AAA and 802.1X Authentication

This topic is to discuss the following lesson:

What’s the name of the follow-up lesson? “In another lesson I will give you a configuration example how to implement this on a Cisco Catalyst Switch.”

Or does it not yet exist?

Hi Tim,

I just added a link in the lesson, or you can use this one:

AAA Configuration on Cisco Catalyst Switch

Rene

Are RADIUS and TACACS+ used to authenticate users only for management of intermediary devices, or also for access to the intranet domain and maybe to go out to the Internet?

Hi Francesco,

We use RADIUS and TACACS+ for both user authentication and management. For example, with wireless networks we use RADIUS for user authentication (WPA2-enterprise). This allows us to use client and server certificates and it’s a far more secure solution than using pre-shared keys only.

For network management, it’s useful since you can centralize all your authentication instead of creating usernames/passwords on each and every router, switch, firewall, etc on your network.

It’s used on local networks, the only time you might use it on the Internet is if you have a branch office and you want to use the RADIUS/TACACS+ server on the main site. In that case, you would use a VPN tunnel.

Rene

Hi Rene,
Which RFC standard can I follow when learning TACACS+?
Many thanks!

Hello Thinh

The original TACACS is defined in RFC 1492 as it is an open IETF standard. TACACS+ however was developed by Cisco so it has no corresponding RFC. Cisco developed it as an open standard so many vendors can and do use it.

There is however a Cisco RFC TACACS+ Draft available on the IETF web site that you can check out. There are also additional drafts that have been added, the most recent of which can be found here.

I hope this has been helpful!

Laz


Oh, thank you so much, I looked it up :slight_smile:


Hello

Can you please explain what you mean at the beginning of the lesson, that port security cannot prevent the connection of a Wi-Fi router to the switch? Could we not just configure the switch to accept only specific MAC addresses on its interfaces via port security? How does NAT also affect the whole process? Thank you in advance!

Regards
Markos

Hello Markos

Using port security we can do several things. We can restrict the use of a switch port to only one specific preconfigured MAC address or we can specify that only a single MAC address should be seen to be using this port. We can even use IP source guard to determine which will be the allowed source IP address that can use the interface, even on an L2 switch.

The first case will allow us to lock the port down such that only a specific computer having a specific MAC address can connect to that port. If this were implemented, then port security would indeed block the use of an access point. It would actually block the use of ANY device other than the computer with the specified MAC address. However, this port security scheme is not used that often because it has a very large administrative overhead, especially in environments where many moves, adds and changes take place.

The more common port security scenario, and the one that Rene is referring to in this lesson, is when port security is implemented so that only a single MAC address will be allowed on a port of a switch. This prevents users from bringing their own switches and connecting multiple devices to it, because each of those devices will send a different source MAC address to the switch and will trigger the port security threshold. Additional port security scenarios include the use of IP source guard, where only packets from the specific IP address associated with the single allowed MAC address will be permitted and all other hosts will be rejected.

These port security features cannot be used to prevent the use of a rogue access point because the access point will create a separate subnet for its wireless users and it will use NAT to translate all of those users to a single IP address for the switch-facing interface. Any and all traffic from users on the impromptu wireless network will appear to the switch using the legitimate single MAC address allowed and the legitimate single associated IP address. Thus, all traffic will be allowed through.

I hope this has been helpful!

Laz
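To make the three scenarios in Laz's answer concrete, here is an added Python model (not code from the original thread or from Cisco) of how an access port applies the checks he describes: a static MAC list, a "maximum 1" learned-MAC limit, and an IP source guard binding. It inspects the same two fields a real switch inspects, source MAC and source IP, so it shows directly why three PCs behind an unmanaged switch trip the limit while three PCs behind a NAT router do not. All MAC addresses, IP addresses, frames and the DHCP-snooping binding table are constructed for the demonstration; the assumption that the rogue router's WAN port obtained the DHCP lease (and therefore the IPSG binding) is stated in the comments.

```python
import ipaddress
import struct

# Constructed model of a Cisco-style access port running port security and
# IP source guard. Only the fields a switch actually checks are examined:
# the source MAC of the Ethernet header and the source IP of the IPv4 header.

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet II frame with a minimal IPv4 header (checksum left 0)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + ip_hdr + payload


def parse_frame(frame):
    """Return (src_mac_bytes, src_ip_str or None) as the switch sees them."""
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    src_ip = None
    if etype == ETHERTYPE_IPV4 and len(frame) >= 14 + 20:
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))  # IPv4 source at offset 14 + 12
    return src, src_ip


class AccessPort:
    """static_macs models 'switchport port-security mac-address <mac>',
    max_macs models 'switchport port-security maximum <n>', and
    ipsg_bindings are the (MAC, IP) pairs DHCP snooping learned on this port."""

    def __init__(self, max_macs=1, static_macs=None, ipsg_bindings=None):
        self.max_macs = max_macs
        self.static = {mac(m) for m in static_macs} if static_macs else None
        self.ipsg = {(mac(m), ip) for m, ip in ipsg_bindings} if ipsg_bindings else None
        self.learned = set()
        self.violations = []

    def _violate(self, src, reason):
        self.violations.append((src.hex(":"), reason))
        return False

    def ingress(self, frame):
        """True if forwarded, False if port security or IP source guard drops it."""
        src, src_ip = parse_frame(frame)
        if self.static is not None and src not in self.static:
            return self._violate(src, "source MAC not in static list")
        if src not in self.learned and len(self.learned) >= self.max_macs:
            return self._violate(src, "more MACs than 'maximum' allows")
        self.learned.add(src)
        if self.ipsg is not None and (src, src_ip) not in self.ipsg:
            return self._violate(src, "no IPSG binding for this MAC/IP pair")
        return True


# Constructed addresses (documentation ranges).
PC_MAC, PC_IP = "aa:bb:cc:00:00:01", "10.0.23.10"
GW_MAC = "00:00:5e:00:53:01"
ROUTER_MAC = "dd:ee:ff:00:00:99"   # rogue SOHO router; assumed its WAN side got lease 10.0.23.10

# Three PCs behind an unmanaged switch: each frame carries its own MAC and IP.
HUB_FRAMES = [
    build_frame(f"aa:bb:cc:00:00:0{i}", GW_MAC, f"10.0.23.{9 + i}", "203.0.113.5") for i in (1, 2, 3)
]
# Three PCs behind the NAT router: after translation every frame looks identical.
NAT_FRAMES = [
    build_frame(ROUTER_MAC, GW_MAC, PC_IP, "203.0.113.5", payload=bytes([i])) for i in (1, 2, 3)
]


def run(port, frames):
    return [port.ingress(f) for f in frames]


def demo():
    hub_port = AccessPort(max_macs=1, ipsg_bindings=[(PC_MAC, PC_IP)])
    # The router holds the DHCP lease, so snooping created a binding for it.
    nat_port = AccessPort(max_macs=1, ipsg_bindings=[(ROUTER_MAC, PC_IP)])
    static_port = AccessPort(max_macs=1, static_macs=[PC_MAC])
    return {
        "hub_max1": run(hub_port, HUB_FRAMES),          # [True, False, False]
        "nat_max1_ipsg": run(nat_port, NAT_FRAMES),     # [True, True, True]
        "nat_static": run(static_port, NAT_FRAMES),     # [False, False, False]
    }
```

The `maximum 1` port plus IPSG stops the second and third PCs on the unmanaged switch, but forwards every frame from the NAT router because all of them carry the router's MAC and the single leased IP; only the static MAC entry for the real PC rejects the router, which is the administrative-overhead trade-off Laz mentions.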

Just a quick real-world question. I'm wondering about the ramifications in a Windows domain environment. If a host machine is booted, I assume all traffic from the machine is blocked prior to the login. I assume the Windows SSO can also act as an 802.1X supplicant. If so, then I get my Windows logon AND network access at the same time? How does this work in a scenario if one user logs off and a second logs on? Or if (in a Windows 7+ environment) a “switch user” is performed? Any light you can shed on how 802.1X works with AD login, login scripts, group policy etc. would be appreciated.

Thanks so much!

Hello Edgar,

Good question. From the “network engineer” perspective, 802.1X is layer two authentication so how the operating system deals with it is a system engineer issue :grin:

You really need to dive into windows authentication to figure out how this exactly works.

Some items to consider:

  • When you provision a new machine, it has to join the domain so somehow it requires access to the domain. IAS/NPS probably supports a fallback VLAN so when authentication fails (it does because it’s a new machine), you can add it to a “provision” VLAN which allows access to the domain and provision it.

  • Another option is MAB. You could create a script that adds the MAC address automatically when you provision the new machine.

  • When you provision the machine, you can use a GPO to configure your 802.1x settings and enroll certificates.

  • You can enroll user or machine certificates. You could use the machine certificate to authenticate the computer with 802.1X and use the user account only for domain authentication. I believe when you do this, machine authentication works automatically before the user attempts to log in.

  • With SSO, the user credentials are used for 802.1X as well. I’m not sure how it works when you switch a user though…that’s something to test :slight_smile:

Rene

Hi,
I'm working on setting up my switch to use 802.1X for user authentication on the switch along with port authentication for the end users/endpoints. I'm running 15.2(4) on my 2960X stack. I've gotten the switch user auth working but I'm struggling with the dynamic VLAN port assignment. Logging says it's trying to use VLAN 1, which is confusing me since in my RADIUS server (Windows Server NPS) I've specified VLAN 23. Here is what I've configured thus far:

aaa new-model
!
! CLI login: ask the RADIUS group first, fall back to local users if no server answers
aaa authentication login default group radius local
aaa authentication enable default none
! 802.1X (EAP) authentication and network authorization (this is what carries the VLAN) via RADIUS
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Enable 802.1X globally; without this the interface commands below do nothing
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description ***IT User Port***
 switchport mode access
 ! multi-host: one client authenticates, after which any MAC on the port is allowed
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
! Two NPS servers as RADIUS servers; key 7 is the Cisco type-7 obfuscated shared secret
radius server DC1
 address ipv4 10.0.3.35 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxx
!
radius server DC2
 address ipv4 10.0.3.30 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxx
!

Then on my radius server I have the my switch added as a Radius Client.
I have 2 network policies: one for switch authentication per security group, giving level 15 access, and a port auth group using the following settings (edit: I can't add more than one image):

Conditions:
Windows group w/ NAS Port Type Ethernet

Constraints:
Microsoft: Protected EAP (PEAP) with the top 4 Less secure authentication methods checked

Settings:
Tunnel-Medium-Type - 802(includes all 802 media plus Ethernet canonical…)
Tunnel-Pvt-Group-ID - 23
Tunnel-Type - Virtual LANs (VLAN)

One last struggle is all the different ways to configure the port g1/0/1. With 15.2(4) there are a lot of deprecated commands. For example, authentication is replaced with access-session. But not everything matches.

Anyways, any thoughts and feed back is appreciated.

Thanks,

Jon

Hello Jon

There are particular cases when a user is “defaulted” back to VLAN 1, or to the configured access VLAN on that particular port. According to Cisco, this can occur:

  • If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

  • If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and the configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.

  • IEEE 802.1X authentication is disabled on the port.

  • The port is in the force authorized, force unauthorized, unauthorized, or shutdown state.

Because some of the commands have been deprecated, and because 802.1x Authentication with VLAN Assignment is not yet covered in full in the lessons, the best resource you can use is the following Cisco documentation:

Of particular interest to you is the flowchart at the following link from the above documentation, which indicates when a port will be Assigned to the VLAN configured in the RADIUS server and when it will be assigned to a guest VLAN.

I hope this has been helpful!

Laz
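The list above describes when the switch uses the RADIUS-supplied VLAN and when it stays in the configured access VLAN; Jon's NPS policy shows the three attributes that carry it (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 23, all from RFC 2868). The following added Python example (not from the original thread, NetworkLessons, Cisco or Microsoft) builds such an Access-Accept as an NPS server would, verifies its Response Authenticator with the shared secret before trusting anything in it, and then applies the decision rules from the list to a constructed VLAN table. The shared secret, Request Authenticator, VLAN database and NAS behaviour on a bad attribute are constructed assumptions; the treatment of a leading 0x00-0x1F octet as the RFC 2868 tag and the lookup of Tunnel-Private-Group-ID by VLAN name as well as by number are assumptions about Cisco's handling and are marked in the comments.

```python
import hashlib
import hmac
import struct

# Constructed model of a NAS receiving an Access-Accept with VLAN attributes.
CODE_ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64               # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(text, tag=0):
    return bytes([tag]) + text.encode("ascii")


def attr(attr_type, value):
    """RADIUS attribute TLV: Type, Length (header octets included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """The NAS must check this before trusting any attribute in the reply."""
    if len(packet) < 20:
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(body):
    """Return [(type, value)], rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        out.append((attr_type, body[i + 2:i + length]))
        i += length
    return out


def untag(value):
    """Assumption: a leading octet in 0x00-0x1F is the RFC 2868 tag and is stripped."""
    return value[1:] if value and value[0] <= 0x1F else value


def decide_vlan(packet, request_auth, secret, configured_vlan, vlan_db):
    """Return (vlan_to_use, reason); vlan_db maps VLAN id -> name as in 'show vlan'."""
    if not verify_response(packet, request_auth, secret):
        return None, "bad Response Authenticator: reply discarded, port stays unauthorized"
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None, "not an Access-Accept"
    attrs = dict(parse_attrs(packet[20:]))
    ttype = attrs.get(ATTR_TUNNEL_TYPE)
    tmedium = attrs.get(ATTR_TUNNEL_MEDIUM_TYPE)
    tgroup = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None and tmedium is None and tgroup is None:
        return configured_vlan, "no VLAN supplied by RADIUS: configured access VLAN"
    if (ttype is None or tmedium is None or tgroup is None
            or len(ttype) != 4 or len(tmedium) != 4
            or int.from_bytes(untag(ttype), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(untag(tmedium), "big") != TUNNEL_MEDIUM_IEEE_802):
        return configured_vlan, "VLAN attributes invalid: authorization fails, configured VLAN remains"
    group = untag(tgroup).decode("ascii", errors="replace")
    if group.isdigit() and int(group) in vlan_db:
        return int(group), "RADIUS-assigned VLAN by ID"
    names = {name: vid for vid, name in vlan_db.items()}   # assumption: name lookup allowed
    if group in names:
        return names[group], "RADIUS-assigned VLAN by name"
    return configured_vlan, f"VLAN {group!r} not in VLAN database: authorization fails, configured VLAN remains"


# Constructed sample: port with access VLAN 1, switch knows VLANs 1, 23 and 99.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
VLAN_DB = {1: "default", 23: "IT-USERS", 99: "GUEST"}
NPS_ATTRS = [
    attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
    attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
    attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_str("23")),
]


def demo():
    good = build_access_accept(7, REQUEST_AUTH, SECRET, NPS_ATTRS)
    empty = build_access_accept(8, REQUEST_AUTH, SECRET, [])
    unknown = build_access_accept(
        9, REQUEST_AUTH, SECRET,
        NPS_ATTRS[:2] + [attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_str("4000"))])
    forged = good[:-1] + bytes([good[-1] ^ 0x01])   # on-path tampering with the Group-ID
    return [decide_vlan(p, REQUEST_AUTH, SECRET, 1, VLAN_DB)
            for p in (good, empty, unknown, forged)]
```

Running `demo()` gives VLAN 23 for the well-formed reply, VLAN 1 (the configured access VLAN) when no Tunnel attributes are present or when the Group-ID names a VLAN the switch does not have, and no assignment at all when the Response Authenticator does not verify. The last case is the check worth remembering: a NAS that skipped it would let anyone who can inject UDP/1812 replies put a port in any VLAN.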

So would 802.1X stop a user from connecting a box from Best Buy that does NAT? As long as the EAPOL packets are sent from a host on the other side, wouldn't that defeat 802.1X?


Hello Justin

If I understood your argument correctly, you mean connect something like an access point or a SOHO router to the port-security enabled switchport and have that device perform NAT, where all hosts connected to that device will communicate on the network via the 802.1x enabled port using a single MAC and IP address, thus defeating port security, correct?

Yes, this would “defeat” 802.1x if you had configured it to allow any single MAC address. However, you can configure it to allow only a particular MAC address, that of the only allowed workstation or device. In this case, if you were to unplug the workstation and plug in the SOHO router, the MAC is unrecognized, and 802.1x is activated.

There are quite a few parameters available that will allow you to certify that only those that are allowed to connect to a particular port will be able to use it. You can even set up remote authentication using a RADIUS server, where a password is required from the host to enable connectivity, something that a simple SOHO router using NAT could never compromise.

I hope this has been helpful!

Laz


Hi,

Is it possible to configure 802.1X authentication based on smart-card access?

Or maybe after a Kerberos authentication?

Thanks

Hello Giovanni

Although I haven't done it myself, doing a bit of research, I see that it has been done with smart-card access as well as with Kerberos authentication.

There are cases where users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system, or using smart-cards, for both wired and wireless networks.

I hope this has been helpful!

Laz