Saturday 24 December 2011

AAAdot1x Lab

Acme is a small shipping company that has an existing enterprise network comprised of 2 switches: DSW1 and ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
- Users connecting to ASW1's port must be authenticated before they are given access to the network.
- Authentication is to be done via a Radius server:
- Radius server host: 172.120.39.46
- Radius key: rad123
- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
Explanation:
The configuration:
Step 1: Console to ASW1 from PC console 1 (802.1X is applied on the access switch, the closest device to the host)
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start

Step 2: Console to DSW1 from PC console 2 (the VACL is applied on the distribution switch, the closest device to the server farm)
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start
Sequence 10 forwards only packets that ACL 10 permits (sources in 172.120.40.0/24). Sequence 20 has no match clause, so it catches every other packet and drops it; note that a VLAN access-map also drops anything no sequence matches, so sequence 20 makes that default explicit.
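As an added example (not from the original post), the following Python model reproduces how the DSW1 VACL above evaluates a packet's source address: Cisco wildcard-mask matching for ACL 10, sequence-ordered evaluation of the access-map, a match-less sequence catching everything, and the implicit drop when no sequence matches. The access-map without sequence 20 is a constructed variant included only to show that the implicit drop gives the same result.

```python
# Added example, not the lab's own code: a model of the VACL on DSW1.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# ACL 10 as configured on DSW1: one permit line (plus the implicit deny).
ACL_10 = [("permit", "172.120.40.0", "0.0.0.255")]


def acl_permits(acl, addr: str) -> bool:
    """A VACL 'match ip address' clause matches only what the ACL permits."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


# vlan access-map PASS: (sequence, ACL for the match clause or None, action)
ACCESS_MAP_PASS = [
    (10, ACL_10, "forward"),
    (20, None, "drop"),  # no match clause: matches all remaining traffic
]

# Constructed variant: same map with sequence 20 omitted.
ACCESS_MAP_NO_SEQ20 = [(10, ACL_10, "forward")]


def vacl_action(access_map, src_ip: str) -> str:
    """Return the action the VACL applies to a packet with this source IP."""
    for _seq, acl, action in access_map:
        if acl is None or acl_permits(acl, src_ip):
            return action
    return "drop"  # nothing matched: a VLAN access-map drops by default


if __name__ == "__main__":
    # Constructed sample sources: one inside 172.120.40.0/24, two outside.
    for ip in ("172.120.40.17", "172.120.41.9", "10.0.0.5"):
        print(f"{ip:>15} -> {vacl_action(ACCESS_MAP_PASS, ip)}")
```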

4 comments:

  1. Hi, how are you doing?
    I was searching for that and I found your blog, which provides the solution to that problem in a simple way. I am working on Knowledge Games so that I can also help different people gain knowledge by games.
  2. Hello Sohel,
    Thanks for providing that information. You just provide the answer in just simple way, I like your way of communication.
    best seo services

  3. I read the different articles which you have on your blog and I really like the theme of your blog, which is simple and easy to understand. Your way of explaining things is just awesome.
    123movies
  4. The Radius server and utility servers might be installed at a future date. watch online movies
    You've got been tasked with imposing the above entry manipulate as a pre-situation to installing the servers. You must use the on hand IOS swap aspects.
