Wednesday, October 3, 2012

Deploying 802.1X in Cisco Catalyst Switch

802.1X is method to authenticate a User to get Access to a Layer 2. In this blog, I will share how to deploy a simple 802.1X on the Cisco Catalyst Switch.



In this lab I tried to configure the Switch (3560) to deploy 802.1X Implementation. Before we move on, I’m gonna give the L2 Diagram





The Lab scenario would be like this, SW2 will implementing 802.1X Feature on Fa0/21 to the Windows XP Client. SW2 will use ACS as a RADIUS service, both authentication and authorization would be provided by the ACS. I used the old ACSv4.2.

If the supplicant (client) doesn’t support the 802.1X the Switch will assign VLAN 999 to the Fa0/21. If the supplicant is successfully authenticate, the Client will be placed in the VLAN 10 (will be pushed by RADIUS). If the Client FAIL to authenticate, the client will be put in the vlan 666!

Before we starting, in order to make sure Win_XP capable to do the 802.1X first we must makes sure the wired autoconfig services is enabled (using run à Services.msc), and switch the Authentication Method to be MD5-Challange :)

Here are the config of the Switch:
!
! Last configuration change at 16:06:32 UTC Wed Feb 15 2012 by ciscolab
! NVRAM config last updated at 15:01:58 UTC Wed Feb 15 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TOml$h6t3G4CdauK.G6AWOtSEk1
!
username admin privilege 15 secret 5 $1$49uN$FQNcFpUOdQpds2Ne2q7Zz1
username sdd privilege 15 secret 5 $1$S2Wi$i8KNWS/rcCWBprsMDuaMi/
username ciscolab privilege 15 secret 5 $1$pabM$41n8I8AjEhmdqvNPoja3./
!
!
aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication dot1x default group radius local-case
aaa authorization network default group radius local
!
!
!
aaa session-id common
system mtu routing 1500
vtp domain HAMSTERVIEL
vtp mode transparent
ip routing
no ip domain-lookup
ip host ASA 10.24.64.10
ip host R1 110.5.46.1
ip host R2 10.24.64.2
!
!
dot1x system-auth-control
dot1x test timeout 30
dot1x guest-vlan supplicant
!
!
!
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name SUCCESS_802.1X
!
vlan 13,20,23,100
!
vlan 666
 name FAILED_802.1X
!
vlan 999
 name GUEST_VLAN
!
!
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 authentication timer restart 30
 authentication timer inactivity 1800
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
!
interface Vlan20
 ip address 192.168.12.12 255.255.255.0
!
ip classless
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.12.213
!
radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication CONSOLE
line vty 5 15
!
end

For the Radius Configuration We have to enable option 64,65,81, and 83 On the RADIUS IETF and then fill the following variable :)



Here is some of the verification
SW2#show dot1x interface fa0/21
Dot1x Info for FastEthernet0/21
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30




First of, I tried to disable 802.1X Feature on the Windows_XP. After I plugged the cable, the switch will notify some syslog message like this
If the client has no-response (Not suport the 802.1X), he will be assigned VLAN 999

Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted al
SW2(config-if)#l authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
SW2(config-if)#
Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active   
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       activeFa0/21
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

If the Client Successfully Login, he will be assigned VLAN 10
SW2(config-if)#
Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:11.822: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active    Fa0/21
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


If the Client Fail the Authentication, the client will still be put in the VLAN 666 (Restricted VLAN)
Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
SW2(config-if)#
Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
SW2(config-if)#
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26

 

4 comments:

Optim Servers said...

Wow what a nice post i am really so inspired here keep continue sharing.
Thanks




Cisco Catalyst 2960-24TC

IP said...

Thank you Optim Servers ;)

Sandy Shaw said...

Nice Article! Thanks for sharing with us.
IP Routing

Leslie Lim said...

This is really an interesting topic. Congratulations to the writer. I'm sure a lot of readers having fun reading your post. Hoping to read more post from you in the future. Thank you and God bless!


Rica
www.imarksweb.org