AAA and 802.1X Authentication

Hello Giovanni

Can you be more specific about where the problem is you’re facing? Can you tell us which commands originally were not available and what alternative commands you tried using? That way we can take a closer look and help you out more effectively.

Looking forward to hearing from you!

Laz

Hi,

I’ve reconfigured my devices again, but the commands explained in this lesson have been deprecated.

I configured the SW like this:

! Enable the AAA framework
aaa new-model
!
! Login method list: try the RADIUS group first, fall back to the local database
aaa authentication login MYAUTH group radius local
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
! RADIUS server definition using the newer "radius server" syntax (RFC ports 1812/1813)
radius server MYRADIUS
 address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
 key gns3
!
! Apply the login method list to the VTY lines (telnet)
! Note: no "aaa authentication dot1x" method list or interface-level dot1x commands are included here
line vty 0 4
 login authentication MYAUTH

This configuration worked for telnet authentication on the device, but it does not work when I try to authenticate a client.

I’m also not able to configure Windows 10 to authenticate with the RADIUS server.

Is it possible to update this lesson with the actual commands, with an example of Windows 10 client authentication, if it has changed?

Thanks

Hello Giovanni

@ReneMolenaar is continuously in the process of updating the content on NetworkLessons, for both the new exams, as well as keeping up with the changes in the IOS commands. Thanks for pointing this out, I will let Rene know to make a note of updating this content accordingly.

Thanks for the feedback!

Laz

Hi Giovanni,

I’ll create an updated example for this. Right now I’m working on the new CCNA material, which also covers AAA.

For the radius server, I’ll create and supply a freeradius docker container.

Rene

1 Like

Difference between TACACS+ server, RADIUS server and RADIUS/TACACS+ client.
I am trying to understand the basic difference between a TACACS+ client and TACACS+ server, a RADIUS client and RADIUS server, and ISE.

Since TACACS+ is Cisco proprietary, can we only configure a centralized server on Cisco ACS or Cisco ISE acting as the TACACS+ server, while a Windows 2012 server acts as the centralized RADIUS server? And are network access devices such as Cisco switches either TACACS+ clients or RADIUS clients, with a source interface VLAN on the switch that carries the RADIUS or TACACS+ traffic towards the centralized servers?

In a shared authentication model, is your Windows PC or Macintosh laptop the supplicant, while your Cisco switch is the authenticator, which authenticates using the credentials of the local directory on ISE or LDAP on a Microsoft AD server?

Is authentication done locally at the Cisco switch with the response of the RADIUS server from Microsoft AD or the TACACS+ Cisco ISE, or is it all done at the end devices through a secured tunnel? I am not getting deeper into authentication protocols like EAP-FAST or PEAP. I just want to understand the device roles, i.e. where the authentication process happens between the three nodes, starting with the host supplicants, the authenticator (network switch) and the back-end authentication device like ISE or Microsoft AD LDAP.

1 Like

Hello Harshi

TACACS+ and RADIUS are two different families of protocols that perform similar functions. Some details about each:

  • TACACS+ is Cisco proprietary but started out as an authentication for UNIX systems in the 1980s
  • TACACS+ can be run on a VM, and there are versions that can be run on Windows as well
  • TACACS+ uses TCP
  • RADIUS is a protocol standardized by the IETF
  • RADIUS can run on most Linux and Windows platforms
  • RADIUS uses UDP by default but can also be configured to use TCP

Both fundamentally do the same thing but each has some specialisations that the other may not cover. As far as ISE goes, it uses TACACS+ for network device management and auditing, but it also supports RADIUS for standard AAA services and integrates with external RADIUS servers as well. You can find more info about ISE at this Cisco Datasheet.

As far as RADIUS and TACACS+ clients go, these can be any devices, either network devices or hosts, that support these protocols. The vast majority of consumer grade devices will support RADIUS, but a smaller, but substantial subset will also support TACACS+.

In a configuration similar to that in the lesson, the windows PC is the supplicant, the authenticator is the switch, and the authentication server is the external TACACS+/RADIUS server. So the authenticator will do the authentication, but will use the credential information found in the database of the authentication server to authenticate or deny the supplicant. However, if you configure the switch to have the local database as a backup, the role of the authentication server will be taken over by the switch in the event of a failure in communication with the authentication server.

So authentication is done locally at the switch with the response from the server.

I hope this has been helpful!

Laz

1 Like

Thanks for the detailed explanation.
1) I have seen cipher configured on ISE in some examples; does ISE play the role of authenticator here, bypassing the authenticator, which is a Cisco switch?
2) In a regular environment, where is the centralized RADIUS server configured? I know a Windows 2012 server can act as Active Directory with LDAP for storing account credentials, but where do RADIUS servers and TACACS+ servers reside? Do they reside on Linux boxes or on some special products?

Hello Harshi

If you employ the use of an ISE device, it plays the role of the authentication server. The authentication takes place at the switch. It is the only place that it can take place, because that’s where the physical port for which authentication takes place resides. The switch will query the ISE (authentication server) and respond by either enabling or disabling access itself (the switch itself being the authenticator).

A RADIUS server (or any type of authentication server) can reside anywhere you like as long as the authenticator has network access to the authentication server to query it. Usually, the authentication server will exist on some Windows or Linux server in the enterprise’s datacentre, if it exists, either as a physical device or as a VM. But there is no limitation to where it will be. The only thing that is necessary is network connectivity from the authenticator to the authentication server.

I hope this has been helpful!

Laz

Hi Lazaros, the AAA lesson has me really confused. How do we know the right ports in the example, and what would be a simple command breakdown for setting up AAA and using it with enable and SSH?

Hello Daniel

This command allows you to specify the radius server. You must specify an IP address, but if you don’t specify the auth-port and the acct-port, the default values are 1645 and 1646 respectively as seen in this Cisco command reference. Now according to the IETF and in RFCs 2865 and 2866, RADIUS uses 1812 and 1813 but many systems use the 1645 and 1646 as defaults. In any case, you must use the ports configured on your RADIUS server, and in the lesson, these are the ports used by the Elecktron Radius server.

For configurations that use AAA for various command authorizations, take a look at the following lesson:

For SSH authentication using AAA, you may find this Cisco Community thread useful.

I hope this has been helpful!

Laz

1 Like

Hello Rene,
I love the example on how to install/use freeradius. I am currently testing freeradius and AAA on the switch. It seems to work fine…
Do you have any thoughts on this log output?

" 06549378 cms: ssk:28147609.860:zhnPae_bindVlan:2123:The Radius server requested eth2 membership to non existant vlan default_802.1x (-1)."

Hello Temitope

One of the things that 802.1X is capable of doing is instructing the switch not only to provide access to a host on a particular port, but also to define the VLAN on which that port will operate. This is useful as you can configure the RADIUS server to enable particular VLANs on specific access ports based on the authentication credentials of the host. That way you can predefine which VLAN each user will have access to.

One of the prerequisites for this to function correctly is that the VLAN to which a particular host is to be assigned must exist on the switch.

Based on this particular error message, it seems that the RADIUS server was attempting to assign a VLAN to the access port of that particular host to a VLAN that does not exist.

Can you share with us the context of this particular error message? Does this explanation fit well with the specific scenario that you see this error message appear? Let us know…

I hope this has been helpful!

Laz
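To make concrete what the shared secret (`key gns3` in the configuration posted earlier in this thread) and the auth/acct ports actually carry, and how a RADIUS server hands the switch a VLAN for the authenticated port, here is an added example. It is not code from NetworkLessons, FreeRADIUS or Cisco; it builds an Access-Request with the RFC 2865 User-Password hiding, lets a toy server answer with an Access-Accept carrying the RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) used for dynamic VLAN assignment, and verifies the Response Authenticator on the switch side. The user name, password, VLAN numbers, the switch’s VLAN list and the use of tag 0 on the tunnel attributes are constructed assumptions; only the secret `gns3` comes from the thread.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802 = 13, 6  # Tunnel-Type / Tunnel-Medium-Type values used for VLAN assignment

def attr(atype, value):
    # One attribute TLV: type, length including the 2-byte header, value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(data):
    # Attribute bytes -> {type: value}; a length < 2 would loop forever, so reject it
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    # Server side of hide_password; a wrong secret yields garbage, not an error
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(username, password, secret, ident, request_auth):
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def vlan_attrs(vlan_id, tag=0):
    # Tagged tunnel attributes the server returns to place the port in a VLAN (tag 0 assumed)
    return (attr(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def server_reply(request, secret, users, vlan_by_user):
    # Authentication server: check the password, answer Access-Accept (+VLAN) or Access-Reject
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME)
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    if user in users and hmac.compare_digest(users[user], password):
        code, reply = ACCESS_ACCEPT, vlan_attrs(vlan_by_user[user])
    else:
        code, reply = ACCESS_REJECT, b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    resp_auth = hashlib.md5(header + request_auth + reply + secret).digest()
    return packet(code, ident, resp_auth, reply)

def verify_response(response, request_auth, secret):
    # Authenticator (switch) side: only a server that holds the secret can produce this value
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def assigned_vlan(response):
    # VLAN from Tunnel-Private-Group-ID, or None on a Reject / no VLAN attribute
    length = struct.unpack("!H", response[2:4])[0]
    value = parse_attrs(response[20:length]).get(TUNNEL_PRIVATE_GROUP_ID)
    if not value:
        return None
    if value[0] <= 0x1F:  # leading byte is an RFC 2868 tag, not part of the string
        value = value[1:]
    return int(value)

def exchange(secret_on_switch, secret_on_server, switch_vlans=(1, 10, 20)):
    # Constructed round trip: user, password, VLAN numbers and switch VLAN list are made up
    users, vlan_by_user = {b"alice": b"alicepw"}, {b"alice": 10}
    request_auth = os.urandom(16)  # the switch picks a fresh Request Authenticator per request
    req = access_request(b"alice", b"alicepw", secret_on_switch, 7, request_auth)
    resp = server_reply(req, secret_on_server, users, vlan_by_user)
    vlan = assigned_vlan(resp)
    return {"accepted": resp[0] == ACCESS_ACCEPT,
            "authenticator_ok": verify_response(resp, request_auth, secret_on_switch),
            "vlan": vlan, "vlan_exists_on_switch": vlan in switch_vlans}
```

Running `exchange(b"gns3", b"gns3")` gives an accepted request with a verified authenticator and VLAN 10; `exchange(b"gns3", b"gns3", (1,))` is the situation behind the log line quoted above, where the server returns a VLAN that the switch does not have, so the switch cannot bind the port to it; and `exchange(b"gns3", b"wrong")` shows that a mismatched secret turns the hidden password into garbage (a Reject) and makes the Response Authenticator fail verification on the switch. Note that the server still cannot tell a wrong secret from a wrong password; Cisco’s `radius-server` / `radius server` `key` and the server’s client entry simply have to match, and the auth-port and acct-port are only the UDP destinations this packet and the accounting packets are sent to.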

This has been so helpful. The explanation fits so well. Following your lesson, I had a freeradius setup and a GPON-ZHONE switch as the authenticator. I got the log message on the ZNID each time.

Very Respectfully,
temi

1 Like

Hi. Quick question. I am changing the IP schema, with the OLD VLAN not the same as the NEW VLAN, on a small branch site, and I would like to know how I would migrate the user IP addresses to use the NEW IP SUBNETS with an 802.1X-enabled switch.

Hello Venus

Keep in mind that 802.1X is a purely Layer 2 mechanism. The EAPoL protocol that is used from the supplicant to the authenticator occurs independently of any IP addressing scheme. Changing the IP addressing scheme of the clients that use the 802.1X feature will not affect the AAA operation.

The only IP connectivity that is necessary is between the authenticator (the switch in the case of the lesson topology) and the authentication server running RADIUS or TACACS+. If the IP addresses on networks between these devices have changed, make sure that IP communication is restored before attempting to authenticate any supplicants.

I hope this has been helpful!

Laz

Hello, everyone!

I have a question regarding this:

Network users might bring their own wireless router from home and connect it to the switch so they can share wireless internet with all their colleagues. An access point like this is called a rogue access point and this is something you DON’T want to see on your network. It’s hard to detect because on the switch you’ll only see one MAC address. The router is doing NAT so you will only see one IP address, this is something you can’t prevent with port security. One way of dealing with issues like this is to use AAA.

I am wondering. If the network users have been provided with the necessary credentials to access the network and pass the AAA check, what prevents them from using the same credentials for the Wireless Router? Couldn’t they just use the same username/password to authenticate the router itself?

Thank you in advance for your help.

David

Hello David

Yes, assuming the wireless router/AP supports 802.1X authentication, you can use the credentials you are given for your PC to connect to the network. But AAA gives you many more options for authenticating devices on a network using 802.1X. For example, you can configure the AAA server so that only one instance of the user can be used at any time. So if you’re already logged in using your PC, you can’t use the same credentials for the router/AP. Sure, you can unplug your PC and plug in the router/AP, but not both.

To resolve this, with AAA you can also specify the MAC address that is allowed on a particular port. So even if you put in your correct credentials, the MAC address of your router/AP will be disallowed.

So you can resolve the security issues due to the fact that you have much more control over many more factors of authentication.

I hope this has been helpful!

Laz

Hello, everyone!

In the following commands

aaa accounting commands 15 default start-stop/stop-only group tacacs+
aaa accounting exec default start-stop/stop-only group tacacs+

What would be the difference between start-stop and stop-only? I didn’t manage to find a satisfying explanation online, especially not for stop-only.

Thank you!

David

Hello David,

The difference between start-stop and stop-only in the commands you provided lies in when the accounting records are sent to the AAA server.

start-stop: This method sends an accounting record at the start and end of each process. The “start” record is sent at the beginning of the process, indicating that the process has begun. The “stop” record is sent at the end of the process, indicating that the process has ended.

stop-only: This method sends an accounting record only at the end of each process. There is no “start” record sent at the beginning of the process. This means that the AAA server only receives a notice when the process ends.

The choice between the two depends on your specific requirements for tracking and recording network activity. If you only need to know when a process has ended, stop-only should suffice. But if you need to track the entire lifecycle of a process, from start to finish, you would use start-stop.

More information can be found at this Cisco command reference:

I hope this has been helpful!

Laz
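The practical consequence of start-stop versus stop-only is easiest to see on the server side, and it also ties back to the earlier answer about allowing only one instance of a user at a time. The following is an added example, not code from NetworkLessons or from any AAA server. It replays a handful of constructed accounting records (not real logs) as the server would receive them under each mode, rebuilds the sessions, and reports which sessions are open, which logins overlapped for the same user, and how long each finished session lasted. The timestamps, user names, session IDs and port names are made up; the record fields mirror the Acct-Status-Type, Acct-Session-Id, User-Name, NAS-Port and Acct-Session-Time attributes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(t, typ, sid, user, port, session_time=None):
    # One accounting record: timestamp, Acct-Status-Type, Acct-Session-Id, User-Name,
    # NAS-Port, and for Stop records the Acct-Session-Time the NAS reports (seconds)
    return {"t": datetime.fromisoformat(t), "type": typ, "sid": sid,
            "user": user, "port": port, "session_time": session_time}

# Constructed records (not real logs): alice opens a second session while the first is
# still active, and bob's session never receives a Stop
RECORDS = [
    rec("2024-03-01T08:00:00", "Start", "s1", "alice", "Gi0/1"),
    rec("2024-03-01T08:05:00", "Start", "s2", "alice", "Gi0/2"),
    rec("2024-03-01T08:30:00", "Stop",  "s1", "alice", "Gi0/1", 1800),
    rec("2024-03-01T09:00:00", "Start", "s3", "bob",   "Gi0/3"),
    rec("2024-03-01T09:45:00", "Stop",  "s2", "alice", "Gi0/2", 6000),
]

def as_seen_by_server(records, mode):
    # 'stop-only' means the NAS never sends Start records, so the server never sees them
    if mode == "stop-only":
        return [r for r in records if r["type"] == "Stop"]
    if mode != "start-stop":
        raise ValueError("mode must be 'start-stop' or 'stop-only'")
    return list(records)

def sessions(records):
    # Rebuild sessions by Acct-Session-Id. With stop-only the start time can only be
    # inferred from Acct-Session-Time, and a session with no Stop is simply invisible
    out = {}
    for r in sorted(records, key=lambda r: r["t"]):
        s = out.setdefault(r["sid"], {"user": r["user"], "port": r["port"], "start": None, "stop": None})
        if r["type"] == "Start":
            s["start"] = r["t"]
        else:
            s["stop"] = r["t"]
            if s["start"] is None and r["session_time"] is not None:
                s["start"] = r["t"] - timedelta(seconds=r["session_time"])
    return out

def concurrent_logins(records):
    # Starts that arrive while the same user already has an active session: this is the
    # condition a server enforcing "one session per user" checks, so it needs Start records
    active, flagged = defaultdict(set), []
    for r in sorted(records, key=lambda r: r["t"]):
        if r["type"] == "Start":
            if active[r["user"]]:
                flagged.append((r["user"], r["sid"], r["port"]))
            active[r["user"]].add(r["sid"])
        else:
            active[r["user"]].discard(r["sid"])
    return flagged

def summary(records, mode):
    seen = as_seen_by_server(records, mode)
    sess = sessions(seen)
    return {
        "open": sorted(sid for sid, s in sess.items() if s["stop"] is None),
        "concurrent": concurrent_logins(seen),
        "durations": {sid: int((s["stop"] - s["start"]).total_seconds())
                      for sid, s in sess.items() if s["stop"] and s["start"]},
    }

if __name__ == "__main__":
    for mode in ("start-stop", "stop-only"):
        print(mode, summary(RECORDS, mode))
```

With start-stop the server sees that `s3` is still open, that alice’s second login on Gi0/2 overlapped her first, and the durations of the two finished sessions. With stop-only the durations are still recoverable from Acct-Session-Time, but bob’s session never appears at all and the overlapping login is undetectable, which is why a server that limits simultaneous sessions (FreeRADIUS’s Simultaneous-Use check, for instance, works from the session table that accounting Start records populate) needs start-stop accounting rather than stop-only.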

Hello, everyone.

What’s the difference between 802.1x and NAC? My understanding is that these are two separate components, where 802.1x provides port-based access control and NAC provides a system check, but I am not sure if this is entirely correct. This is what Google says:

So can NAC also do the same as 802.1x with the addition of system checks or how does this work?

Thank you.

David