Saturday, February 22, 2020

AAA Configuration on Cisco Switch

In this lesson we will take a look at how to configure a Cisco Catalyst Switch to use AAA and 802.1X for port-based authentication. If you have no idea what AAA (Authentication, Authorization and Accounting) or 802.1X are about then you should look at my AAA and 802.1X Introduction first. Having said that, let’s look at the configuration. I will use the following topology:
[Topology image: aaa cisco switch elektron radius]
I will show you an example of 802.1X with a RADIUS server. I am going to use Elektron RADIUS server as the authentication server because it’s easy to install and has a nice GUI.

RADIUS Server Configuration

[Image: Elektron Radius Wizard]
Using a RADIUS server like Elektron saves you the hassle of installing Windows Server, configuring Active Directory and ticking many checkboxes, or of messing around with FreeRADIUS on Linux. When you configure a RADIUS server you will need to create a shared secret, the password that the switch and the RADIUS server use to protect and authenticate the RADIUS messages between them:
[Image: Elektron Radius Server]
I’m going to use “radiuspass” to keep things simple. Hit Next and you will see this:
[Image: Elektron Digital Certificate]
There are different methods for authentication, for example:
  • Only username and password.
  • Username, password and a digital certificate on the server.
  • Username, password, digital certificate on the server AND on the clients.
In a production network you might already have a certificate authority within your network. I don’t care about certificates for this demonstration but we’ll generate them anyway in case you want to play with them sometime in the future. The next steps will let you configure a name for your RADIUS server and if you want the digital certificate, you will get some questions about it. Once you are done you will be in the main screen of Elektron:
[Image: Elektron Main Screen]
By default everything should work out of the box so we don’t have to touch anything. Let’s start and add a user account:
[Image: Elektron Accounts]
I want to create a new user account. Click on authentication, Elektron accounts and then on the big green plus symbol in the menu.
[Image: Elektron Add User Account]
My new user account will be for Alice. Her password will be “safe” and I don’t need her to be a member of any groups. Click on OK.
[Image: Elektron Authentication Domains]
By default Elektron will check Windows usernames instead of its own database. We need to configure it so the local database is used. Click on “Authentication Domains” and then on “Default Authentication Domain”.
[Image: Elektron Accounts Authentication]
Change it to “Elektron Accounts” and click on OK. That’s all you have to do on the Elektron RADIUS server, we’ll look at the switch now!

Switch Configuration

First I need to make sure SW1 and the Elektron RADIUS server can reach each other. We’ll use the management interface (VLAN 1) and configure an IP address on it:
SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.100 255.255.255.0
Now we should enable AAA:
SW1(config)#aaa new-model
This is an important command. Use aaa new-model to unlock all the different AAA commands that we need. Let’s configure the RADIUS server:
SW1(config)#radius-server host 192.168.1.101 auth-port 1812 acct-port 1646 key radiuspass
We configure SW1 with the IP address of the Elektron RADIUS server. I also have to specify here the shared secret “radiuspass” that I configured previously; if the key on the switch does not match the key on the server, every authentication will fail. Make sure the port numbers match what the RADIUS server listens on: 1812 is the standard RADIUS authentication port, 1645 the legacy one.
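To show what the shared secret actually does on the wire, here is an added Python example (not from this lesson, and not Cisco or Elektron code) that models the RFC 2865 Access-Request / Access-Accept exchange between a NAS such as SW1 and the RADIUS server. It simplifies in two ways, both labelled in the code: it uses the PAP-style User-Password hiding of RFC 2865 rather than the EAP/PEAP messages that 802.1X really carries, and a constructed in-memory dictionary stands in for the Elektron account store. The secret “radiuspass” and the user Alice with password “safe” are the values from the lesson.

```python
import hashlib
import hmac
import os
import struct

# Values taken from the lesson; a real NAS loads the secret from its configuration.
SHARED_SECRET = b"radiuspass"
# Constructed stand-in for the "Elektron Accounts" user store.
USER_DB = {"Alice": "safe"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a party holding the same secret gets the cleartext back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet, secret):
    """Server side: unhide the password, check it against the user store, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD)
    ok = (hidden is not None and username in USER_DB and
          hmac.compare_digest(USER_DB[username].encode(), reveal_password(hidden, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + reply attributes (none here) + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_reply(reply, request, secret):
    """NAS side: verify the Response Authenticator before trusting the verdict.
    Returns the reply code, or None if the reply is malformed or was not signed with our secret."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def demo():
    """Three exchanges: good credentials, wrong password, and a server holding a different secret."""
    results = {}
    req = build_access_request("Alice", "safe", SHARED_SECRET, ident=7)
    results["good"] = client_check_reply(server_handle(req, SHARED_SECRET), req, SHARED_SECRET)
    bad = build_access_request("Alice", "wrong", SHARED_SECRET, ident=8)
    results["bad_password"] = client_check_reply(server_handle(bad, SHARED_SECRET), bad, SHARED_SECRET)
    results["secret_mismatch"] = client_check_reply(server_handle(req, b"notradiuspass"), req, SHARED_SECRET)
    return results


if __name__ == "__main__":
    print(demo())  # {'good': 2, 'bad_password': 3, 'secret_mismatch': None}
```

The third exchange is the failure mode you hit when the key on the switch and the key on the server differ: the server unhides garbage instead of “safe” and answers Access-Reject, and the NAS discards even that reply because the Response Authenticator does not verify under its own secret. From the switch you only see authentication failing, so checking the key first saves a lot of debugging time.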
SW1(config)#aaa authentication dot1x default group radius
This is how we configure SW1 to use the RADIUS server for authentication on 802.1X-enabled interfaces. You can create multiple groups with RADIUS servers if you want. Besides 802.1X you can use AAA for many things:
SW1(config)#aaa authentication ?                   
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
For example:
  • Privileged mode (enable): Instead of using an enable password/secret on your device, your credentials will be checked at the authentication server.
  • Login: You can also check credentials for telnet or SSH access.
Our last step on the switch is to enable 802.1X on the interface that connects to the computer:
SW1(config)#dot1x system-auth-control 
SW1(config)#interface fa0/1
SW1(config-if)#dot1x port-control auto
We need to use the dot1x system-auth-control command globally before 802.1X works. On the interface level we need to use the dot1x port-control auto command.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
After typing in those 802.1X commands you’ll see that the interface to H1 goes down; it stays that way until the client has authenticated. It’s time for some authentication! I will use Windows XP as an example for the client.
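The switch side of this lesson boils down to four global commands plus one per access port, and it is easy to forget one of them on a real switch with dozens of ports. Below is an added Python example (my own code, not from the lesson or from Cisco) that audits a saved running-config for exactly those commands. The configuration text inside it is constructed from the commands in this lesson, with FastEthernet0/2 deliberately left without 802.1X so the audit has something to report.

```python
import re

# Constructed sample running-config, modelled on the commands used in this lesson.
# FastEthernet0/2 is deliberately left without 802.1X so the audit has something to report.
SAMPLE_CONFIG = """\
hostname SW1
!
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
!
radius-server host 192.168.1.101 auth-port 1812 acct-port 1646 key radiuspass
"""

# Global commands the lesson requires, as anchored regexes over whole config lines.
GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication dot1x default group radius": r"^aaa authentication dot1x default group radius",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
    "radius-server host": r"^radius-server host \S+",
}


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from the indented interface blocks."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def audit_8021x(config, access_ports):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for cmd, pattern in GLOBAL_REQUIRED.items():
        if not re.search(pattern, config, re.M):
            findings.append(f"global: missing '{cmd}'")
    ifaces = parse_interfaces(config)
    for port in access_ports:
        if "dot1x port-control auto" not in ifaces.get(port, []):
            findings.append(f"{port}: 802.1X not enforced (no 'dot1x port-control auto')")
    # The RADIUS key is part of the running-config; without service password-encryption
    # it is stored and displayed in cleartext (with it, IOS shows "key 7 <hex>").
    for m in re.finditer(r"^radius-server host (\S+).* key (7 \S+|\S+)", config, re.M):
        if not m.group(2).startswith("7 "):
            findings.append(f"radius-server {m.group(1)}: shared secret stored in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_8021x(SAMPLE_CONFIG, ["FastEthernet0/1", "FastEthernet0/2"]):
        print(finding)
```

Run it against the output of show running-config and the list of ports that should enforce 802.1X. The cleartext-key finding is worth keeping in mind even when you enable service password-encryption: type 7 only obscures the key and is trivially reversible, so treat any copy of the config as containing the RADIUS secret.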

Client Configuration

I’m using a Windows XP machine to test this. First you need to enable AAA authentication:
[Image: Windows XP Services.msc]
802.1X doesn’t always work out of the box so we need to check if a certain service is running. Press “start”, click on “run” and type “services.msc”.
[Image: Windows XP Services]
Look for the “Wired Autoconfig” service and start it if it’s not running.
[Image: Windows XP Network Properties]
Now go to Network connections and open the properties of your network card.
[Image: Windows XP Network Authentication]
By default it will have 802.1X authentication enabled and PEAP is selected. Press “Settings” to continue.
[Image: Windows XP PEAP Settings]
Disable the checkbox for “Validate server certificate”. Normally you leave this enabled so the client can verify that it is talking to the genuine RADIUS server; we only disable it for this lab. Click on the “Configure” button to continue.
[Image: Windows XP PEAP MSCHAP Properties]
Disable the checkbox here, otherwise it will automatically use your Windows logon credentials to authenticate. Click on OK on all windows until they all disappear.
[Image: Windows XP AAA Popup]
Click on the pop-up and you’ll be asked for your credentials.
[Image: Windows XP Enter Credentials]
Type in the username and password that you configured in Elektron RADIUS server and press OK. You should now be connected!
[Image: Windows XP LAN Connected]
That’s all you have to do to configure AAA and 802.1X authentication on a Cisco Catalyst Switch for client authentication. I hope this lesson was useful to you!
