Indonesian CCIE Dinner

Last night, I had an exclusive dinner for Indonesian CCIEs. This dinner was initiated by Mr. Himawan Nugroho, a famous Cisco Advanced Service Engineer from Cisco (http://www.himawan.nu/).

It was a cool Dinner, we had a lot of great conversation and share our experiences. Mr. Himawan & Mr. Tedhi have a vision to make Indonesian CCIEs  can connecting with each other by providing some kind of portal that is dedicated to the Indonesian CCIEs.

Altough only several CCIEs attend this Dinner, where a lot of them either working abroad or having a job during that time, but the event was really unforgettable \(^0^)/.

Cert-Monkey Guy part-2

This week I just passed the CCNP-Security, Alhamdulillah. Hmm, interesting story about this Certification.

I study the Security track, since in my current employment, one of the biggest customer currently 'Cisco-Minded' thing, so they deploy Cisco on all their LAN component. That is why I play around with the security.

I play around with the Cisco Security Technology, which involving Router, ASA, ACS, IPS, and VPN Technology to fill my gap in the Security.

Suddenly my Company want me to take the CCNP-Security Certification for Project purposes. Given this opportunity, I just suddenly said "Yes", then I started to take CCNA-security from that time.

On the Associate and Professional Level of the Security ini Cisco, Currently they used GUI instead of CLI, so I have to ported most of my stuff, which is using CLI to the GUI. Sure enough GUI is much more simpler compare to the GUI one, especially in the VPN stuff \(^0^)/, but for the troubleshooting purposes, I think CLI is much more powerfull ;)

When you got the opportunity, I think it is better to say 'yes' first instead of analyzing the 'another additional work' ;)

Deploying 802.1X in Cisco Catalyst Switch

802.1X is method to authenticate a User to get Access to a Layer 2. In this blog, I will share how to deploy a simple 802.1X on the Cisco Catalyst Switch.

In this lab I tried to configure the Switch (3560) to deploy 802.1X Implementation. Before we move on, I’m gonna give the L2 Diagram

The Lab scenario would be like this, SW2 will implementing 802.1X Feature on Fa0/21 to the Windows XP Client. SW2 will use ACS as a RADIUS service, both authentication and authorization would be provided by the ACS. I used the old ACSv4.2.

If the supplicant (client) doesn’t support the 802.1X the Switch will assign VLAN 999 to the Fa0/21. If the supplicant is successfully authenticate, the Client will be placed in the VLAN 10 (will be pushed by RADIUS). If the Client FAIL to authenticate, the client will be put in the vlan 666!

Before we starting, in order to make sure Win_XP capable to do the 802.1X first we must makes sure the wired autoconfig services is enabled (using run à Services.msc), and switch the Authentication Method to be MD5-Challange :)

Here are the config of the Switch:

! ! Last configuration change at 16:06:32 UTC Wed Feb 15 2012 by ciscolab ! NVRAM config last updated at 15:01:58 UTC Wed Feb 15 2012 ! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SW2 ! boot-start-marker boot-end-marker ! enable secret 5 $1$TOml$h6t3G4CdauK.G6AWOtSEk1 ! username admin privilege 15 secret 5 $1$49uN$FQNcFpUOdQpds2Ne2q7Zz1 username sdd privilege 15 secret 5 $1$S2Wi$i8KNWS/rcCWBprsMDuaMi/ username ciscolab privilege 15 secret 5 $1$pabM$41n8I8AjEhmdqvNPoja3./ ! ! aaa new-model ! ! aaa authentication login CONSOLE local aaa authentication dot1x default group radius local-case aaa authorization network default group radius local ! ! ! aaa session-id common system mtu routing 1500 vtp domain HAMSTERVIEL vtp mode transparent ip routing no ip domain-lookup ip host ASA 10.24.64.10 ip host R1 110.5.46.1 ip host R2 10.24.64.2 ! ! dot1x system-auth-control dot1x test timeout 30 dot1x guest-vlan supplicant ! ! ! errdisable detect cause security-violation shutdown vlan errdisable recovery cause security-violation errdisable recovery interval 30 spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 10  name SUCCESS_802.1X ! vlan 13,20,23,100 ! vlan 666  name FAILED_802.1X ! vlan 999  name GUEST_VLAN ! ! interface FastEthernet0/21  switchport access vlan 666  switchport mode access  switchport nonegotiate  authentication event fail action authorize vlan 666  authentication event no-response action authorize vlan 999  authentication port-control auto  authentication timer restart 30  authentication timer inactivity 1800  dot1x pae authenticator  spanning-tree portfast ! interface FastEthernet0/22  switchport access vlan 20  switchport mode access  switchport nonegotiate  spanning-tree portfast ! ! interface Vlan20  ip address 192.168.12.12 255.255.255.0 ! ip classless ip http secure-server ! ! ip sla enable reaction-alerts logging trap debugging logging 192.168.12.213 ! radius-server host 192.168.12.213 auth-port 1645 acct-port 1646 key CISCO ! ! line con 0  exec-timeout 0 0  logging synchronous  login authentication CONSOLE line vty 5 15 ! end

For the Radius Configuration We have to enable option 64,65,81, and 83 On the RADIUS IETF and then fill the following variable :)

Here is some of the verification

SW2#show dot1x interface fa0/21 Dot1x Info for FastEthernet0/21 ----------------------------------- PAE                       = AUTHENTICATOR PortControl               = AUTO ControlDirection          = Both HostMode                  = SINGLE_HOST QuietPeriod               = 60 ServerTimeout             = 0 SuppTimeout               = 30 ReAuthMax                 = 2 MaxReq                    = 2 TxPeriod                  = 30

First of, I tried to disable 802.1X Feature on the Windows_XP. After I plugged the cable, the switch will notify some syslog message like this

If the client has no-response (Not suport the 802.1X), he will be assigned VLAN 999 Feb 15 16:23:00.274: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/21 AuditSessionID Feb 15 16:23:00.274: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1 Feb 15 16:23:00.274: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1 Feb 15 16:23:00.274: %AUTHMGR-7-NOMOREMETHODS: Exhausted al SW2(config-if)#l authentication methods for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1 Feb 15 16:23:00.274: %AUTHMGR-5-VLANASSIGN: VLAN 999 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1 SW2(config-if)# Feb 15 16:23:01.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up Feb 15 16:23:01.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/21 AuditSessionID C0A80C0C0000001800FAA6C1 SW2#show vlan brief VLAN Name                             Status    Ports ---- -------------------------------- --------- ------------------------------- 1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17                                                 Fa0/18, Fa0/19, Fa0/24, Gi0/1                                                 Gi0/2 10   SUCCESS_802.1X                   active    13   VLAN0013                         active 20   VLAN0020                         active    Fa0/22 23   VLAN0023                         active 100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4                                                 Fa0/5, Fa0/6, Fa0/16 666  FAILED_802.1X                    active 999  GUEST_VLAN                       activeFa0/21 1002 fddi-default                     act/unsup 1003 token-ring-default               act/unsup 1004 fddinet-default                  act/unsup 1005 trnet-default                    act/unsup

If the Client Successfully Login, he will be assigned VLAN 10

SW2(config-if)# Feb 15 16:30:59.121: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA Feb 15 16:31:10.798: %DOT1X-5-SUCCESS: Authentication successful for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID Feb 15 16:31:10.798: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA Feb 15 16:31:10.798: %AUTHMGR-5-VLANASSIGN: VLAN 10 assigned to Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA Feb 15 16:31:11.822: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up Feb 15 16:31:11.839: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001901035CFA SW2#show vlan brief VLAN Name                             Status    Ports ---- -------------------------------- --------- ------------------------------- 1    default                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/17                                                 Fa0/18, Fa0/19, Fa0/24, Gi0/1                                                 Gi0/2 10   SUCCESS_802.1X                   active    Fa0/21 13   VLAN0013                         active 20   VLAN0020                         active    Fa0/22 23   VLAN0023                         active 100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4                                                 Fa0/5, Fa0/6, Fa0/16 666  FAILED_802.1X                    active 999  GUEST_VLAN                       active 1002 fddi-default                     act/unsup 1003 token-ring-default               act/unsup 1004 fddinet-default                  act/unsup 1005 trnet-default                    act/unsup

If the Client Fail the Authentication, the client will still be put in the VLAN 666 (Restricted VLAN)

Feb 15 17:32:58.588: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26 SW2(config-if)# Feb 15 17:33:12.153: %DOT1X-5-FAIL: Authentication failed for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID SW2(config-if)# Feb 15 17:33:12.153: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (000d.87b6.ec91) on Interface Fa0/21 AuditSessionID C0A80C0C0000001A013C1A26