Wednesday, October 3, 2012

Deploying 802.1X in Cisco Catalyst Switch

802.1X is a method of authenticating a user before granting access at Layer 2 (port-based network access control). In this blog, I will share how to deploy a simple 802.1X setup on a Cisco Catalyst switch.



In this lab I configured a Catalyst 3560 switch to implement 802.1X. Before we move on, here is the L2 diagram:





The lab scenario is as follows: SW2 implements the 802.1X feature on Fa0/21 towards a Windows XP client. SW2 uses ACS as its RADIUS server, so both authentication and authorization are provided by the ACS. I used the old ACS v4.2.

If the supplicant (client) does not support 802.1X, the switch assigns VLAN 999 to Fa0/21. If the supplicant authenticates successfully, the client is placed in VLAN 10 (pushed by RADIUS). If the client FAILS to authenticate, it is put in VLAN 666!

Before we start, to make sure Windows XP is capable of 802.1X we must first make sure the Wired AutoConfig service is enabled (Run → services.msc), and set the authentication method to MD5-Challenge :)

Here is the config of the switch:
!
! Last configuration change at 16:06:32 UTC Wed Feb 15 2012 by ciscolab
! NVRAM config last updated at 15:01:58 UTC Wed Feb 15 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TOml$h6t3G4CdauK.G6AWOtSEk1
!
username admin privilege 15 secret 5 $1$49uN$FQNcFpUOdQpds2Ne2q7Zz1
username sdd privilege 15 secret 5 $1$S2Wi$i8KNWS/rcCWBprsMDuaMi/
username ciscolab privilege 15 secret 5 $1$pabM$41n8I8AjEhmdqvNPoja3./
!
!
aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication dot1x default group radius local-case
aaa authorization network default group radius local
!
!
!
aaa session-id common
system mtu routing 1500
vtp domain HAMSTERVIEL
vtp mode transparent
ip routing
no ip domain-lookup
ip host ASA 10.24.64.10
ip host R1 110.5.46.1
ip host R2 10.24.64.2
!
!
dot1x system-auth-control
dot1x test timeout 30
dot1x guest-vlan supplicant
!
!
!
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name SUCCESS_802.1X
!
vlan 13,20,23,100
!
vlan 666
 name FAILED_802.1X
!
vlan 999
 name GUEST_VLAN
!
!
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 authentication timer restart 30
 authentication timer inactivity 1800
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
!
interface Vlan20
 ip address 192.168.12.12 255.255.255.0
!
ip classless
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.12.213
!
radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication CONSOLE
line vty 5 15
!
end
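The interface stanza above is what makes or breaks the design: without the global dot1x system-auth-control line nothing is enforced, a port with dot1x pae authenticator but no authentication port-control auto stays open, and a fail/no-response VLAN that does not exist on the switch cannot be authorized. The following Python script is an added example (not part of the post and not Cisco code) that audits a running-config for exactly those conditions. It runs over a constructed, abridged copy of the config in which VLAN 999 is intentionally left undefined and Fa0/22 is an access port without 802.1X, so both checks fire; the parser only understands the plain "interface ..." and "vlan N" block forms used in this config.

```python
import re

# Constructed sample: an abridged version of the kind of running-config shown in
# the post. Unlike the real config, VLAN 999 is deliberately left undefined and
# Fa0/22 is an access port with no 802.1X, so that both checks below fire.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
vlan 10
 name SUCCESS_802.1X
!
vlan 13,20,23,100
!
vlan 666
 name FAILED_802.1X
!
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
!
"""


def parse_config(text):
    """Split an IOS-style config into global lines, per-interface lines and the
    set of VLAN ids defined by 'vlan N' / 'vlan 1,2-4' blocks."""
    global_lines, interfaces, vlans = [], {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates the current block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        m = re.fullmatch(r"vlan ([\d,\-]+)", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            global_lines.append(line)
    return global_lines, interfaces, vlans


def audit(text):
    """Return (severity, subject, message) findings for the 802.1X setup."""
    global_lines, interfaces, vlans = parse_config(text)
    findings = []
    if "dot1x system-auth-control" not in global_lines:
        findings.append(("HIGH", "global",
                         "dot1x system-auth-control missing: 802.1X is not enforced on any port"))
    for name, lines in interfaces.items():
        has_pae = "dot1x pae authenticator" in lines
        if "switchport mode access" in lines and not has_pae:
            findings.append(("MEDIUM", name, "access port without 802.1X authenticator"))
        if not has_pae:
            continue
        if "authentication port-control auto" not in lines:
            findings.append(("HIGH", name,
                             "dot1x pae authenticator without 'authentication port-control auto'"))
        for line in lines:
            # any "... vlan N" reference on an 802.1X port must name a VLAN that exists
            m = re.search(r"vlan (\d+)$", line)
            if m and int(m.group(1)) not in vlans:
                findings.append(("MEDIUM", name,
                                 f"references undefined VLAN {m.group(1)} in '{line}'"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

Run against the real config above the script would stay silent for Fa0/21, since VLANs 10, 666 and 999 are all defined; the "access port without 802.1X authenticator" finding for Fa0/22 (and the uplink-style ports in VLAN 100) is the kind of gap worth reviewing before calling a closet "802.1X enabled".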

For the RADIUS configuration we have to enable IETF attributes 64, 65, 81 and 83 in the ACS and then fill in the following values :)
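The values behind those attribute numbers are standard RADIUS (RFC 2868 / RFC 3580): 64 is Tunnel-Type, which must be VLAN (13); 65 is Tunnel-Medium-Type, which must be 802 (6); and 81 is Tunnel-Private-Group-ID, which carries the VLAN number or name. The switch acts on the assignment only when all three share the same tag. The Python below is an added example (not from the post and not ACS code) that encodes such an Access-Accept attribute set and decodes it back with the same tag-consistency rule the switch applies; the attribute layouts are from the RFCs, the sample values are constructed.

```python
import struct

# IETF RADIUS attribute numbers (RFC 2868) used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value "802"


def _avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, value):
    """Tagged integer per RFC 2868: one tag byte followed by a 3-byte value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def build_vlan_assignment(vlan, tag=1):
    """Attributes an Access-Accept carries to put the port in the given VLAN.
    'vlan' may be a VLAN number or a VLAN name (IOS accepts either)."""
    return (_avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan).encode()))


def parse_avps(data):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def extract_vlan(data):
    """Return the VLAN (as a string) requested by a consistent 64/65/81 triple
    sharing one tag, or None when no complete, consistent triple is present."""
    by_tag = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte in 0x00..0x1F is a tag; otherwise the whole value is the string
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = group.decode("ascii", "replace")
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID)):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = build_vlan_assignment(10)   # what ACS sends for the SUCCESS_802.1X case
    print(accept.hex(), "->", extract_vlan(accept))
```

Attribute 83 (Tunnel-Preference) is also a tagged integer and is encoded the same way with _tagged_int; it is not required for the switch to honour the VLAN, which is why the decoder ignores it. Note that a Tunnel-Type without a matching Tunnel-Medium-Type and Tunnel-Private-Group-ID yields None, mirroring a switch that falls back to the port's configured VLAN when the triple is incomplete.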



Here is some of the verification:
SW2#show dot1x interface fa0/21
Dot1x Info for FastEthernet0/21
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30




First off, I disabled the 802.1X feature on the Windows XP client. After I plugged in the cable, the switch logged syslog messages like these.
If the client gives no response (does not support 802.1X), it is assigned VLAN 999:

Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active   
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active    Fa0/21
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

If the client logs in successfully, it is assigned VLAN 10:
Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:11.822: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active    Fa0/21
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


If the client fails authentication, it is put in VLAN 666 (the restricted VLAN):
Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
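The three captures above (no-response, success, fail) are exactly what a central syslog collector such as the 192.168.12.213 host in the config receives, and the AuditSessionID ties the RESULT and VLANASSIGN lines of one session together. The following Python is an added example (not part of the post) that reconstructs per-session outcomes from %AUTHMGR messages and checks them against the VLAN policy the post describes (success → 10, fail → 666, no-response → 999), flagging every failure and guest placement plus any session whose assigned VLAN contradicts its result. The sample lines are constructed, modelled on the output shown above; the fourth session and the VLAN 666 assignment line for the failed session are invented to exercise the checks.

```python
import re

# Message formats are those of the IOS %AUTHMGR messages shown in the post.
LOG_RE = re.compile(r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z]+): ")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f.]+|Unknown MAC)\) on Interface (?P<intf>\S+)")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-F]+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[a-z-]+)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)")

# VLAN policy from the post's design: which VLAN each outcome should land in.
POLICY = {"success": 10, "fail": 666, "no-response": 999}

# Constructed sample log: the first three sessions mirror the post's captures,
# the fourth is invented to show a result/VLAN mismatch being caught.
SAMPLE_LOG = """\
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
Feb 15 17:33:12.160: %AUTHMGR-5-VLANASSIGN: VLAN 666 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
Feb 15 17:40:01.000: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0011.2233.4455) on Interface Fa0/21 AuditSessionID C0A80C0C0000001B00000001
Feb 15 17:40:01.010: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001B00000001
"""


def summarize(log_text):
    """Fold %AUTHMGR lines into one record per AuditSessionID."""
    sessions = {}
    for line in log_text.splitlines():
        head = LOG_RE.search(line)
        sid = SESSION_RE.search(line)
        if not head or head.group("facility") != "AUTHMGR" or not sid:
            continue
        s = sessions.setdefault(sid.group("sid"),
                                {"intf": None, "mac": None, "result": None, "vlan": None})
        if c := CLIENT_RE.search(line):
            s["intf"], s["mac"] = c.group("intf"), c.group("mac")
        if r := RESULT_RE.search(line):
            s["result"] = r.group("result")
        if v := VLAN_RE.search(line):
            s["vlan"], s["intf"] = int(v.group("vlan")), v.group("intf")
    return sessions


def findings(sessions, policy=POLICY):
    """Return (session_id, message) pairs a SOC would want to see."""
    out = []
    for sid, s in sessions.items():
        if s["result"] is None:
            continue
        expected = policy.get(s["result"])
        if s["vlan"] != expected:
            out.append((sid, f"{s['intf']}: result '{s['result']}' but VLAN {s['vlan']} "
                             f"(expected {expected})"))
        if s["result"] == "fail":
            out.append((sid, f"{s['intf']}: 802.1X failure for {s['mac']}; "
                             f"now in restricted VLAN {s['vlan']}"))
        elif s["result"] == "no-response":
            out.append((sid, f"{s['intf']}: non-802.1X device placed in guest VLAN {s['vlan']}"))
    return out


if __name__ == "__main__":
    for sid, msg in findings(summarize(SAMPLE_LOG)):
        print(sid, msg)
```

A result/VLAN mismatch is the finding to take seriously: in this design it means the port ended up somewhere other than where the policy says a failed or unauthenticated client belongs, which points at a RADIUS authorization profile or interface config that drifted from the intended setup.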

 

2 comments:

Optim Servers said...

Wow, what a nice post, I am really so inspired here, keep continuing sharing.
Thanks




Cisco Catalyst 2960-24TC

IP said...

Thank you Optim Servers ;)