고정 헤더 영역
상세 컨텐츠
본문
The last part is to configure all windows clients to send 802.1x auth data to the cable network. I’ve done this via a global group policy. You can find the settings under Computer Configuration / Policies / Windows Settings / Security Settings / Wired Network (IEEE 802.3) Policies.
- Aruba ClearPass 802.1X Wired with MAC-AUTH - Part1. Aruba ClearPass Workshop - Wired #1 - Wired 802.1X with ArubaOS switch - Duration. How To Configure Mac Authentication with Aruba Iap.
- 802.1x is for authenticating MACHINES without depending on changable MAC addresses. Using 802.1x a machine first talks to the switch authenticates itself using a certificate and if the machine presented data is acceptable the switch opens up the port with a set configuration.(might depend on the data presented).
Huawei Global -. AFRICA. South Africa-. Morocco- LATIN AMERICA.
Brazil -. Mexico - MIDDLE EAST. Saudi Arabia -,. United Arab Emirates -.
ASIA PACIFIC. Australia -. China -. Hong Kong, China -. India -.
Japan -. Korea -. Kazakstan -. Malaysia -. New Zealand -. Philippines -.
Singapore -. Indonesia-.
Thailand -. Turkey - NORTH AMERICA. Canada-. United States -.
EUROPE. Austria -. Belgium -,.
France -. Germany -.
Italy -. Poland -. Sweden-. Russia -. Spain -. Switzerland -. United Kingdom.
802.1X Authentication Overview 802.1X is a port-based network access control protocol and 802.1X authentication is one of NAC authentication modes. 802.1X authentication ensures security of enterprise intranets. 802.1X authentication ensures high security; however, it requires that 802.1X client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication modes have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security. As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.
Configuration Notes. The Cisco Identity Services Engine (ISE) in 2.0.0.306 functions as the RADIUS server in this example.
Currently, the device supports CHAP, PAP, EAP-PEAP, EAP-FAST, EAP-TLS, and EAP-MD5 authentication modes for 802.1X clients. The RADIUS authentication and accounting shared keys on the switch must be the same as those on the ISE. By default, the switch allows the packets from RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch. This example applies to all of the S series switches. Networking Requirements Enterprises have high requirements on network security. To prevent unauthorized access and protect information security, an enterprise requests users to pass identity authentication and security check before they access the enterprise network.
Only authorized users are allowed to access the enterprise network. To reduce network reconstruction investment, you are advised to configure the 802.1X authentication function on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode. System-view HUAWEI sysname SwitchA SwitchA vlan batch 100 200 SwitchA interface gigabitethernet 0/0/1 //Configure the interface connected to SwitchC. SwitchA-GigabitEthernet 0/0/1 port link-type trunk SwitchA-GigabitEthernet 0/0/1 port trunk allow-pass vlan 200 SwitchA-GigabitEthernet 0/0/1 quit SwitchA interface gigabitethernet 0/0/2 //Configure the interface connected to SwitchD. SwitchA-GigabitEthernet 0/0/2 port link-type trunk SwitchA-GigabitEthernet 0/0/2 port trunk allow-pass vlan 200 SwitchA-GigabitEthernet 0/0/2 quit SwitchA interface gigabitethernet 0/0/6 //Configure the interface connected to the server. SwitchA-GigabitEthernet 0/0/6 port link-type trunk SwitchA-GigabitEthernet 0/0/6 port trunk allow-pass vlan 100 SwitchA-GigabitEthernet 0/0/6 quit SwitchA interface vlanif 100 SwitchA-Vlanif100 ip address 192.168.10.10 24 //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to ISE.
SwitchA-Vlanif100 quit SwitchA interface vlanif 200 SwitchA-Vlanif200 ip address 192.168.200.1 24 //Configure the gateway address for terminal users. SwitchA-Vlanif200 quit SwitchA ip route-static 192.168.100.0 255.255.255.0 192.168.10.11 //Configure a route to the network segment where the pre-authentication domain resides. Imaging the next hop address is 192.168.10.11. SwitchA ip route-static 192.168.102.0 255.255.255.0 192.168.10.11 //Configure a route to the network segment where the post-authentication domain resides. Imaging the next hop address is 192.168.10.11. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain. # Enable 802.1X authentication on GE 0/0/1 and GE 0/0/2.
SwitchA interface gigabitethernet 0/0/1 SwitchA-Gigabitethernet 0/0/1 authentication dot1x //Configure 802.1X authentication. SwitchA-Gigabitethernet 0/0/1 quit SwitchA interface gigabitethernet 0/0/2 SwitchA-Gigabitethernet 0/0/2 authentication dot1x //Configure 802.1X authentication. SwitchA-Gigabitethernet 0/0/2 quit. Configure ACL 3002 for the post-authentication domain. SwitchA acl 3002 SwitchA-acl-adv-3002 description 3002.in //After the Filter-ID is selected on the ISE, the authorization ACL automatically carries the suffix.in. You must set the ACL description to xxx.in on the switch.
SwitchA-acl-adv-3002 rule 1 permit ip destination 192.168.102.100 0 SwitchA-acl-adv-3002 rule 2 deny ip destination any SwitchA-acl-adv-3002 quit. Configure the access switches.
Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC. # Configure the interface connected to users as an access interface and add the interface to VLAN 200.
SwitchC interface gigabitethernet 0/0/1 SwitchC-GigabitEthernet0/0/1 port link-type access SwitchC-GigabitEthernet0/0/1 port default vlan 200 SwitchC-GigabitEthernet0/0/1 quit SwitchC interface gigabitethernet 0/0/2 SwitchC-GigabitEthernet0/0/2 port link-type access SwitchC-GigabitEthernet0/0/2 port default vlan 200 SwitchC-GigabitEthernet0/0/2 quit # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200. SwitchC interface gigabitethernet 0/0/3 SwitchC-GigabitEthernet0/0/3 port link-type trunk SwitchC-GigabitEthernet0/0/3 port trunk allow-pass vlan 200 SwitchC-GigabitEthernet0/0/3 quit.
Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC. In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.
Method 1: The S5720EI, S5720HI, and S6720EI do not support this method. Address Format Description In the address, ISE-IP indicates the ISE address.
Enter the configured user name and password to log in to the Cisco ISE. Create a department and account. Choose Administration Identity Management Groups. In the navigation area on the left, choose User Identity Groups.
Click the Add tab in the operation area on the right, and add the department RD. Choose Administration Identity Management Identities. In the navigation area on the left, choose Users. Click the Add tab in the operation area on the right, create an account A-123 with the password Huawei123, and add user A to the RD department.
Add a switch to the ISE and configure related parameters to ensure normal communication between the ISE and switch. In the top navigation area, choose Administration Network Resources Network Device Profiles, click the Add tab.
Create the access device profile HUAWEI, set Vendor to Other, and select RADIUS under Supported Protocols. Configure Authentication/Authorization, and Permisssions according to the following figures. After completing the configuration, click Submit.
Choose Administration Network Resources Network Devices. Click Add in the operation area on the right, add the access device SwitchA, and configure parameters of SwitchA according to the following table. After completing the configuration, click Submit. The ISE provides the default authentication protocol profile Default Network Access. If the profile meets actual requirements, you do not need to create a profile. Create the protocol profile Authentication for user authentication. Select proper authentication protocols based on actual requirements.
After completing the configuration, click Submit. Configure the authentication policy.
How To Configure Wired 802.1x For Mac Windows 10
Choose Policy Authentication. Authentication policies are classified into simple and rule-based authentication policies. A simple authentication policy is used in this example. Click the Network Access Service drop-down list box. The Network Access Services dialog box is displayed.
Click Allowed Protocols and choose Authentication. Add an authorization rule. In the top navigation area, choose Policy Authorization. Click the triangle next to the first authentication policy and choose Insert New Rule Above.
Add an authorization result and bind an authorization rule to the authorization result. Click the Save tab on the right. Verify the configuration. An employee can only access the ISE before passing the authentication. After passing the authentication, the employee can access resources in the post-authentication domain. After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.
In / by I first learned about 802.1X when I was studying for one of the CCNP exams, the BCMSN exam ( equivalent), at Ohlone College. At the time, I assumed that the short material covered in the book was all of it. Of course, that was a bad assumption in my part.
That’s probably a normal assumption of someone who at the time just finished Cisco Network Academy Program CCNA 1 to 4 and newly minted CCNA with no professional experience. What is 802.1X? Essentially, 802.1X is a security feature that provides a mechanism to authenticate devices before it can access network resources. While it’s a good idea to have this security feature implemented, I’ve worked for companies who didn’t have this feature or similar implemented or it’s on their roadmap.
It’s a shame that it wasn’t on their roadmap a long time ago since it was ratified in 2001. Then again, implementing technologies have its challenges. How it works?
Image from Wikipedia While there are other sources that will explain this in detail, this post includes a very short description on how it works. Basically, when a device connects to the wired network, the authenticator (switch) will send an EAP message to the supplicant (computer). If the computer has a supplicant, it will send an EAP response to the authenticator.
The authenticator will then send a RADIUS message to the authentication server (RADIUS server). The authentication server will then challenge the supplicant to verify its identity. Once verified, the device will then be able to connect to organization’s network resources. Environment Every organization has their own unique implementation of technologies, so gather what you can and go from there. For example, in this scenario the requirements were to have two sets of RADIUS servers: one for switch-based authentication and the other for port-based authentication. This seems to be an uncommon setup so it required some research to split the two sets of RADIUS servers.
My initial assumption was that it wasn’t possible. That assumption is only correct in older code, but with IOS 15.x the feature is supported. This is a multivendor organization so LLDP is used instead of CDP, which is disabled globally by default due to the switch template configuration. A lot of users are using Apple notebooks and/or desktops and most of these users are running VMware Fusion to run Windows and/or Linux. IP phones are ubiquitous so this requires a great deal of attention. If my memory serves me right, the 802.1X topic in BCMSN didn’t cover how to implement it with IP phones so Cisco’s documentation and Google were my friend during my research. A lot of devices do not have supplicant and there are instances where PXE boot is needed.
In addition, there were some locations that need WoL (Wake on LAN) feature so that needs an attention as well. Configuration As mentioned earlier, the requirement is to have two separate RADIUS servers for both switch-based and port-based authentication. That said, let’s take a look on how to do this.
But first, let me show you how it was done prior to IOS 15.x code. This command still works in 15.0(2), but you’ll receive a warning saying that it will soon be deprecated.
Dot1x system - auth - control Configure switch ports Next step is to configure each switch port that will use 802.1X. This command will automatically include dot1x pae authenticator in the running configuration so don’t be alarmed if you see it there. This is to ensure that dot1x authentication still works on legacy configurations without manual intervention.
NOTE: It seems to be that the IOS that I was using automatically included the dot1x pae authenticator command. That said, please make sure to add the command if you do not see it. Dot1x pae authenticator In the IOS 12.x, this would’ve been a different command.
The command in the old world is dot1x port - control auto. Technically, the commands above are all we need to configure for the 802.1X to work. However, the environment in this scenario requires more things from us that we still need to address.
VoIP phones Let’s address the IP phones first since it’s ubiquitous within the enterprise environment. By default, the interfaces are set to be single-host mode. This means only one MAC is allowed in the data VLAN. This mode technically allows another MAC address but on the voice VLAN and only if CDP is supported.
Since CDP is disabled on all of the switches deployed in this scenario, this needs to be enabled. I included the single-host mode command below since it won’t show up in the running configuration because it is the default configuration. Authentication host - mode single - host While this configuration works, there are few things that we need to keep in mind. The single-host mode means only single MAC can be authenticated on a switch port.
If a different MAC address is detected on a port after an endpoint has authenticated then a security violation is triggered on the port. This will cause the port to be in errdisabled state and will require a manual intervention unless errdisable recovery is configured. Since the computers are daisy chained on the back of the Cisco phones, there are technically two MAC addresses that will be seen on the port. As mentioned earlier, the single-host mode ignores the MAC address seen in the voice VLAN so this should work. It does work, however, once you shut the port down and enable it again, and phone or switch reboots, the switch port will see two MAC addresses on the data VLAN.
Now, you’re probably wondering why would the switch see two MAC addresses in the data VLAN when the IP Phone should only show up in the voice VLAN especially when the boot process is described in books like. But, I’ve seen this happened in all three organizations I’ve worked for where the phone’s MAC address shows up in both data and voice VLAN, as shown below. If you do a quick search, you’ll see more people are seeing the same thing so it appears that this is the default behavior. Authentication host - mode multi - domain MDA vs Multi-Auth Multi-domain authentication (MDA) allows one MAC address on both data and voice VLAN. It is kind of similar with the single-host mode but this mode requires the device in the voice VLAN to authenticate. Initial testing looks like it’s working as expected.
I didn’t see the same behavior where the phone’s MAC address shows up on both VLANs when I bounced the port. MDA does not address the fact that the environment in our scenario will have users running VMware Fusion on their computer(s). When the user configures the VM with a network type of bridged mode, which means the switch will see two MAC addresses, then that will result in a security violation. This needs to be addressed so there has to be another mode that we could use. Fortunately, there is and it is called multiple authentication.
Authentication host - mode multi - auth The difference between MDA and multiple authentication is that it allows multiple MAC addresses in the data VLAN, however, all devices must be authenticated to access the network resources. As mentioned, there is a way to automatically recover from a security violation, by default it is set to five minutes. Before I show you the command for it, let’s think about the fact that the port will be in the errdisabled state once a security violation occurs. That means, the phones will be out of commission too. This is going to be frustrating for the users so we need to find a solution that only errdisable the VLAN where the security violation occurred. Fortunately, the switch has the voice aware 802.1X security feature and is shown below with the errdisable recovery. Errdisable recovery cause security - violation MAC Authentication Bypass The devices that do not support 802.1X feature still needs to access network resources so we need to find a way to let them in without disabling the port-based authentication where these devices are connected to.
Cisco supports fallback mechanisms when a device fails to authenticate using 802.1X. A great option for devices that do not support 802.1X is the MAC Authentication Bypass (MAB). With MAB, the MAC address is entered to the RADIUS server and when the device fails to authenticate using the 802.1X then the switch will fallback to MAB. The switch will then forward a message, with the MAC address of the device, to the RADIUS server.
RADIUS server will then check its database to see if the MAC address is in its list. If it is, then the RADIUS server will signal the switch to allow access to the network. To enable MAB, issue the command below. Dot1x mac - auth - bypass While this fallback mechanism works, Cisco Catalyst switches have default values which delays the transition of a non-802.1X compliant from unauthorized to authenticated for 90 seconds. This might cause some issues with DHCP or PXE clients so it is recommended to tweak the default values to make it faster for the non-802.1X compliant devices to access network resources. The 90 seconds is the combination of the dot1x max - reauth - req and dot1x timeout tx - period values. The default value for the former is two and the latter is 30 seconds.
Multiply both values and the result is 60 seconds. You’re probably thinking where’s the other 30 out of the 90 seconds? Well, that was the initial request for the device to authenticate and when it fails the switch will then send a request. It would keep sending up to the configured max-reauth-req values when there’s no response from the device. It is recommended to test what’s best for your network since there are really no recommended values. For our scenario, let’s configure them with a value of one and 10 seconds.
Dot1x timeout tx - period timer 10 The last thing that we need to address is the WoL feature that some people use in the environment. By default, traffic through the unauthorized port is blocked in both directions and the magic packet, WoL packet sent by the server, never gets to the sleeping computer.
To support the WoL feature in 802.1X environment, we’ll need to configure the switch to allow outbound traffic to the unauthorized port but still control the incoming traffic. The command to do this is shown below.
Authentication control - direction in Other considerations Not every scenario is covered here so I recommend you to read Cisco’s configuration and deployment guide about 802.1X. For example, what if all RADIUS servers that handles the port-based authentication are unreachable? That would mean, unauthorized ports trying to move to authenticated ports will not work. Configuring critical VLAN both for data and voice may be necessary for this environment. For partners’ devices, how would you like to handle their access to network resources?
Would you allow them by implementing a Guest VLAN feature? If you opt for using EAP-TLS, how would you manage the deployment of the certificates to all devices including mobile? This might frustrate users and may also overwhelm the desktop support staff if not handled properly. What if your organization use non-Cisco phones?
What will happen to the devices behind the phones once it gets authenticated and gets removed from the port? Does it support EAPoL Logoff/Proxy EAPoL Logoff? This is not an issue with Cisco phones with CDP since it supports CDP Enhancement for Second Port Disconnect.
With this feature, when the user disconnects from the phone’s port, the phone will signal the Catalyst switch to move the data VLAN from authenticated to unauthorized state. How do you want to authenticate the phones? Do you want to use EAP-MD5, MIC (Manufacturer Installed Certificate), or LSC (Locally Significant Certificate)? If you do allow MAB fallback mechanism, how do you combat the possibility of unauthorized users spoofing MAC addresses that are in your RADIUS’s MAC address database? If the organization is big enough, how do you manage adding MAC addresses to the database? How do you maintain the database properly without leaving temporary entries? Thoughts Deploying 802.1X definitely has its challenges.
This could be the reason why some organizations choose to not have some type of port-based authentication because of it may affect the availability of network resources. When it comes to deployment, I believe proper planning and testing is needed to make it a smooth deployment. Few things that could be used to make it a smooth deployment are the following: monitor mode, low impact mode, and closed mode, which is covered in this Cisco Live!.
Some might just opt for the lab testing then move to pilot phase, which is doable in my opinion. References Disclosure NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.
