
Deactivate 802.1x Authentication temporarily


Good Morning Everyone,

I am a newly hired sys admin for a small company. Currently we have 802.1x authentication on all switch ports but it does not work because our Cisco ACS unit has failed and it was doing the RADIUS authentication. I have not dealt with 802.1x before so I have been doing my research as to the best method of temporarily removing 802.1x from all network ports until I have a NAP server ready to authenticate requests with.

Below I have included a snippet of my current running-config with explanations of what each of the 802.1x commands does, which are in bold. I would like to make as few changes to the current configuration as possible until I become more familiar with the network topology.

QUESTION 1: I am thinking if I change "aaa authentication dot1x default radius" to "aaa authentication dot1x default none" or "no aaa accounting dot1x default" there will be no authentication and users will simply connect. I found the following explanation:

"Use the no variant of this command to disable AAA accounting for 802.1x-based Port Authentication globally."

QUESTION 2: Every interface has the below commands for guest-vlan and unauth-vlan. Do I need to remove these configurations as well?

dot1x guest-vlan 80

dot1x unauth-vlan 80

QUESTION 3: If my solution isn't going to work, what would be the prescribed method to move forward?

[Running-Config - Truncated]

RIVET-IDF-4B#show running-config

aaa authentication login "radiuslist" radius none (aaa list of radius servers for login)

dot1x system-auth-control (globally enables 802.1x)

aaa authentication dot1x default radius (enables default auth to aaa radius server)

aaa authorization network default radius (enables switch to accept VLAN assignment by radius server)

radius-server attribute 4 10.10.80.3 (no clue)

radius-server source-ip 10.10.80.3 (source ip for radius server to use)

radius-server host auth 10.10.3.10 (specified radius server)

primary

name "radius"

key "PASSWORD" (radius server shared key)

exit

VLAN Database Configuration

interface vlan 80

name "Users"

routing

ip address 10.10.80.3 255.255.252.0

exit

interface vlan 200

name "Guest Internet Access Only"

routing

ip address 192.168.200.3 255.255.255.0

ip access-group Wifi in 1

exit

Port Configuration

interface ethernet 1/g1

spanning-tree portfast

dot1x guest-vlan 80

dot1x unauth-vlan 80

exit

!

interface ethernet 1/g2

spanning-tree portfast

dot1x guest-vlan 80 (guest VLAN, access if auth fails)

dot1x unauth-vlan 80 (guest VLAN, access if auth fails)

dot1x port-control force-authorized (Force authentication on ports)

Any help, tips or suggestions are absolutely welcome.

Antony 303
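
Before changing anything, it helps to inventory which global and per-port 802.1x lines the switch actually carries. The script below is an added example, not part of the original post or any vendor tooling: it parses a running-config in the format shown above and lists the global dot1x/AAA lines and each port's dot1x settings. The sample config is constructed from the post's snippet with the annotations removed, the function names are hypothetical, and no assumption is made about what the switch does on ports that lack an explicit port-control line.

```python
import re

# Constructed sample modelled on the truncated running-config in the post.
SAMPLE_CONFIG = """\
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
interface ethernet 1/g1
dot1x guest-vlan 80
dot1x unauth-vlan 80
exit
!
interface ethernet 1/g2
dot1x guest-vlan 80
dot1x unauth-vlan 80
dot1x port-control force-authorized
exit
"""

def audit_dot1x(config_text):
    """Return (global_lines, ports): global 802.1x/AAA lines and per-port dot1x settings."""
    global_lines, ports, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface ethernet (\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), {})   # entering a port block
        elif line == "exit":
            current = None                               # leaving any sub-block
        elif current is not None:
            m = re.match(r"dot1x (guest-vlan|unauth-vlan|port-control) (\S+)$", line)
            if m:
                current[m.group(1)] = m.group(2)
        elif re.match(r"(dot1x |aaa \S+ (dot1x|network) )", line):
            global_lines.append(line)                    # global 802.1x-related line
    return global_lines, ports

def ports_without_explicit_port_control(ports):
    """Ports with no port-control line; the switch's own default applies there."""
    return sorted(p for p, s in ports.items() if "port-control" not in s)

if __name__ == "__main__":
    g, p = audit_dot1x(SAMPLE_CONFIG)
    print("Global:", *g, sep="\n  ")
    for port, settings in p.items():
        print(port, settings)
    print("No explicit port-control:", ports_without_explicit_port_control(p))
```
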

