put port into a different vlan if 802.1x fails

Post by kdh »

Hello,

So I have a bunch of new 2360s that are going to replace old Ciscos in some agencies.

I'd like to set up RADIUS authentication. The first goal was to block the port upon failure, which seems to work, but the end goal would be to put the port in a guest VLAN if it fails.

So far my config is the following (and I'd appreciate someone double-checking this if possible). That's for goal 1:

-> show configuration snapshot
! Chassis:
system name "OS2360"

! Configuration:
configuration error-file-limit 2


! VLAN:
vlan 1 admin-state enable
vlan 1 name "DATA"
vlan 999 admin-state enable
vlan 999 name "BADUSER"

! Spanning Tree:
spantree mode flat
spantree vlan 1 admin-state enable
spantree vlan 999 admin-state enable

! DA-UNP:
unp profile "radius"
unp profile "unp-DATA"
unp profile "unp-BADUSER"
unp profile "unp-DATA" map vlan 1
unp profile "unp-BADUSER" map vlan 999
unp port-template port-tl-radius redirect-port-bounce direction in aaa-profile "aaa-prof-radius" default-profile "unp-DATA" classification ap-mode admin-state enable
unp port-template port-tl-radius 802.1x-authentication
unp port 1/1/1-3 port-type bridge
unp port 1/1/1-3 port-template port-tl-radius



! AAA:
aaa radius-server "NPS" host x.x.x.x hash-key "xxxxxxxxxxxxxx" hash-salt "xxxxxxxxxxxxxxx" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa authentication console "local"
aaa authentication http "local"
aaa authentication ssh "local"

aaa device-authentication 802.1x "NPS"
aaa profile "aaa-prof-radius"
aaa profile "aaa-prof-radius" device-authentication 802.1x "NPS"
aaa profile "aaa-prof-radius" 802.1x re-authentication interval 7200


Thanks in advance!