AAAdot1x Lab Sim
Question
Answer and Explanation
1) Configure ASW1
Enable AAA on the switch:
ASW1(config)#aaa new-model
The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.
Define the RADIUS server along with its shared secret key:
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
This command causes the RADIUS server defined on the switch to be used for 802.1x authentication.
Globally enable port-based authentication (802.1x) on a switch:
ASW1(config)#dot1x system-auth-control
Configure Fa0/1 to use 802.1x:
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#dot1x port-control auto
Notice that the keyword “auto” forces the connected PC to authenticate through the 802.1x exchange.
2) Configure DSW1:
Define an access-list:
DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYACCMAP 10 (syntax: vlan access-map map_name [0-65535] )
DSW1(config-access-map)#match ip address 10 (syntax: match ip address {acl_number | acl_name})
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop (drop other networks)
DSW1(config-access-map)#exit
Note: In fact, there is an implicit “deny all” command at the end of each VLAN access-map so we don’t need to deny other networks. Therefore there is no problem if you don’t enter the “vlan access-map MYACCMAP 20” above.
Apply a vlan-map into a vlan:
DSW1(config)#vlan filter MYACCMAP vlan-list 20 (syntax: vlan filter mapname vlan-list list)
DSW1#copy running-config startup-config
(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)
Note: If the requirement of this sim states “not to use named ACLs”, then instead of the “ip access-list standard 10” commands above, we only need one command to configure a numbered ACL:
DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
“172.120.39.46/24” is the address range of the RADIUS servers used for authentication; it does not need to be in the same range as the host devices (of course, DSW1 must have a route to the RADIUS servers at 172.120.39.46/24).
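The following Python model is an added example, not part of the original lab answer or any Cisco tool. It evaluates the MYACCMAP VLAN access-map against constructed source addresses to show that dropping sequence 20 gives the same result because of the implicit drop. It assumes IPv4 traffic only and standard-ACL (source address) matching; the function names and sample addresses are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def vacl_action(access_map, acls, src):
    """Walk the access-map clauses in sequence order and return the action."""
    for seq in sorted(access_map):
        clause = access_map[seq]
        acl_name = clause.get("match")
        # A clause without a match statement applies to every packet.
        if acl_name is None or acl_permits(acls[acl_name], src):
            return clause["action"]
    # IP traffic that matched no clause is dropped implicitly.
    return "drop"

# access-list 10 and vlan access-map MYACCMAP as configured on DSW1
ACLS = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}
MYACCMAP = {10: {"match": "10", "action": "forward"}, 20: {"action": "drop"}}
# Same map without the optional sequence 20
MYACCMAP_NO_20 = {10: {"match": "10", "action": "forward"}}

# Constructed sample source addresses seen in VLAN 20
SAMPLE_SOURCES = ["172.120.40.1", "172.120.40.254", "172.120.41.5", "10.0.0.7"]

def compare():
    """Return (source, action with seq 20, action without seq 20) tuples."""
    return [(s, vacl_action(MYACCMAP, ACLS, s),
             vacl_action(MYACCMAP_NO_20, ACLS, s)) for s in SAMPLE_SOURCES]

if __name__ == "__main__":
    for src, with_20, without_20 in compare():
        print(f"{src:16} with seq 20: {with_20:8} without seq 20: {without_20}")
```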
Thank you guys, I just passed the CCNP 300-115
Hi Anonymous,
Congratulations. Could you please let me know which dump you studied for the CCNP 300-115? Is it possible to email me that dump? Thanks in advance …
shakil_euroatyahoo.com
Hi, Can anyone please send me the dumps for 300-115 at waqa1975@gmail dot com. Regards
Does this sim continue appearing in the exam?