

Strictly speaking, this step should be the last one, but the first time we need an Internet connection on HOST to run the 802.1X-compliant system software.

Enter root mode (Administrator): sudo su

DHCP activation: udhcpc

To know what IP is assigned to eth0 interface: ifconfig eth0

We can test the Internet connection with: ping 8.8.8.8

Step 3. Install wpa_supplicant extension to Microcore.

    tce-load -iw wpa_supplicant.tcz

We need an Internet connection to download the wpa_supplicant.tcz file from the Internet (distro.ibiblio.org).

After this:

Save this file with: ESC + :wq + ENTER

This configuration works for EAP-MD5 authentication. Before the switch allows the dot1x client (Microcore) access to the network, the client needs to be authenticated with username juanma and password juanma on Radius (remember the aaa authentication dot1x default group radius local command).

Finally, you can use RadiusTest (RadiusTest.exe) to test your WinRadius. Please recheck the Radius IP, port and username, password, NAS Secret. A correct message would be:

Step 2. Enabling WinRadius.

Download WinRadius. WinRadius standard version is free of charge. You can create up to five users.

WinRadius is a standard RADIUS server for network authentication and accounting. It's easy to use, and can be used as a telecommunication accounting platform or as a PPP authentication and accounting server. It supports PPP, PPPoE, PPTP, VPN, VoIP, ADSL, Cable Modem, CDMA, GSM, GPRS, WLAN (802.1x), etc.

  • Launch WinRadius.

  • Click "Configure ODBC automatically" button at "Settings/Database...".

  • Restart WinRadius. Now, all settings of WinRadius are OK.

  • Add some users to WinRadius by clicking "+" toolbar button. Let’s create one user: juanma/juanma

  • Configure your NAS to WinRadius (“Settings/System”) and Restart WinRadius (Close/Open).

  • Open Network Connections. Right-click the connection that you want to enable 802.1X authentication for, and then click Properties. Click the Authentication tab, and then select the Enable IEEE 802.1X authentication check box. In the Choose a network authentication method list, select MD5 Digest Authentication.

As you can see, this is a simple GNS3 lab.

  • IOS = c3725-adventerprisek9-mz.124-15.T5.bin (for Authenticator and NO_DOT1X).

  • Server = It’s the Authentication Server (Emulation of my PC through a cloud), using a real network card. WinRadius installed and 802.1x authentication.

  • NO_DOT1X = emulation of a PC through a Cisco Router.

  • HOST = It’s the supplicant: Qemu host using linux-microcore-2.11.5.img with dot1x client.

  • Authenticator = EtherSwitch Router.

Task 1. Configuring the authenticator

NOTE This device also acts as a DHCP server.

 

hostname AUTHENTICATOR

!

enable secret cisco

username juantron privilege 15 secret juantron

802.1X CONFIGURATION

aaa new-model

aaa authentication dot1x default group radius local

dot1x system-auth-control

radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key juanma

!FOR LOGIN PURPOSES

aaa authentication login default group radius local

DHCP SERVER CONFIGURATION

ip dhcp excluded-address 192.168.1.1 192.168.1.10

ip dhcp pool JUANTRON

  network 192.168.1.0 255.255.255.0

  default-router 192.168.1.10

Enable 802.1X on access ports

interface FastEthernet1/0

switchport mode access

dot1x port-control force-authorized

!

interface FastEthernet1/1

switchport mode access

dot1x port-control auto

spanning-tree portfast

!

interface FastEthernet1/2

switchport mode access

dot1x port-control force-authorized

spanning-tree portfast

!

interface Vlan1

ip address 192.168.1.10 255.255.255.0

no shut

!

end

 

NOTE The default keyword is used, so you don’t need to configure telnet access for login purposes.

Task 2. Configuring the Authentication Server

Links: http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

Step 1. Configuring 802.1X authentication on a PC running Windows XP.

NOTE This works only with real network cards (do not use loopback interfaces!).

To complete this procedure, first you must enable the Wired AutoConfig service, which is turned off by default.

  • Click the Start button. In the search box, type services.msc, and then press Enter.

  • In the Services dialog box, click the Standard tab at the bottom of main pane, right-click Wired AutoConfig, and then click Start. In my case:

PART I: Using Windows XP as the Authentication Server (with WinRadius and 802.1x authentication)

 
Topology