Last night, I had an exclusive dinner for Indonesian CCIEs. This dinner was initiated by Mr. Himawan Nugroho, a famous Cisco Advanced Services engineer from Cisco (http://www.himawan.nu/).
It was a cool dinner; we had a lot of great conversations and shared our experiences. Mr. Himawan and Mr. Tedhi have a vision to let Indonesian CCIEs connect with each other by providing some kind of portal dedicated to Indonesian CCIEs.
Although only several CCIEs attended this dinner, since a lot of them either work abroad or had a job at that time, the event was really unforgettable \(^0^)/.
Friday, December 7, 2012
Thursday, November 22, 2012
Cert-Monkey Guy part-2
This week I just passed the CCNP-Security, Alhamdulillah. Hmm, interesting story about this certification.
I studied the Security track since, in my current employment, one of the biggest customers is currently 'Cisco-minded', so they deploy Cisco on all their LAN components. That is why I play around with security.
I play around with Cisco security technology, which involves routers, ASA, ACS, IPS, and VPN technology, to fill my gap in security.
Suddenly my company wanted me to take the CCNP-Security certification for project purposes. Given this opportunity, I just said "Yes", and from that time I started with CCNA-Security.
At the Associate and Professional level of Cisco security, they currently use the GUI instead of the CLI, so I had to port most of my stuff, which used the CLI, to the GUI. Sure enough the GUI is much simpler compared to the CLI, especially for the VPN stuff \(^0^)/, but for troubleshooting purposes, I think the CLI is much more powerful ;)
When you get an opportunity, I think it is better to say 'yes' first instead of analyzing the 'additional work' ;)
Wednesday, October 3, 2012
Deploying 802.1X in Cisco Catalyst Switch
802.1X is a method to authenticate a user before granting access at Layer 2. In this post, I will share how to deploy a simple 802.1X setup on a Cisco Catalyst switch.
For the RADIUS configuration we have to enable attributes 64, 65, 81, and 83 under RADIUS IETF, and then fill in the following variables :)
In this lab I configured the switch (a 3560) for the 802.1X implementation. Before we move on, here is the L2 diagram.
The lab scenario is as follows: SW2 will implement the 802.1X feature on Fa0/21 towards the Windows XP client. SW2 will use ACS as the RADIUS service; both authentication and authorization are provided by the ACS. I used the old ACS v4.2.
If the supplicant (client) doesn't support 802.1X, the switch will assign VLAN 999 to Fa0/21. If the supplicant authenticates successfully, the client will be placed in VLAN 10 (pushed by RADIUS). If the client FAILS to authenticate, the client will be put in VLAN 666!
Before we start, to make sure Windows XP is capable of doing 802.1X, we first must make sure the Wired AutoConfig service is enabled (Run → services.msc), and switch the authentication method to MD5-Challenge :)
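To show what the RADIUS IETF attributes enabled above actually carry, here is an added example (written for this page; it is not the post's own code nor anything from ACS or IOS). It encodes the Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) attributes an Access-Accept needs in order to push VLAN 10, parses them back from the wire format, and only treats the reply as a VLAN assignment when all three are present with the VLAN and 802 values. The attribute numbers, value codes and tag rules come from RFC 2868; the function names, the tag value 1, and the sample VLANs are this example's own assumptions. Tunnel-Preference (83), which the post also enables, is a tagged integer and would be encoded exactly like 64 and 65.

```python
# Added example: RFC 2868 tunnel attributes used for dynamic VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_PREFERENCE = 83

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE 802"
TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}


def _check_tag(tag):
    # RFC 2868 tags occupy one byte and must be 0x00 (unused) .. 0x1F
    if not 0x00 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0x00..0x1F")


def tagged_integer(attr, tag, value):
    """Encode a tagged integer AVP: Type, Length, Tag, 3-byte big-endian value."""
    _check_tag(tag)
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def tagged_string(attr, tag, text):
    """Encode a tagged string AVP: Type, Length, Tag, bytes of the string."""
    _check_tag(tag)
    body = bytes([tag]) + text.encode("ascii")
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute too long")
    return bytes([attr, 2 + len(body)]) + body


def vlan_assignment_avps(vlan, tag=1):
    """The three attributes an Access-Accept carries to place the port in `vlan`.
    `vlan` may be a VLAN number or a VLAN name (tag value 1 is an assumption here)."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_avps(blob):
    """Walk a sequence of AVPs; return {attr: (tag, value)} for the tunnel attributes."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        if attr in TAGGED_INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("tagged integer must be tag + 3 bytes")
            out[attr] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            if value and value[0] <= 0x1F:
                out[attr] = (value[0], value[1:].decode("ascii"))
            else:
                out[attr] = (0, value.decode("ascii"))
        i += length
    return out


def assigned_vlan(avps):
    """Return the VLAN (number or name, as a string) the reply asks for, or None
    when Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and the group id are not all present."""
    t = avps.get(TUNNEL_TYPE)
    m = avps.get(TUNNEL_MEDIUM_TYPE)
    g = avps.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (t and m and g):
        return None
    if t[1] != TUNNEL_TYPE_VLAN or m[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return g[1]


if __name__ == "__main__":
    reply = vlan_assignment_avps(10)
    print(reply.hex())                       # the 17 bytes ACS would add to Access-Accept
    print(assigned_vlan(parse_avps(reply)))  # "10"
```

The check in assigned_vlan is the point of the example: a reply that only names a group, or that sets Tunnel-Type to something other than VLAN, yields no assignment, which is the behaviour you want to verify on the server side before blaming the switch when a supplicant ends up in the wrong VLAN.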
Here is the config of the switch:
!
! Last configuration change at 16:06:32 UTC Wed Feb 15 2012 by ciscolab
! NVRAM config last updated at 15:01:58 UTC Wed Feb 15 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TOml$h6t3G4CdauK.G6AWOtSEk1
!
username admin privilege 15 secret 5 $1$49uN$FQNcFpUOdQpds2Ne2q7Zz1
username sdd privilege 15 secret 5 $1$S2Wi$i8KNWS/rcCWBprsMDuaMi/
username ciscolab privilege 15 secret 5 $1$pabM$41n8I8AjEhmdqvNPoja3./
!
!
aaa new-model
!
!
aaa authentication login CONSOLE local
aaa authentication dot1x default group radius local-case
aaa authorization network default group radius local
!
!
!
aaa session-id common
system mtu routing 1500
vtp domain HAMSTERVIEL
vtp mode transparent
ip routing
no ip domain-lookup
ip host ASA 10.24.64.10
ip host R1 110.5.46.1
ip host R2 10.24.64.2
!
!
dot1x system-auth-control
dot1x test timeout 30
dot1x guest-vlan supplicant
!
!
!
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name SUCCESS_802.1X
!
vlan 13,20,23,100
!
vlan 666
 name FAILED_802.1X
!
vlan 999
 name GUEST_VLAN
!
!
interface FastEthernet0/21
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 999
 authentication port-control auto
 authentication timer restart 30
 authentication timer inactivity 1800
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
!
interface Vlan20
 ip address 192.168.12.12 255.255.255.0
!
ip classless
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging 192.168.12.213
!
radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication CONSOLE
line vty 5 15
!
end
Here is some of the verification:
SW2#show dot1x interface fa0/21
Dot1x Info for FastEthernet0/21
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
First, I disabled the 802.1X feature on the Windows XP client. After I plugged in the cable, the switch logged syslog messages like these.
If the client gives no response (does not support 802.1X), it is assigned VLAN 999:
Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted al
SW2(config-if)#l authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
SW2(config-if)#
Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active    Fa0/21
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
If the client logs in successfully, it is assigned VLAN 10:
SW2(config-if)#
Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:11.822: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up
Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/24, Gi0/1
                                                Gi0/2
10   SUCCESS_802.1X                   active    Fa0/21
13   VLAN0013                         active
20   VLAN0020                         active    Fa0/22
23   VLAN0023                         active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/16
666  FAILED_802.1X                    active
999  GUEST_VLAN                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
If the client fails authentication, it is still put in VLAN 666 (the restricted VLAN):
Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
SW2(config-if)#
Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID
SW2(config-if)#
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
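The three outcomes above all surface as %AUTHMGR-7-RESULT and %AUTHMGR-5-VLANASSIGN messages, and the switch already ships them to the syslog collector at 192.168.12.213 (logging trap debugging), so the same policy can be checked from the log side. The Python below is an added example written for this page, not the post's own tooling or any Cisco product: it groups the messages by AuditSessionID, records the result and the VLAN the switch assigned, and raises findings for credential failures, for devices that never answered the EAP request and landed in the guest VLAN, and for any session whose assigned VLAN does not match the lab's design. The sample lines are the %AUTHMGR lines from the console output above, re-joined one per line; POLICY, the regular expressions and the function names are this example's own assumptions.

```python
import re

# Added example. Sample input: the %AUTHMGR lines from this post's console output,
# re-joined so each message sits on one line.
SAMPLE_LOG = """\
Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1
Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA
Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26
"""

# VLAN each outcome should land in, taken from the lab design in this post
# (fail -> 666 comes from the port's local config and may not produce a VLANASSIGN line).
POLICY = {"success": 10, "no-response": 999, "fail": 666}

RESULT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)' "
    r"for client \((?P<client>[^)]+)\) on Interface (?P<iface>\S+) AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
VLAN_RE = re.compile(
    r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)")


def _new_session(iface):
    return {"client": None, "iface": iface, "method": None, "result": None, "vlan": None}


def parse_sessions(text):
    """Group log lines by AuditSessionID -> {client, iface, method, result, vlan}."""
    sessions = {}
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], _new_session(m["iface"]))
            s.update(client=m["client"], method=m["method"], result=m["result"])
            continue
        m = VLAN_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], _new_session(m["iface"]))
            s["vlan"] = int(m["vlan"])
    return sessions


def audit(sessions, policy=POLICY):
    """Return findings as (AuditSessionID, kind, message) tuples."""
    findings = []
    for sid, s in sessions.items():
        where = f"{s['client']} on {s['iface']}"
        if s["result"] == "fail":
            findings.append((sid, "auth-fail",
                             f"802.1X credential failure for {where}; port falls back to restricted VLAN {policy['fail']}"))
        elif s["result"] == "no-response":
            findings.append((sid, "guest-vlan",
                             f"no supplicant answered from {where}; port placed in guest VLAN {policy['no-response']}"))
        expected = policy.get(s["result"])
        if s["vlan"] is not None and expected is not None and s["vlan"] != expected:
            findings.append((sid, "vlan-mismatch",
                             f"{where}: switch assigned VLAN {s['vlan']} but policy expects {expected} for '{s['result']}'"))
    return findings


if __name__ == "__main__":
    for sid, kind, msg in audit(parse_sessions(SAMPLE_LOG)):
        print(f"{sid} {kind}: {msg}")
```

Run against the sample, the audit reports one auth-fail (the failed login in the last block) and one guest-vlan finding (the XP client with 802.1X disabled); the successful session produces nothing because VLAN 10 is what POLICY expects. Feeding the same function the collector's live log gives a quick way to spot a RADIUS profile that pushes the wrong VLAN, which is the failure this lab's VLAN split is designed to make visible.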