Tag Archives: 802.1x

Configuring Wired 802.1x/MAB Authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required for Wired 802.1x and MAB (MAC Authentication Bypass) authentication on Cisco Catalyst switches, using Cisco ISE 2.0 as the RADIUS server. ISE is configured to use Microsoft AD as the External Identity Store, so users and computers are authenticated against their AD domain accounts.

The switch is already configured for VLANs, routing etc., so before 802.1x/MAB is enabled any device plugged into the switch can access the network. Basic ISE functionality (integration with AD and the PKI) has already been configured.

Software/Hardware Used:
Cisco Catalyst 3560 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

This post describes how to configure an HP ProCurve switch and a Windows 2008 R2 NPS RADIUS server to authorise users and dynamically assign them to specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create the VLANs, and on each define an IP address and an IP helper-address (DHCP relay to 192.168.20.20):

vlan 30
   name "VLAN30"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20
   exit
vlan 40
   name "VLAN40"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20
   exit


Configuring 802.1x authentication on ProCurve Switches

IEEE 802.1X is an open standard for port-based network access control: a client (the supplicant) must authenticate, with a user or machine identity, before the switch forwards its traffic. This post describes how to configure 802.1x on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server.

Open VLAN mode will be used. This involves creating an "Authorized" and an "Un-Authorized" VLAN: Open VLAN mode temporarily overrides the port's static VLAN configuration and places the port in the "Un-Authorized" VLAN, in which the client attempts authentication; if authentication succeeds, the switch dynamically moves the port into the "Authorized" VLAN.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configuring the switch

Create the "Authorized" VLAN, and define its IP address and IP helper-address (DHCP relay to 192.168.20.20):

vlan 30
   name "Auth"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20
   exit

Create the "Un-Authorized" VLAN, and define its IP address and IP helper-address (clients in this VLAN can still obtain an address while they authenticate):

vlan 40
   name "Un-Auth"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20
   exit


Configuring 802.1x authentication on Cisco Catalyst switches

This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1x authentication. It is assumed that a Windows 2008 Active Directory domain, a Certificate Authority and an NPS RADIUS server are already installed.

Configuring the Switch

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.168.20.20 key cisco123
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

aaa new-model must be enabled before any other AAA command is accepted. dot1x system-auth-control enables 802.1x globally, and dot1x port-control auto on the interface keeps the port in the unauthorised state (only EAPOL is forwarded) until a supplicant authenticates successfully. The key cisco123 is a placeholder; use a long, random shared secret in production.

Configuring the RADIUS Server

  • Open the "Network Policy Server" MMC console
  • Click "Policies" > "Network Policies"
  • Create a new "Network Policy" with a descriptive name, e.g. "dot1x Authentication Policy". Click Next
  • "Specify Conditions": click Add, select the "Machine Groups" condition and add the "Domain Computers" group. Click Next
  • "Specify Access Permission": ensure "Access granted" is selected. Click Next
  • "Configure Constraints": select "Authentication Methods". Under "EAP Types" click Add and select "Microsoft: Protected EAP (PEAP)". Click Next



Configuring a Cisco Switch for AAA with Windows NPS RADIUS

This post provides step by step commands to configure a Cisco Catalyst switch to authenticate administrator users to a Windows 2008 R2 NPS RADIUS server.

Configuring the Switch

The first step is configuring the switch to use RADIUS authentication for VTY (Telnet/SSH) logins.

Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS

The method list AAA_RADIUS tries the RADIUS group first and falls back to the local user database only when no RADIUS server responds, not when RADIUS rejects the credentials, so keep a local administrator account defined for recovery. The key cisco123 is a placeholder; use a long, random shared secret in production.

Configuring the Windows RADIUS Server

Assuming NPS is already installed and configured correctly, we need to define a RADIUS client (the switch) and create a Network Policy.

  • Open the NPS console and select "RADIUS Clients"
  • Create a new "RADIUS Client", specifying the switch's IP address and the same shared secret as used in the Cisco configuration (cisco123 here)
  • Once completed click OK
  • Select "Policies" > "Network Policies"
  • Create a new Network Policy called "Authenticating Helpdesk users for Switches" and leave "Type of network access server" as "Unspecified"
  • Add a "Condition" of "Windows Groups" and choose a suitable domain group, e.g. "NetAdmins". Add more conditions if required
  • "Specify Access Permission": "Access granted"
  • "Configure Authentication Methods": untick the pre-selected methods (MS-CHAPv2 and MS-CHAP) and tick "Unencrypted authentication (PAP, SPAP)". PAP is needed because IOS sends a VTY login password to RADIUS as a plain User-Password attribute; on the wire it is hidden only by the RADIUS shared secret, so use a strong secret and keep the switch-to-NPS path on a management network. Click Next
  • "Configure Constraints": nothing to configure. Click Next
  • "Configure Settings": select "Standard" and remove the default "Framed-Protocol" and "Service-Type" attributes
  • Add a new "Service-Type" attribute with the value "Login"
  • Still under "Configure Settings", select "Vendor Specific"
  • Click "Add" and select "Cisco" from the drop-down box
  • Click "Add" and click "Add" again
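Both NPS posts (the dynamic VLAN assignment for ProCurve above and this switch-admin policy) come down to what travels between the switch and the RADIUS server: a PAP Access-Request carrying User-Name, a User-Password hidden with the shared secret and Service-Type=Login, and an Access-Accept that, for dynamic VLAN assignment, carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID. The Python below is an added example written for this page, not code from the original posts or from Cisco, HP or Microsoft; it encodes and decodes those packets per RFC 2865, RFC 2868 and RFC 3580 without opening a socket. The shared secret cisco123 is the placeholder from the posts; the switch address 192.168.20.1, the username netadmin and the password are constructed sample values.

```python
"""Constructed example: the RADIUS packets behind a PAP switch login and a
dynamic-VLAN Access-Accept (RFC 2865 / 2868 / 3580). Runs offline."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_LOGIN = 1                              # "Login" in the NPS dialog
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6     # RFC 3580 VLAN assignment


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged(value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet (0 = untagged) + 3 value octets."""
    return b"\x00" + struct.pack("!I", value)[1:]


def iter_attrs(body: bytes):
    """Walk the attribute list, refusing lengths that run off the packet."""
    i = 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        yield body[i], body[i + 2:i + body[i + 1]]
        i += body[i + 1]


def access_request(user: str, password: str, secret: bytes, nas_ip: str,
                   ident: int = 1, authenticator=None) -> bytes:
    """What the switch sends for a PAP (VTY login) authentication."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, pap_hide(password.encode(), secret, auth))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def access_accept(request: bytes, secret: bytes, vlan=None) -> bytes:
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    if vlan is not None:  # the three attributes NPS returns for dynamic VLAN assignment
        body += (attr(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN))
                 + attr(TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE802))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check a NAS must make before honouring an Accept; a spoofed reply fails it."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse(pkt: bytes, secret=None) -> dict:
    """Decode header and the attributes used above; the secret is needed for User-Password."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    auth, out = pkt[4:20], {"code": code, "id": ident}
    for t, v in iter_attrs(pkt[20:]):
        if t == USER_NAME:
            out["user"] = v.decode()
        elif t == USER_PASSWORD and secret is not None:
            out["password"] = pap_reveal(v, secret, auth).decode(errors="replace")
        elif t == SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", v)[0]
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()  # RFC 2868: >0x1F is data, not a tag
    return out
```

Two things the code makes concrete. pap_reveal shows that the User-Password is protected only by the shared secret: anyone who knows cisco123 and can see the switch-to-NPS traffic recovers the administrator's password. response_is_authentic is the check that stops a forged Access-Accept (or a modified VLAN number) from being honoured, and it too depends on nothing but the secret. Both argue for a long random shared secret and for keeping RADIUS traffic on a management VLAN.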
