Defining AAA clients on RADIUS servers
The next step in our setup is to define our AAA clients on the RADIUS servers. This involves simply entering the AAA client's (the switch's) IP address and a pre-shared key; the same key will later be configured on the switch. Once you are done you will have a screen similar to the one below.
Configure Authenticating Switches
Now it's time for us to configure our Cisco switches to pass authentication to the RADIUS servers and to perform per-port 802.1x authentication of connecting end devices. You need a set of global commands instructing the switch to perform 802.1x authentication, similar to the ones below. You can go to Cisco's website to get more information on the commands, although I will try to comment on some of the lines.
aaa new-model ( must be enabled before any other aaa command; make sure a local username exists first so you do not lock yourself out of the console/vty )
aaa authentication dot1x default group radius
aaa authorization network default group radius ( required for the switch to apply the VLAN returned by RADIUS )
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
dot1x system-auth-control ( define this to see the dot1x commands at interface level )
ip radius source-interface <interface>
radius-server host x.x.x.x auth-port 1645 acct-port 1646 timeout <seconds> key <shared-key>
radius-server host x.x.x.x auth-port 1645 acct-port 1646 timeout <seconds> key <shared-key>
The last three commands above tell the switch which interface's IP address to use as the source of its RADIUS packets (useful when you have multiple VLANs; this address must match the AAA client entry you defined on the RADIUS servers, otherwise the server silently discards the requests) and define the RADIUS server hosts. The switch tries the servers in the order they are configured, so the first one defined is the primary and the second is the secondary. The key is the same pre-shared key you entered when you defined the AAA client on the RADIUS servers.
Once you have these commands set, it's time to go to the per-port level and allow the switch ports to do dot1x authentication.
switchport access vlan <vlan-id>
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout tx-period <seconds>
dot1x auth-fail vlan <vlan-id>
dot1x guest-vlan <vlan-id>
spanning-tree portfast
You can look up these commands further, but basically the guest VLAN and auth-fail VLAN define where clients end up when dot1x authentication with the RADIUS servers does not succeed. They are not the same thing: the guest VLAN is where the port is placed when the connected device never answers the switch's EAPOL requests (no supplicant, for example a printer), while the auth-fail VLAN is where a device that has a supplicant but fails authentication is placed. Both VLANs give an unauthenticated device network access, so restrict them (for example to a remediation or Internet-only segment) rather than leaving them on the production network.
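As an added example (not from the original post), here is the complete switch-side configuration assembled from the commands above in the order IOS expects them, followed by the privileged EXEC commands used to verify it. Interface names, VLAN IDs, server addresses, the shared key and the test account are assumed placeholders; replace them with your own.

```cisco
! Added example: full 802.1x authenticator configuration for a Cisco IOS access switch.
! All names, addresses, VLAN IDs and keys below are assumed placeholders.
!
! Keep a local account and local login so enabling AAA cannot lock you out
username admin privilege 15 secret ChangeMe
aaa new-model
aaa authentication login default local
!
! 802.1x authentication, VLAN authorization and accounting via RADIUS
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
dot1x system-auth-control
!
! Source RADIUS packets from one SVI; its address must equal the AAA client
! entry defined on the RADIUS servers or the requests are silently dropped
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
ip radius source-interface Vlan10
! First host is tried first (primary), second is the secondary
radius-server host 10.0.10.20 auth-port 1645 acct-port 1646 timeout 5 key Secr3tK3y
radius-server host 10.0.10.21 auth-port 1645 acct-port 1646 timeout 5 key Secr3tK3y
!
! Access ports only: leave uplinks and the SVI out of this range
interface range FastEthernet0/1 - 22
 switchport access vlan 100
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 10
 dot1x auth-fail vlan 666
 dot1x guest-vlan 667
 spanning-tree portfast
!
! Verification, run from privileged EXEC (not configuration mode):
!   test aaa group radius testuser testpass new-code
!       confirms the server is reachable and the shared key matches
!       (assumed to be supported by your IOS release)
!   show dot1x interface FastEthernet0/1 details
!       authenticator state, EAP method and the VLAN assigned by RADIUS
!   show vlan brief
!       confirms the port actually moved to the RADIUS-assigned VLAN
```

The `test aaa` command is the quickest way to tell a wrong shared key from an unreachable server before you plug in any client: a key mismatch shows the server as reachable but the request rejected, while a wrong source interface shows no reply at all.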
Configure wired client computers for PEAP-MS-CHAP v2 802.1x authentication
Ok, now we almost have everything set; the last step is to configure our dot1x clients, which are Windows XP machines in this example. Basically what we need to do is configure the client's NIC to perform dot1x authentication. You can research the GPO policy extension to set this for the clients, but I believe at the time of this writing it is only available with Windows Vista and a Windows 2008 Domain Controller. Just follow the screens below and you should have configured your clients appropriately.
Note that I have cleared the screencap. If the environment is more restrictive, you can define the value of the "Connect to these servers" field on the client's NIC (together with server certificate validation), so the supplicant only completes PEAP against a RADIUS server presenting a certificate for that name. This prevents man-in-the-middle attacks during dot1x authentication, where a rogue authenticator or RADIUS server impersonates yours and captures the client's MS-CHAP v2 exchange. Do note that if you are configuring a Windows XP SP3 client, the dot1x settings for the network card have changed; see the KB article "Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3":
http://support.microsoft.com/kb/949984
There are also two registry values that you will likely change to control supplicant behavior on the clients. The first restricts the supplicant to machine authentication only (user credentials are never used, so VLAN assignment is driven by the computer account's AD group), and the second allows the supplicant to send dot1x start and stop messages. Based on experience, you should set the second registry value as listed below, as I have found that some clients do not get authenticated if this value is not set.
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode = 2 (REG_DWORD)
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode = 3 (REG_DWORD; the default value for wired connections is 2)
Verify Wired Connections
Now that you have finished configuring your dot1x clients, verify that they authenticate to your RADIUS servers and receive the VLAN assignment that matches their group. You can move a client to another AD security group and test the new VLAN segment after you unplug and replug the machine's network cable. Lastly, I need to mention that with Cisco ACS you may need to install a hotfix on your Windows dot1x clients, as the Windows clients don't work well by default with third-party RADIUS servers for PEAP; see "PEAP authentication is not successful when you connect to a third-party RADIUS server" at http://support.microsoft.com/kb/885453
Before I forget here are the links you can use as reference for your own deployment:
Microsoft:
Cisco:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3
Hope you guys enjoyed this article. Do comment for additional info or corrections.