WIRED 802.1X NOTES
(By Minh Dang CCIEx2 11897(R&S, Wireless), Jan 2019)
Some notes during the testing of Wired 802.1X.
- Switch configuration
- Define AAA methods, AAA server
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo periodic 2880
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
client 10.215.26.50 server-key Vnpro123   <-- Cisco ISE radius
!
aaa session-id common
- Turn on IP device tracking so the switch can recognize when the PC client changes its IP address.
ip device tracking probe count 30
ip device tracking probe delay 10
ip device tracking
!
1.3 Define attributes that the switch will send to ISE radius server
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host 10.215.26.50 auth-port 1812 acct-port 1813 key vnpro123
radius-server retry method reorder
radius-server retransmit 1
radius-server timeout 3
radius-server key 7 vnpro123
radius-server vsa send accounting
radius-server vsa send authentication
1.4 Configure specific port for 802.1X authentication. In the config below, port G1/0/19 was used.
!
interface GigabitEthernet1/0/19
description OfficePort#16-MinhDang'sOffice
switchport mode access
switchport nonegotiate
switchport voice vlan 2
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
With older switches, we can apply the configuration below.
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SW33
!
aaa new-model
!
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/1
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
!
!
interface Vlan1
ip address dhcp
!
interface Vlan10
no ip address
!
radius-server host 10.215.26.50 auth-port 1645 acct-port 1646
radius-server key VnPro123
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
!
end
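The two switch configurations above are easy to get subtly wrong: the port must be in 802.1X authenticator mode, the global dot1x process must be enabled, and several valid lines (open mode, critical auth, MAB-first order) deliberately loosen enforcement. As an added example that is not part of the original notes, the Python below parses a running-config in the same format as the configs above and reports those points; the sample config is constructed from the notes' own lines, and the finding texts are my own.

```python
import re
# Constructed from the notes' configs (global lines + port G1/0/19); 'dot1x system-auth-control' is absent.
SAMPLE = """\
aaa authentication dot1x default group radius
!
interface GigabitEthernet1/0/19
 authentication event server dead action authorize vlan 1
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 dot1x pae authenticator
!
interface Vlan1
 ip address dhcp
"""
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator")
# Valid lines that relax enforcement; each should be a conscious decision.
PORT_RELAXED = {
    "authentication open": "open (monitor) mode: traffic is forwarded before authentication",
    "authentication event server dead action authorize": "critical auth: port authorized while RADIUS is unreachable",
    "authentication order mab": "MAB (MAC-based) is tried before 802.1X and is the weaker method",
}
def split_interfaces(config):
    # Return {interface_name: [stripped indented lines]} per 'interface' stanza.
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current, stanzas[m.group(1)] = m.group(1), []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit(config):
    # Return [(scope, finding)] for the switch globals and each 802.1X/MAB port.
    findings = []
    if not re.search(r"^dot1x system-auth-control\s*$", config, re.M):
        findings.append(("global", "missing 'dot1x system-auth-control': 802.1X is off switch-wide"))
    for name, lines in split_interfaces(config).items():
        if not any(l.startswith(("authentication ", "dot1x ", "mab")) for l in lines):
            continue  # no 802.1X/MAB commands: not a port we need to check
        for req in PORT_REQUIRED:
            if req not in lines:
                findings.append((name, f"missing '{req}'"))
        for prefix, why in PORT_RELAXED.items():
            if any(l.startswith(prefix) for l in lines):
                findings.append((name, why))
    return findings
```

Running `audit(SAMPLE)` on the constructed config reports the missing global command plus the three relaxing lines on G1/0/19, and skips Vlan1 because it carries no 802.1X commands.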
- Endpoint configuration
- Cisco AnyConnect 4.6
- Windows
Windows 10:
- Click the search bar at the bottom left of the screen and type "Services". Select the Services application that pops up.
- Scroll down the list, find Wired AutoConfig and double-click it. In the box that pops up, make sure Startup Type is set to Automatic. If the service status is not Running, click Start. Click Apply if you made any changes, then click OK and close the Services application.
- At the bottom right corner of the screen, click the Internet connection icon. In the box that pops up on the right, click Network & Internet Settings. In the Settings screen, click Change Adapter Options.
- In the window that pops up, right-click "Ethernet" or "Local Area Connection" (it may say one or the other) and click Properties. At the top of the Ethernet Properties box, click the Authentication tab and make sure "Enable IEEE 802.1x authentication" is checked.
- Click Additional Settings. In the Additional Settings screen, make sure "Specify Authentication Mode" is checked, and from the drop-down right below it select "User or computer authentication". Click Save credentials, type in your myPlymouth username and password, then click Save.
- Click OK on each of the windows you opened until they are all closed. You may need to unplug and replug your Ethernet cable, and possibly restart your computer, for the network to connect.
- ISE configuration
3.1 Add the Cisco switch as a RADIUS client. Put these switches in the group Switch; this makes writing the wired 802.1X policy easier.
3.2 In the network device entry, configure the shared secret between the ISE RADIUS server and the switch.
3.3. Create new policy for WIRED802.1X in ISE
In the newly created policy, the condition that calls the policy is the ISE RADIUS server receiving authentication requests from the switches. The three authentication protocols used in this example are EAP, PEAP and MAB. Note that several separate policies are already in place for VPN and wireless LAN.
In the authentication policy, use Active Directory as the authentication source.
In the authorization policy, set the rule as follows. For now, the result is just Permit Access. In a more complex setting, we can do more, such as assigning a VLAN to a user or pushing an ACL to a user profile.
- Test and verify
User Minh matched the policy WIREDOT1X in ISE. The user Minh belongs to the group 'domain users'.
User Minh showed up in the StealthWatch dashboard. After the user authenticated with wired 802.1X through ISE, ISE sent his session information to StealthWatch.