HowTo configure 802.1x wired, mac authentcation bypass and guest vlan on Cisco 2960 switch and Windows radius


We want to configure 802.1x on all access ports, if users authenticates successful radius assigns vlan 24, if we connect printer with MAC address in AD group printers, gets assigned vlan 450. And if the authentication fails or timeouts users get authorized in guest vlan 999.


Windows server configuration:

Create OU printer, add printer group, create user with mac address of printer example: 00:11:22:33:44:55 and it needs to have the same password. Than we configure Network Policy Server, with switch at radius client, two network policies, one for mac authentication bypass and one for 802.1x authentication for users. More detailed info in video.


Cisco configuration:

First we configure radius server “Server1!:

Than we create aaa group:

And enable aaa authentication dot1x default group RadiusGroup: which mean that users will be authenticated through radius server is group RadiusGroup
aaa authorization network default group RadiusGroup:  users will receive vlan parameters based on windows server NPS.

At the end we configure access port – this is basic 802.1x access port configuration :

Switchport mode access, switchport nonegotiate, spanning-tree portfas: basic access port configuration
We could add for security reasons:

no cdp enable
storm-control broadcast level 10.00
storm-control unicast level 10.00
storm-control multicast level 10.00
storm-control action shutdown
spanning-tree bpduguard enable

authentication event fail action authorize vlan 999 => if the device failes to authenticate via 802.1x assign vlan 999
authentication event fail no-response action authorize vlan 99 => if the device doesnt send or reply to 802.1x requests
authentication order mad dot1x => authentication order, mab is firts that printers etc dont timeout DHCP server
authentication port-control auto => set auto authentication 802.1x on port, could be forced authorized or unauthorized
mab => enable mac authentication bypass on port
dot1x pae authenticatior =>  switch gets username and password from client
dot1x timeout tx-period 2 => timeout period for 802.1x, needs to be low that clients doesnt timeout, and assigned self-assigned IP instead asking for DHCP
dot1x max-reauth-req 1 => max reauthentication request is 1



Comments are closed