200-301


1
Performance-based question

Network Services and Security

hard

You are connected to R1. Configure AAA with a RADIUS server at 10.0.0.2/30 (key 'cisco123') so that console and VTY login use RADIUS first, then local authentication. Additionally, troubleshoot why an 802.1X-enabled switch port (GigabitEthernet0/1) on R1 is stuck in the unauthorized state. The RADIUS server is reachable but authentication fails. Verify using 'show aaa servers' and 'show dot1x interface GigabitEthernet0/1 details'.

Exhibit

R1# show running-config | section aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
!
radius server RADIUS
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key cisco123
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
R1# show aaa servers
RADIUS: id 1, priority 1, host 10.0.0.2, auth-port 1812, acct-port 1813
 State: current UP, duration 120s, previous duration 0s
 Dead: total time 0s, count 0
R1# show dot1x interface GigabitEthernet0/1 details
Dot1x Info for GigabitEthernet0/1
-------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
PortStatus                = UNAUTHORIZED
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
AuthMethod                = Open
Critical                  = no
Critical Recovery         = no
Guest VLAN                = no
Host Mode                 = Single
Auth-Fail VLAN            = no
Vlan Group                = no
Capability                = n/a
Client Status             = not authenticated
Client Mac                = 0000.0000.0000
Client IP                 = 0.0.0.0
Client Username           = unknown
Client Auth Protocol      = unknown
Client VLAN               = 0
Client Session ID         = 0
Network Topology
[Diagram: R1, interface G0/0, 10.0.0.1/30; RADIUS server]
Cisco IOS Software, Version 15.2(4)M1
Copyright (c) 1986-2012 by Cisco Systems, Inc.