Posts

802.1X Port-Based Authentication on Cisco Devices

In this blog post I’m going to describe the configuration commands needed to configure dot1x authentication, as well as the home lab I built to test the basic functionalities of 802.1X port-based authentication with Cisco switches and Cisco ISE. 802.1x Authentication Configuration on Cisco Switches: here is the Cisco switch 802.1x configuration that worked for me in my home lab. Line 131: activates AAA. Lines 134 – 135: defining the Radius server group. Lines 164 – 166: defining the Radius server and the secret key. Line 137: enables AAA dot1x authentication using the default method list, and using the Radius server group defined above. Lines 142 – 150: this is the interface connected to the 802.1x supplicant. I put a generic access-list (default_acl) as a default ACL, in case the dACL feature does not work. 802.1x Port-based authentication home lab topology. Home lab constructs: EVE-NG; IOS images: one router (the image version does not matter), one switch with IOS ...

Cisco ISE Internal Radius Server Configuration for 802.1X

In this article we’ll explore the configuration of Cisco ISE as an internal Radius server: Setting Device Groups; Configuring the network device (the Radius client); Setting internal users; Preparing the Authentication policy; Setting a compound authorization policy; Setting the Allowed Protocols; Setting the downloadable ACL; Setting Authorization Profiles; Setting the Policy Set. Setting Device Groups: go to Administration -> Network Resources -> Network Device Groups. Configuring the network device. Setting internal users: “Employee” is a pre-defined user group. Preparing the Authentication policy: we’ll use the pre-built Wired_802.1X authentication policy, which is enough for what we are going to do. Setting a compound authorization policy: when a Radius client is authenticated, the authorization process is evaluated. Our authorization policy will be compound. Here is a sample one. I did not use the default Wired_802.1x authorization policy because I w...

Configuring Clientless SSL VPN with Cisco ASA

In this lab we are going to configure a clientless SSL VPN using a Cisco ASA firewall. The topology laid out here is based on the suggested lab in the official Cisco training IINS. We are going to build a clientless SSL VPN between Internet-PC and Site1 resources. We’ll configure the whole thing using the Clientless SSL VPN wizard on the ASA. First, from the ASDM software go to Wizards -> VPN Wizards -> Clientless SSL VPN Wizard. The SSL VPN Wizard launches. Click Next. Give a name to your Connection Profile. Under SSL VPN Interface, choose the interface “outside”. Leave the field Certificate set to “None”. Notice that there is the possibility to use a self-signed certificate, but I am not going to demonstrate it here. Give an alias to your Connection Group, then click Next. At this point we must define some credentials. These are the ones the ASA is going to check the inbound connection request against. Similar to the authentication we configured in the past...

How To Emulate Switches

These methods are not guaranteed to emulate 100% of the switching functions. However, they provide more than 90% of the switching features most network engineers need for CCNA/CCNP preparation. There are many options: GNS3 routers with NM-ESW16 modules; GNS3 with Virtual IOS Layer 2; GNS3 with IOU L2 images; Unified Networking Lab. First, read this post to add IOS images. GNS3 routers with NM-ESW16 modules: a router can be equipped with an NM-ESW16 module to fulfill the functions of an EtherSwitch Module. This module provides many layer 2 switch functionalities. The only type of router that supports the NM-16ESW EtherSwitch module and is also supported by GNS3 is the Cisco 3725 router. GNS3 with Virtual IOS Layer 2: Nathan Ash has written a clear tutorial for this. For the RAM value, choose something higher than 380 MB, then click Next. One thing to mention though: make sure to choose the right version of the Qemu binary when you add the vIOS-L2 image. I have a Windows 7 64-bit a...