AAA and 802.1X Authentication

Hello

Can you please explain what you mean at the beginning of the lesson, that port security cannot prevent the connection of a Wi-Fi router to the switch? Could not we just configure the switch to accept only specific MAC addresses on its interfaces via port security? How is NAT also affecting the whole process? Thank you in advance!

Regards
Markos

Hello Markos

Using port security we can do several things. We can restrict the use of a switch port to only one specific preconfigured MAC address or we can specify that only a single MAC address should be seen to be using this port. We can even use IP source guard to determine which will be the allowed source IP address that can use the interface, even on an L2 switch.

The first case will allow us to lock the port down such that only a specific computer having a specific MAC address can connect to that port. If this were implemented, then port security would indeed block the use of an access point. It would actually block the use of ANY device other than the computer with the specified MAC address. However, this port security scheme is not used that often because it has a very large administrative overhead, especially in environments where many moves, adds and changes take place.

The more common port security scenario, and the one that Rene is referring to in this lesson, is when port security is implemented so that only a single MAC address will be allowed on a port of a switch. This prevents users from bringing their own switches and connecting multiple devices to it because each of those devices will send a different source MAC address to the switch and will trigger the port security threshold. Additional port security scenarios include the use of IP source guard where packets from the specific IP address associated with the single allowed MAC address will only be permitted and all other hosts will be rejected.

These port security features cannot be used to prevent the use of a rogue access point because the access point will create a separate subnet for its wireless users and it will use NAT to translate all of those users to a single IP address for the switch-facing interface. Any and all traffic from users on the impromptu wireless network will appear to the switch using the legitimate single MAC address allowed and the legitimate single associated IP address. Thus, all traffic will be allowed through.

I hope this has been helpful!

Laz

Just a quick real-world question. I'm wondering about the ramifications in a Windows domain environment. If a host machine is booted, I assume all traffic from the machine is blocked prior to the login. I assume the Windows SSO can also act as an 802.1X supplicant. If so, then I get my Windows logon AND network access at the same time? How does this work in a scenario where one user logs off and a second logs on? Or if (in a Windows 7+ environment) a “switch user” is performed? Any light you can shed on how 802.1X works with AD login, login scripts, group policy etc. would be appreciated.

Thanks so much!

Hello Edgar,

Good question. From the “network engineer” perspective, 802.1X is layer two authentication so how the operating system deals with it is a system engineer issue :grin:

You really need to dive into windows authentication to figure out how this exactly works.

Some items to consider:

  • When you provision a new machine, it has to join the domain so somehow it requires access to the domain. IAS/NPS probably supports a fallback VLAN so when authentication fails (it does because it’s a new machine), you can add it to a “provision” VLAN which allows access to the domain and provision it.

  • Another option is MAB. You could create a script that adds the MAC address automatically when you provision the new machine.

  • When you provision the machine, you can use a GPO to configure your 802.1x settings and enroll certificates.

  • You can enroll user or machine certificates. You could use the machine certificate to authenticate the computer with 802.1X and use the user account only for domain authentication. I believe when you do this, machine authentication works automatically before the user attempts to log in.

  • With SSO, the user credentials are used for 802.1X as well. I’m not sure how it works when you switch a user though…that’s something to test :slight_smile:

Rene

Hi,
I’m working on setting up my switch to use 802.1x for user authentication on the switch along with port authentication for the end user/endpoints. I’m running 15.2(4) on my 2960x stack. I’ve gotten the switch user auth working but I’m struggling with the dynamic VLAN port assignment. Logging says it's trying to use VLAN 1, which is confusing me since in my RADIUS server (Windows Server NPS) I’ve specified VLAN 23. Here is what I’ve configured thus far:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

interface GigabitEthernet1/0/1
 description ***IT User Port***
 switchport mode access
 access-session host-mode multi-host
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge

!
radius server DC1
 address ipv4 10.0.3.35 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxx
!
radius server DC2
 address ipv4 10.0.3.30 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxx
!

Then on my RADIUS server I have my switch added as a RADIUS client.
I have two network policies, one for switch authentication per a security group giving level 15 access, and a port auth group using the following settings (edit: I can't add more than one image):

Conditions:
Windows group w/ NAS Port Type Ethernet

Constraints:
Microsoft: Protected EAP (PEAP) with the top 4 Less secure authentication methods checked

Settings:
Tunnel-Medium-Type - 802(includes all 802 media plus Ethernet canonical…)
Tunnel-Pvt-Group-ID - 23
Tunnel-Type - Virtual LANs (VLAN)

One last struggle is all the different ways to configure the port g1/0/1. With 15.2(4) there are a lot of commands deprecated. For example, authentication is replaced with access-session. But not everything matches.

Anyways, any thoughts and feedback are appreciated.

Thanks,

Jon

Hello Jon

There are particular cases when a user is “defaulted” back to VLAN 1, or to the configured access VLAN on that particular port. According to Cisco, this can occur:

  • If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

  • If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and the configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.

  • IEEE 802.1X authentication is disabled on the port.

  • The port is in the force authorized, force unauthorized, unauthorized, or shutdown state.

Because some of the commands have been deprecated, and because 802.1x Authentication with VLAN Assignment is not yet covered in full in the lessons, the best resource you can use is the following Cisco documentation:

Of particular interest to you is the flowchart at the following link from the above documentation, which indicates when a port will be Assigned to the VLAN configured in the RADIUS server and when it will be assigned to a guest VLAN.

I hope this has been helpful!

Laz
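The fallback rules quoted in the reply above, applied to the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID settings Jon posted from NPS, as an added Python model. This is not code from the thread, from NetworkLessons or from Cisco; the Port dataclass, the sample Access-Accept attributes and the switch VLAN table are constructed here, and it assumes that a VLAN ID or name which is not defined on the switch counts as "not valid" (so the port keeps its configured access VLAN).

```python
"""Which VLAN does an 802.1X port end up in after a RADIUS Access-Accept?

Models the Catalyst fallback rules quoted in the reply above against the
RFC 2868 tunnel attributes that NPS sends for VLAN assignment.
"""
from __future__ import annotations

from dataclasses import dataclass

# RADIUS attribute numbers (RFC 2868) and the values NPS was configured with
TUNNEL_TYPE = 64               # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN ID ("23") or VLAN name


def tunnel_value(raw: bytes) -> tuple[int, bytes]:
    """Split a tunnel attribute into (tag, value).

    RFC 2868: a first byte of 0x00..0x1F is a tag; anything larger means the
    attribute is untagged and the whole field is the value.
    """
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


@dataclass
class Port:
    access_vlan: int                 # 'switchport access vlan N' (VLAN 1 by default)
    dot1x_enabled: bool = True       # dot1x system-auth-control + dot1x pae authenticator
    port_control: str = "auto"       # auto | force-authorized | force-unauthorized
    state: str = "authorized"        # authorized | unauthorized | shutdown


def radius_vlan(attrs: dict[int, bytes], switch_vlans: dict[int, str]) -> int | None:
    """Return the VLAN the server asked for.

    None  -> the server supplied no VLAN at all.
    ValueError -> tunnel attributes are present but not valid.
    Assumption (not from the thread): a VLAN that is not defined on the
    switch is treated as invalid.
    """
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None
    _, ttype = tunnel_value(attrs.get(TUNNEL_TYPE, b""))
    _, medium = tunnel_value(attrs.get(TUNNEL_MEDIUM_TYPE, b""))
    if int.from_bytes(ttype, "big") != 13 or int.from_bytes(medium, "big") != 6:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type are not VLAN/802")
    _, group = tunnel_value(attrs[TUNNEL_PRIVATE_GROUP_ID])
    text = group.decode("ascii", "replace")
    if text.isdigit():
        vid = int(text)
        if 1 <= vid <= 4094 and vid in switch_vlans:
            return vid
    else:
        for vid, name in switch_vlans.items():
            if name == text:
                return vid
    raise ValueError(f"VLAN {text!r} is not valid on this switch")


def assigned_vlan(port: Port, accept_attrs: dict[int, bytes],
                  switch_vlans: dict[int, str]) -> tuple[int, str]:
    """Apply the fallback rules to a successfully authenticated session.

    Returns (vlan, reason) so a troubleshooter can see *why* VLAN 1 came up.
    """
    if not port.dot1x_enabled:
        return port.access_vlan, "802.1X disabled on port"
    if port.port_control != "auto" or port.state in ("unauthorized", "shutdown"):
        return port.access_vlan, f"port is {port.port_control}/{port.state}"
    try:
        vlan = radius_vlan(accept_attrs, switch_vlans)
    except ValueError as err:
        return port.access_vlan, f"authorization failed: {err}"
    if vlan is None:
        return port.access_vlan, "no VLAN supplied by RADIUS"
    return vlan, "VLAN assigned by RADIUS"


# Constructed sample: what an NPS policy with Jon's three settings sends
NPS_ACCEPT = {
    TUNNEL_TYPE: b"\x00\x00\x00\x0d",        # tag 0, VLAN (13)
    TUNNEL_MEDIUM_TYPE: b"\x00\x00\x00\x06",  # tag 0, 802 (6)
    TUNNEL_PRIVATE_GROUP_ID: b"23",           # untagged, VLAN 23
}
SWITCH_VLANS = {1: "default", 23: "IT-Users"}  # constructed 'show vlan brief'

if __name__ == "__main__":
    print(assigned_vlan(Port(1), NPS_ACCEPT, SWITCH_VLANS))
    print(assigned_vlan(Port(1), NPS_ACCEPT, {1: "default"}))  # VLAN 23 missing
```

Run it with VLAN 23 absent from the switch table and the function reports the configured VLAN with "authorization failed", which is the symptom in Jon's logs; with the VLAN present it returns 23. The same check catches a policy that sends a medium type other than 802 or a VLAN name that does not match anything on the switch.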

So would 802.1x stop a user from connecting a box from Best Buy that does NAT? As long as the EAPOL packets are sent from a host on the other side, wouldn’t that defeat 802.1x?

Hello Justin

If I understood your argument correctly, you mean connect something like an access point or a SOHO router to the port-security enabled switchport and have that device perform NAT, where all hosts connected to that device will communicate on the network via the 802.1x enabled port using a single MAC and IP address, thus defeating port security, correct?

Yes, this would “defeat” 802.1x if you had configured it to allow any single MAC address. However, you can configure it to allow only a particular MAC address, that of the only allowed workstation or device. In this case, if you were to unplug the workstation and plug in the SOHO router, the MAC is unrecognized, and 802.1x is activated.

There are quite a few parameters available that will allow you to certify that only those that are allowed to connect to a particular port will be able to use it. You can even set up remote authentication using a RADIUS server, where a password is required from the host to enable connectivity, something that a simple SOHO router using NAT could never compromise.

I hope this has been helpful!

Laz

Hi,

Is it possible to configure 802.1X authentication based on smart-card access?

Or maybe after a Kerberos authentication?

Thanks

Hello Giovanni

Although I haven’t done it myself, doing a bit of research, I see that it has been done with smart-card access as well as with kerberos authentication.

There are cases where users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system, or using smart-cards, for both wired and wireless networks.

I hope this has been helpful!

Laz

Hi,
I can’t replicate these commands on my switches with IOS 15.
IOS does not recognize the commands to apply aaa authentication on physical interfaces.
Can you help me?
Thanks

Hi

I found the root cause.
It was caused by my incorrect configuration at the interface level.

I found the solution here.
https://www.gns3.com/discussions/can-l2-iou-do-dot1x-port-control

But I still can't replicate the lab.
Windows 10 does not ask me for EAP credentials.

Can you help me?

Hello Giovanni

Can you be more specific about where the problem is you’re facing? Can you tell us which commands originally were not available and what alternative commands you tried using? That way we can take a closer look and help you out more effectively.

Looking forward to hearing from you!

Laz

Hi,

I’ve reconfigured my devices again, but the commands explained in this lesson have been deprecated.

I configured the SW like this

aaa new-model
!
!
aaa authentication login MYAUTH group radius local
dot1x system-auth-control

radius server MYRADIUS
 address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
 key gns3
!
line vty 0 4
 login authentication MYAUTH

This configuration worked for telnet authentication on the device, but it does not work when I try to authenticate a client.

And also I’m not able to configure Windows 10 to authenticate with the RADIUS server.

Is it possible to update this lesson with the current commands and an example of Windows 10 client authentication, if it has changed?

Thanks

Hello Giovanni

@ReneMolenaar is continuously in the process of updating the content on NetworkLessons, for both the new exams, as well as keeping up with the changes in the IOS commands. Thanks for pointing this out, I will let Rene know to make a note of updating this content accordingly.

Thanks for the feedback!

Laz

Hi Giovanni,

I’ll create an updated example for this. Right now I’m working on the new CCNA material, which also covers AAA.

For the radius server, I’ll create and supply a freeradius docker container.

Rene

Difference between TACACS server, RADIUS server and RADIUS/TACACS client.
I am trying to understand the basic difference between TACACS client and TACACS server, RADIUS client and RADIUS server, and ISE.

Since TACACS+ is Cisco proprietary, can we only configure a centralized server on Cisco ACS or Cisco ISE acting as the TACACS server, while a Windows 2012 server acts as the centralized RADIUS server? And do network access devices such as Cisco switches act as either TACACS clients or RADIUS clients, with a source interface VLAN on the switch that carries the RADIUS or TACACS traffic towards the centralized servers?

In a shared authentication model, your Windows PC or Macintosh laptop is a supplicant while your Cisco switch is the authenticator, which authenticates using credentials of the local directory on ISE or LDAP on a Microsoft AD server?

Is authentication done locally at the Cisco switch with the response of the RADIUS server from Microsoft AD or the TACACS+ Cisco ISE, or is it done entirely at the end devices through a secured tunnel? I am not getting deeper into authentication protocols like EAP-FAST or PEAP. I just want to understand the device roles, as in where the authentication process happens between the three nodes, starting with host supplicants, the authenticator (network switch) and the back-end authentication device like ISE or Microsoft AD LDAP.

Hello Harshi

TACACS+ and RADIUS are two different families of protocols that perform similar functions. Some details about each:

  • TACACS+ is Cisco proprietary but started out as an authentication for UNIX systems in the 1980s
  • TACACS+ can be run on a VM, and there are versions that can be run on Windows as well
  • TACACS+ uses TCP
  • RADIUS is a protocol standardized by the IETF
  • RADIUS can run on most Linux and Windows platforms
  • RADIUS uses UDP by default but can also be configured to use TCP

Both fundamentally do the same thing but each has some specialisations that the other may not cover. As far as ISE goes, it uses TACACS+ for network device management and auditing, but it also supports RADIUS for standard AAA services and integrates with external RADIUS servers as well. You can find more info about ISE at this Cisco Datasheet.

As far as RADIUS and TACACS+ clients go, these can be any devices, either network devices or hosts, that support these protocols. The vast majority of consumer grade devices will support RADIUS, but a smaller, but substantial subset will also support TACACS+.

In a configuration similar to that in the lesson, the Windows PC is the supplicant, the authenticator is the switch, and the authentication server is the external TACACS+/RADIUS server. So the authenticator will do the authentication, but will use the credential information found in the database of the authentication server to authenticate or deny the supplicant. However, if you configure the switch to have the local database as a backup, the role of the authentication server will be taken over by the switch in the event of a failure in communication with the authentication server.

So authentication is done locally at the switch with the response from the server.

I hope this has been helpful!

Laz
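The three roles Laz describes, with the authenticator (switch) and the authentication server exchanging actual RADIUS messages and the switch falling back to its local database when no server answers (the behaviour of `group radius local` in Giovanni's configuration earlier in the thread), as an added Python example. This is not code from the thread, from NetworkLessons, Cisco or Microsoft; it models the RFC 2865 PAP-style Access-Request / Access-Accept used for a login (telnet/SSH) authentication, not the EAP exchange of 802.1X, and the shared secret, user database, NAS address and the fixed Request Authenticator are constructed values.

```python
"""Authenticator <-> authentication server at RADIUS packet level (RFC 2865).

The switch hides the password with the shared secret, the server checks it,
and the switch validates the Response Authenticator before trusting the
answer; with no server reachable it falls back to the local user database.
"""
from __future__ import annotations

import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_ETHERNET = 15   # the "Ethernet" condition in an NPS policy


def encode_attrs(attrs: list[tuple[int, bytes]]) -> bytes:
    """Type(1) Length(1, header included) Value, back to back."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list[tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, req_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def radius_server(request: bytes, secret: bytes, users: dict[bytes, bytes]) -> bytes:
    """Authentication server: decode the request, look the user up, answer."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME, b"")) == password else ACCESS_REJECT
    body = b""
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, req_auth, body, secret) + body


def authenticator_login(user: bytes, password: bytes, secret: bytes, nas_ip: str,
                        server=None, local_users: dict[bytes, bytes] | None = None) -> tuple[str, str]:
    """Authenticator (switch): ask the server; only if it is unreachable (server is None)
    consult the local database.  Returns (decision, where it was decided)."""
    ident = 7
    req_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes per request
    body = encode_attrs([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(secret, req_auth, password)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ])
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    if server is not None:
        resp = server(request)
        code, r_ident, length = struct.unpack("!BBH", resp[:4])
        expected = response_authenticator(code, r_ident, req_auth, resp[20:length], secret)
        if r_ident != ident or resp[4:20] != expected:   # wrong secret or forged reply
            return "rejected", "radius (bad response authenticator)"
        return ("accepted" if code == ACCESS_ACCEPT else "rejected"), "radius"
    ok = (local_users or {}).get(user) == password
    return ("accepted" if ok else "rejected"), "local"


SECRET = b"constructed-shared-secret"      # constructed, stands in for 'key gns3'
USERS = {b"jon": b"correct-horse"}        # constructed server database
LOCAL_USERS = {b"jon": b"correct-horse"}  # constructed 'username ... password' entries

if __name__ == "__main__":
    print(authenticator_login(b"jon", b"correct-horse", SECRET, "10.0.3.1",
                              lambda req: radius_server(req, SECRET, USERS)))
    print(authenticator_login(b"jon", b"correct-horse", SECRET, "10.0.3.1", None, LOCAL_USERS))
```

Two things worth noticing in the exchange: the decision (accept or reject) is made by the server, but it is the switch that turns that decision into access, which is what Laz means by "authentication is done locally at the switch with the response from the server"; and a mismatched shared secret does not produce an Access-Reject but a reply whose Response Authenticator the switch cannot verify, which is how a `key` typo on either side shows up.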

Thanks for the very detailed explanation.
1) I have seen a cipher configured on ISE in some examples; does ISE play the role of the authenticator here, bypassing the authenticator, which is a Cisco switch?
2) In a regular environment, where is the centralized RADIUS server configured? I know a Windows 2012 server can act as Active Directory with LDAP for storing account credentials; where do RADIUS servers and TACACS+ servers reside? Do they reside on Linux boxes or some special products?

Hello Harshi

If you employ the use of an ISE device, it plays the role of the authentication server. The authentication takes place at the switch. It is the only place that it can take place, because that’s where the physical port for which authentication takes place resides. The switch will query the ISE (authentication server) and respond by either enabling or disabling access itself (which is the authenticator, the switch itself.)

A RADIUS server (or any type of authentication server) can reside anywhere you like as long as the authenticator has network access to the authentication server to query it. Usually, the authentication server will exist on some Windows or Linux server on the enterprise’s datacentre, if it exists, either as a physical device or as a VM. But there is no limitation to where it will be. The only thing that is necessary is network connectivity from the authenticator to the authentication server.

I hope this has been helpful!

Laz