AAA and 802.1X Authentication

Hi Francesco,

We use RADIUS and TACACS+ for both user authentication and management. For example, with wireless networks we use RADIUS for user authentication (WPA2-enterprise). This allows us to use client and server certificates and it’s a far more secure solution than using pre-shared keys only.

For network management, it’s useful since you can centralize all your authentication instead of creating usernames/passwords on each and every router, switch, firewall, etc on your network.

It’s used on local networks, the only time you might use it on the Internet is if you have a branch office and you want to use the RADIUS/TACACS+ server on the main site. In that case, you would use a VPN tunnel.

Rene

Hi Rene,
Which’s standard of RFC that I can follow when learning the TACACS+?
Many thanks!

Hello Thinh

The original TACACS is defined in RFC 1492 as it is an open IETF standard. TACACS+ however was developed by Cisco so it has no corresponding RFC. Cisco developed it as an open standard so many vendors can and do use it.

There is however a Cisco RFC TACACS+ Draft available on the IETF web site that you can check out. There are also additional drafts that have been added, the most recent of which can be found here.

I hope this has been helpful!

Laz

1 Like

oh, thank you so much, i looked it out :slight_smile:

1 Like

Hello

Can you please explain what you mean at the beginning of the lesson, that port security cannot prevent the connection of a Wi-Fi router to the switch? Could not we just configure the switch to accept only specific MAC addresses on its interfaces via port security? How is NAT also affecting the whole process? Thank you in advance!

Regards
Markos

Hello Markos

Using port security we can do several things. We can restrict the use of a switch port to only one specific preconfigured MAC address or we can specify that only a single MAC address should be seen to be using this port. We can even use IP source guard to determine which will be the allowed source IP address that can use the interface, even on an L2 switch.

The first case will allow us to lock the port down such that only a specific computer having a specific MAC address can connect to that port. If this were implemented, then port security would indeed block the use of an access point. It would actually block the use of ANY device other than the computer with the specified MAC address. However, this port security scheme is not used that often because it has a very large administrative overhead, especially in environments where many moves adds and changes take place.

The more common port security scenario, and the one that Rene is referring to in this lesson, is when port security is implemented so that only a single MAC address will be allowed on a port of a switch. This prevents users from bringing their own switches and connecting multiple devices to it because each of those devices will send a different source MAC address to the switch and will trigger the port security threshold. Additional port security scenarios include the use of IP source guard where packets from the specific IP address associated with the single allowed MAC address will only be permitted and all other hosts will be rejected.

These port security features cannot be used to prevent the use of a rogue access point because the access point will create a separate subnet for its wireless users and it will use NAT to translate all of those users to a single IP address for the switch-facing interface. Any and all traffic from users on the impromptu wireless network will appear to the switch using the legitimate single MAC address allowed and the legitimate single associated IP address. Thus, all traffic will be allowed through.

I hope this has been helpful!

Laz

Just a quick real work question. Im wondering about the ramifications in a windows domain environment. If a host machine is booted i assume all traffic from machine is blocked prior to the login. I assume the windows SSO can also act as a 802.1X supplicant. If so then i get my windows logon AND network access at the same time ? How does this work in a scenario if one user logs off and a second logs on ? or if (in a windows 7+ environment a “switch user” is performed? Any light you can shed on how 802.1x works with AD login, login scripts group policy etc would be appreciated.

Thanks so much!

1 Like

Hello Edgar,

Good question. From the “network engineer” perspective, 802.1X is layer two authentication so how the operating system deals with it is a system engineer issue :grin:

You really need to dive into windows authentication to figure out how this exactly works.

Some items to consider:

  • When you provision a new machine, it has to join the domain so somehow it requires access to the domain. IAS/NPS probably supports a fallback VLAN so when authentication fails (it does because it’s a new machine), you can add it to a “provision” VLAN which allows access to the domain and provision it.

  • Another option is MAB. You could create a script that adds the MAC address automatically when you provision the new machine.

  • When you provision the machine, you can use a GPO to configure your 802.1x settings and enroll certificates.

  • You can enroll user or machine certificates. You could use the machine certificate to authenticate the computer with 802.1X and use the user account only for domain authentication. I believe when you do this, machine authentication works automatically before the user attempts to log in.

  • With SSO, the user credentials are used for 802.1X as well. I’m not sure how it works when you switch a user though…that’s something to test :slight_smile:

Rene

1 Like

Hi,
I’m working on setting up my switch to use 802.1x for user authentication on the switch along with port authentication for the end user/endpoints. I’m running 15.2(4) on my 2960x stack. I’ve gotten the switch user auth working but I’m struggling with the dynamic vlan port assignment. Logging says its trying to use Vlan 1 which is confusing me since in my radius server (Windows Server NPS) I’ve specified VLAN 23. Here is what I’ve configured thus far:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

interface GigabitEthernet1/0/1
 description ***IT User Port***
 switchport mode access
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge

!
radius server DC1
 address ipv4 10.0.3.35 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxx
!
radius server DC2
 address ipv4 10.0.3.30 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxx
!

Then on my radius server I have the my switch added as a Radius Client.
I have have 2 network policies, one for Switch authentication per a security group giving level 15 access and a port auth group using the following settings, (edit: i cant add more than one image):

Conditions:
Windows group w/ NAS Port Type Ethernet

Constraints:
Microsoft: Protected EAP (PEAP) with the top 4 Less secure authentication methods checked

Settings:
Tunnel-Medium-Type - 802(includes all 802 media plus Ethernet canonical…)
Tunnel-Pvt-Group-ID - 23
Tunnel-Type - Virtual LANs (VLAN)

One last struggle is all the different ways to configure the port g1/0/1. With 15.2(4) there is allot of commands depreciated. For example Authentication is repalced with access-session. But not everything matches.

Anyways, any thoughts and feed back is appreciated.

Thanks,

Jon

Hello Jon

There are particular cases when a user is “defaulted” back to VLAN 1, or to the configured access VLAN on that particular port. According to Cisco, this can occur:

  • If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

  • If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.

  • IEEE 802.1X authentication is disabled on the port.

  • The port is in the force authorized, force unauthorized, unauthorized, or shutdown state.

Because some of the commands have been deprecated, and because 802.1x Authentication with VLAN Assignment is not yet covered in full in the lessons, the best resource you can use is the following Cisco documentation:

Of particular interest to you is the flowchart at the following link from the above documentation, which indicates when a port will be Assigned to the VLAN configured in the RADIUS server and when it will be assigned to a guest VLAN.

I hope this has been helpful!

Laz

so would 802.1x stop a user from connecting a box from best buy that does NAT? As long as the eapol packets are sent from a host on the other side wouldn’t that defeat 802.1x?

1 Like

Hello Justin

If I understood your argument correctly, you mean connect something like an access point or a SOHO router to the port-security enabled switchport and have that device perform NAT, where all hosts connected to that device will communicate on the network via the 802.1x enabled port using a single MAC and IP address, thus defeating port security, correct?

Yes, this would “defeat” 802.1x if you had configured it to allow any single MAC address. However, you can configure it to allow only a particular MAC address, that of the only allowed workstation or device. In this case, if you were to unplug the workstation and plug in the SOHO router, the MAC is unrecognized, and 802.1x is activated.

There are quite a few parameters available that will allow you to certify that only those that are allowed to connect to a particular port will be able to use it. You can even set up remote authentication using a RADIUS server, where a password is required from the host to enable connectivity, something that a simple SOHO router using NAT could never compromise.

I hope this has been helpful!

Laz

1 Like

Hi,

Is possibile configure 802.1X authentication based on a smart-card access?

Or maybe after a kerberos authentication ?

Thanks

Hello Giovanni

Although I haven’t done it myself, doing a bit of research, I see that it has been done with smart-card access as well as with kerberos authentication.

There are cases where users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system, or using smart-cards, for both wired and wireless networks.

I hope this has been helpful!

Laz

Hi,
I can’t replicate these commands on my Switches with IOS 15.
IOS not recognize commands to apply aaa authentication on physical interfaces.
Can you help me?
Thanks

Hi

I found the root cause.
It was caused by my incorrect configuratiion at the interface level.

I found the solution here.
https://www.gns3.com/discussions/can-l2-iou-do-dot1x-port-control

But I still not replicate the lab.
Windows 10 not ask me for EAP credentials.

Can you help me?

Hello Giovanni

Can you be more specific about where the problem is you’re facing? Can you tell us which commands originally were not available and what alternative commands you tried using? That way we can take a closer look and help you out more effectively.

Looking forward to hearing from you!

Laz

HI,

I’ve reconfigured again my devices but commands explained in this lessons has been deprecated.

I configured the SW like this

aaa new-model
!
!
aaa authentication login MYAUTH group radius local
dot1x system-auth-control

radius server MYRADIUS
 address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
 key gns3
!
line vty 0 4
 login authentication MYAUTH

This configuration worked for telnet authentication on the device but it not work when I try to authenticate a client.

And also I’m not be able to configure windows 10 to authenticate with RADIUS server.

Is possible to update this lessons with the actual commands with an example of windows10 client authentication if it is changed?

Thanks

Hello Giovanni

@ReneMolenaar is continuously in the process of updating the content on NetworkLessons, for both the new exams, as well as keeping up with the changes in the IOS commands. Thanks for pointing this out, I will let Rene know to make a note of updating this content accordingly.

Thanks for the feedback!

Laz

Hi Giovanni,

I’ll create an updated example for this. Right now I’m working on the new CCNA material, which also covers AAA.

For the radius server, I’ll create and supply a freeradius docker container.

Rene

1 Like