
AAAdot1x Lab Sim

March 3rd, 2017 in Lab Sim, LabSim

Question

Answer and Explanation

 

1) Configure ASW1

Enable AAA on the switch:
ASW1(config)#aaa new-model

The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.

Define the RADIUS server along with its shared secret key:
ASW1(config)#radius-server host 172.120.39.46 key rad123

ASW1(config)#aaa authentication dot1x default group radius
This command causes the RADIUS server defined on the switch to be used for 802.1x authentication.

Globally enable port-based authentication (802.1x) on a switch:
ASW1(config)#dot1x system-auth-control

Configure Fa0/1 to use 802.1x:

ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#dot1x port-control auto
Note that the keyword “auto” forces the connected PC to authenticate through the 802.1x exchange.
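
As an added example (not part of the original lab answer), this Python check audits a saved configuration for the four global commands from step 1 and lists access ports that lack dot1x port-control auto. The sample configuration, the interface FastEthernet0/2 and the function name audit_dot1x are constructed for illustration, and the check assumes the command spellings used on this page.

```python
import re

# Constructed sample running-config (not from the lab); Fa0/2 lacks 802.1x.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 172.120.39.46 key rad123
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
"""

# Global commands from step 1, as regexes matched from the start of a line.
GLOBAL_CHECKS = {
    "aaa new-model": r"aaa new-model$",
    "aaa authentication dot1x": r"aaa authentication dot1x default group radius$",
    "radius-server host": r"radius-server host \S+",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
}

def audit_dot1x(config):
    """Return (missing global commands, access ports without port-control auto)."""
    lines = config.splitlines()
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not any(re.match(pat, line) for line in lines)]
    ports, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:                                   # start of an interface stanza
            current = m.group(1)
            ports[current] = []
        elif line.startswith(" ") and current:  # indented line inside the stanza
            ports[current].append(line.strip())
        else:                                   # "!" or a global line ends it
            current = None
    unprotected = [name for name, body in ports.items()
                   if "switchport mode access" in body
                   and "dot1x port-control auto" not in body]
    return missing, unprotected

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE_CONFIG))
```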

2) Configure DSW1:

Define an access-list:
DSW1(config)#ip access-list standard 10 (syntax: ip access-list {standard | extended} acl-name)
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYACCMAP 10 (syntax: vlan access-map map_name [0-65535] )
DSW1(config-access-map)#match ip address 10 (syntax: match ip address {acl_number | acl_name})
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit

DSW1(config)#vlan access-map MYACCMAP 20
DSW1(config-access-map)#action drop (drop other networks)
DSW1(config-access-map)#exit

Apply a vlan-map into a vlan:
DSW1(config)#vlan filter MYACCMAP vlan-list 20 (syntax: vlan filter mapname vlan-list list)

DSW1#copy running-config startup-config

(Note: Many reports said that copy running-config startup-config didn’t work, but they still got the full mark.)

Note: If the requirement of this sim states “not to use named ACLs”, then you should configure a numbered ACL instead:

DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
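
As an added example (not part of the original lab answer), this Python model evaluates MYACCMAP the way the steps above describe it: sequences are checked in order, ACL 10 matches on source address with a wildcard mask, and an IPv4 packet that matches nothing is dropped. It covers IPv4 only; the function names and the test addresses are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Standard ACL 10 from the lab: (action, base, wildcard), matched on source IP.
ACLS = {"10": [("permit", "172.120.40.0", "0.0.0.255")]}

# MYACCMAP from the lab: (sequence, ACL in the match clause or None, action).
MYACCMAP = [(10, "10", "forward"), (20, None, "drop")]

def acl_permits(acl, src):
    """First matching entry decides; no match is the ACL's implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def vacl_action(access_map, acls, src):
    """Return (sequence, action) for an IPv4 packet with source address src."""
    for seq, acl, action in sorted(access_map, key=lambda entry: entry[0]):
        # A sequence with no match clause matches every packet.
        if acl is None or acl_permits(acls[acl], src):
            return seq, action
    return None, "drop"  # implicit drop at the end of the map

if __name__ == "__main__":
    for src in ("172.120.40.5", "172.120.41.7", "10.0.0.9"):  # constructed
        print(src, vacl_action(MYACCMAP, ACLS, src))
```

Passing MYACCMAP[:1] (sequence 10 only) returns the same drop decision for non-matching sources, with no sequence number because the implicit drop applied.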


Comments
  1. om
    November 9th, 2017

    hi,where can i get lab for vtpv3 and aadot1x

  2. Forgotsomethingdidwe
    November 11th, 2017

    You should really make sure Fa0/1 is configured correctly. Perform a sh run int fa0/1

    You are going to need to do the following:

    conf t
    int fa0/1
    switchport mode access
    switchport access vlan 20
    dot1x port-control auto
    no shut
    end
    copy run start

    Then move on to DSW1

  3. Ron
    November 13th, 2017

    Has anyone actually seen this sim on the test? The blueprint for 300-115 doesn’t even list dot1x.

  4. Anonymous
    November 14th, 2017

    not to use named ACLs
    DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
    DSW1(config)#int vlan 20
    DSW1(config-if)#ip access-group 10 in
    DSW1# copy running-config startup-config

  5. san2427
    November 14th, 2017

    Please share CCNP switching dump email id: san242721 @ gmail dot com

  6. Anonymous
    November 15th, 2017

    Please share CCNP switching dump email id:{email not allowed}

  7. Anonymous
    November 15th, 2017

    Please share CCNP switching dump email id:aaa692004@gmail dot com

  8. ema
    November 15th, 2017

    please I need latest CCNP Switching Dump, I have an exam next week. email id: {email not allowed}

  9. ema
    November 15th, 2017

    please I need latest CCNP Switching Dump, I have an exam next week. email id: abdelmonaim emara93@gmail com

  10. mills
    November 20th, 2017

    hello everyone.

    passed on friday. $12 well spent, certprepare is 100% valid.

    sims: AAAdot1x, lacp and stp, vtp v3.

    https://drive.google.com/drive/folders/18a_pjr8rXD9bGfhwLJjdumh4kn31j_CV?usp=sharing

    all certprepare dumps are in the link above. if you have any question about the exam reach me on mbomat at yahooooooooooooooo dot com.

    see you on the tshoot side of life.

  11. mills
    November 20th, 2017

    finally, the link above won’t be there forever. i do not intend to hurt the feelings of certprepare.

  12. Shayan
    November 22nd, 2017

    Can anyone give me sim of AAA LAB ?

  13. Netmenator
    November 23rd, 2017

    can someone explain the difference between the above answer and the “NUMBERED ACL question” as i can see no difference !!!

  14. Sal
    November 23rd, 2017

    According to the CCNP portable command guide, there is an explicit deny at the end of the map:

    “NOTE:
    VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.”

    Probably the following is not required:

    DSW1(config)#vlan access-map MYACCMAP 20
    DSW1(config-access-map)#action drop (drop other networks)
    DSW1(config-access-map)#exit

  15. Filipino Oink
    November 24th, 2017

    Hi All,

    Is this LAB fill in the blanks??

  16. Mrki
    November 25th, 2017

    Why? ASW1(config)#radius-server host 172.120.39.46 key rad123
    =
    Should be? ASW1(config)#radius-server host 172.120.40.46 key rad123
    =

  17. Anonymous
    November 25th, 2017

    i had this in my exam last week. I failed the test, partly because i did not know this. I did not expect this either. i only took my exam 5 – 8 days ago, so YES this is on the exam

  18. Anonymous
    November 25th, 2017

    this lab is NOT fill in the blank

  19. Steadystate
    November 26th, 2017

    Yes this is on the test. I accidentally used extended ACL but can see standard is sufficient.

  20. Sal
    November 27th, 2017

    Can we use standard (and not extended) ACL for this sim? I see a lot about when to use one or the other. Wouldn’t we just use standard for either case? Or does the test tell you what to use?

  21. Dodger
    November 27th, 2017

    @Sal is correct, sequence 20 of the VACL is not needed as there is an implicit drop at the end of a VACL per the guidelines:

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.pdf

  22. Myth
    November 27th, 2017

    Thank you so much mills

  23. Sal
    November 28th, 2017

    @Dodger. Thanks for the link.
    Looks like it could be used for logging as well. See page 5 of the link you provided:

    Router(config)# vlan access-map ganymede 10
    Router(config-access-map)# match ip address net_10
    Router(config-access-map)# action drop log

  24. Lime
    November 28th, 2017

    @ Dodger, thanks for the link. I believe that the command “action drop” is not necessary due to implicit deny but for the sake of the exam, I think they must include it.

    @ Sal, thanks for the info. I appreciate it a lot!

  25. Not-A-Fool
    November 28th, 2017

    “radius-server host ” doesn’t work in a real router (In 2016, Cisco said that it would be deprecated soon). What version of the IOS is used in the Cisco tests sims?

  26. Not-A-Fool
    November 28th, 2017

    !! NEW COMMAND !!
    radius server A-NAME-FOR-THE-SERVER
    address ipv4 172.120.39.46 auth-port 1812 acct-port 1812
    key rad123

    https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html

  27. Sal
    November 30th, 2017

    The radius-server host command works on my 3560 and 2960. This is the command to be used on the test.

  28. Pipo
    November 30th, 2017

    Can anyone confirm this is the right configuration;
    ASW1(config)#aaa new-model
    ASW1(config)#radius-server host 172.120.40.46 key rad123
    ASW1(config)#aaa authentication dot1x default group radius
    ASW1(config)#dot1x system-auth-control
    ASW1(config)#interface fastEthernet 0/1
    ASW1(config-if)#dot1x port-control auto

    DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255
    DSW1(config)#int vlan 20
    DSW1(config-if)#ip access-group 10 in
    DSW1# copy running-config startup-config

  29. Rizwan
    December 1st, 2017

    Regarding this part
    Note: If the requirement of this sim states that “not to use named ACLs” then you should configure number ACL instead:

    DSW1(config)#access-list 10 permit 172.120.40.0 0.0.0.255

    please guide me that only this command is different or there are changes in mapping acl also? because i failed exam and same thing was mentioned that not to use named acl

    please guide

  30. Fundi
    December 1st, 2017

    Do you know if it can be used the “tab” or “?” in the exam?

  31. Fundi
    December 1st, 2017

    The question above is about the LABS

  32. Not-A-Fool
    December 4th, 2017

    Thanks, Sal!

  33. help
    December 4th, 2017

    can someone explain to me how the VACL works on DSW1 when it’s a layer3 “router” and doesn’t have the vlans configured on it?

  34. addie
    December 9th, 2017

    anybody can tell me how to study this lab, i have exam on 12th this month
    thanks
