802.1X Port-Based Authentication on Cisco Devices

In this blog post I describe the configuration needed for dot1x (802.1X) authentication on Cisco switches, as well as the home lab I built to test the basic functionality of 802.1X port-based authentication with Cisco switches and Cisco ISE.

802.1x Authentication Configuration on Cisco Switches

Here is the Cisco switch 802.1x configuration that worked for me in my home lab.

[Switch configuration, shown as an image in the original post: cisco-switch-802.1x-authentication-configuration]
  • Line 131: enables AAA (aaa new-model).
  • Lines 134-135: define the RADIUS server group.
  • Lines 164-166: define the RADIUS server and the shared secret.
  • Line 137: enables AAA dot1x authentication with the default method list, pointing at the RADIUS server group defined above.
  • Lines 142-150: the interface connected to the 802.1X supplicant. A generic access list (default_acl) is applied statically on the port as a fallback: if the dACL pushed by ISE is not applied, the static ACL still governs what the port can reach instead of the port being left with no policy at all.
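The following is an added example of an IOS 15.x switch configuration covering the items listed above (AAA, RADIUS server and group, the dot1x method lists, and the supplicant port with a static fallback ACL). It is not the configuration from the original post. The ISE address 192.168.2.50, the shared secret ISEsecret, the group name ISE-GROUP, the port Ethernet0/1 and the contents of default_acl are assumptions made for the example; the SVI addressing and default gateway are assumed to be configured separately.

```cisco
! --- Added example, not the original post's configuration ---
! Assumptions: ISE reachable at 192.168.2.50, shared secret "ISEsecret",
! supplicant connected to Ethernet0/1, RADIUS sourced from SVI 1.
aaa new-model
!
! RADIUS server definition; the key must match the Network Device entry in ISE
radius server ISE
 address ipv4 192.168.2.50 auth-port 1812 acct-port 1813
 key ISEsecret
!
! Server group referenced by the method lists below
aaa group server radius ISE-GROUP
 server name ISE
!
! dot1x authentication, plus network authorization: without the
! authorization line ISE cannot push a dACL or a VLAN to the port
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Allow ISE to send Change of Authorization (CoA) to this switch
aaa server radius dynamic-author
 client 192.168.2.50 server-key ISEsecret
!
! Global 802.1X enable; nothing authenticates until this is present
dot1x system-auth-control
!
! Source RADIUS from SVI 1 and send the Cisco VSAs ISE uses for dACLs
ip radius source-interface Vlan1
radius-server vsa send authentication
radius-server vsa send accounting
!
! Static fallback ACL: fail closed. Only DHCP and DNS are allowed, so a
! session that is authorized without a dACL does not silently get full access.
! The final deny is logged to make a missing dACL visible.
ip access-list extended default_acl
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any log
!
! Supplicant-facing access port
interface Ethernet0/1
 description 802.1X supplicant
 switchport mode access
 ip access-group default_acl in
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The static ACL is the policy in force until ISE authorizes the session; a dACL returned by ISE is then applied on top of it for that host. To check what actually landed on the port, use `show authentication sessions interface Ethernet0/1 details`: if the session shows as Authorized but no ACS ACL is listed, the dACL was not applied and default_acl is what is being enforced, which the logged denies will also show.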

802.1x Port-based authentication Home lab topology

[Figure: 802.1X port-based authentication home lab topology]

Home lab constructs

  • EVE-NG
  • IOS images
    • one router; the image version does not matter
    • one switch running IOS 15.x
    • VPCS (Virtual PC Simulator), which comes built into EVE-NG
    • Windows 7 Lite: see this article for the details about Windows 7 Lite for Unetlab.
  • Cisco ISE 2.0.0.306
  • VMware Workstation 12 Pro

A Note about the switch IOS image

As you probably know, network engineers have long wished for an emulation tool that reproduces 100% of the switching features. In this home lab I tested with both of these IOS images:

  • Cisco IOL i86bi-linux-l2-adventerprisek9-15.6
  • Cisco vIOSl2-15.2

The vIOSl2 comes with more commands. But during the 802.1x port-based authentication rumblings, I spent almost all of 3 days (and nights) figuring out what was not working. Long story short, I still did not manage to "manifest" the dACL feature, and I suggest you go with the IOL version.

Home lab router configuration

  • A DHCP server is configured on the router to serve the 10.2.0.0/16 range using DHCP pools. Don't forget the ip dhcp excluded-address entries, including the switch SVI address, or the router will eventually hand out addresses that are already in use.
  • Multiple subinterfaces serve as gateways for the subnets. Although I could have used a layer 3 switch and SVIs, I wanted to try it with a router too.
  • The router is linked to the switch via a trunk.
  • The router is the gateway for ISE and connects to it through the VMnet2 cloud, which maps to pnet2 in EVE-NG.
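As an added example (not the original post's configuration), here is a router configuration matching the bullets above: DHCP pools with the exclusions, dot1Q subinterfaces as gateways, and the interface towards ISE. The addressing is assumed for the example: VLAN 1 is 10.2.1.0/24 (gateway 10.2.1.1, switch SVI 10.2.1.2), VLANs 13-15 are 10.2.13.0/24 to 10.2.15.0/24, and ISE sits on 192.168.2.0/24 (router 192.168.2.1, ISE 192.168.2.50) behind Ethernet0/1; Ethernet0/0 is the trunk to the switch.

```cisco
! --- Added example, not the original post's configuration ---
! Assumed addressing: VLAN 1 = 10.2.1.0/24, VLANs 13-15 = 10.2.13-15.0/24,
! ISE segment (VMnet2) = 192.168.2.0/24 with ISE at 192.168.2.50.
!
! Exclusions first: gateways and the switch SVI must never be leased out
ip dhcp excluded-address 10.2.1.1 10.2.1.2
ip dhcp excluded-address 10.2.13.1
ip dhcp excluded-address 10.2.14.1
ip dhcp excluded-address 10.2.15.1
!
! One pool per VLAN; the pool is matched to the subinterface by its network
ip dhcp pool VLAN1
 network 10.2.1.0 255.255.255.0
 default-router 10.2.1.1
 dns-server 10.2.1.1
ip dhcp pool VLAN13
 network 10.2.13.0 255.255.255.0
 default-router 10.2.13.1
 dns-server 10.2.1.1
ip dhcp pool VLAN14
 network 10.2.14.0 255.255.255.0
 default-router 10.2.14.1
 dns-server 10.2.1.1
ip dhcp pool VLAN15
 network 10.2.15.0 255.255.255.0
 default-router 10.2.15.1
 dns-server 10.2.1.1
!
! Trunk to the switch: one subinterface per VLAN, VLAN 1 carried as native
interface Ethernet0/0
 description trunk to switch
 no ip address
interface Ethernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.2.1.1 255.255.255.0
interface Ethernet0/0.13
 encapsulation dot1Q 13
 ip address 10.2.13.1 255.255.255.0
interface Ethernet0/0.14
 encapsulation dot1Q 14
 ip address 10.2.14.1 255.255.255.0
interface Ethernet0/0.15
 encapsulation dot1Q 15
 ip address 10.2.15.1 255.255.255.0
!
! Interface towards the VMnet2 cloud where ISE lives; the router is ISE's gateway
interface Ethernet0/1
 description to ISE (VMnet2 / pnet2)
 ip address 192.168.2.1 255.255.255.0
```

The ISE segment is the one the RADIUS traffic from the switch SVI must reach, so confirm routing in both directions (`ping 192.168.2.50 source Vlan1` from the switch) before suspecting the 802.1X configuration itself.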

Home lab switch configuration

  • VLANs 1 and 13-15 are configured. VLAN 1 is the native VLAN, and SVI 1 is used as the source interface for RADIUS traffic.
  • All configured interfaces are in access mode, except the link to the router, which is a trunk.
  • Interface E0/2 is deliberately left without a VLAN id. That is what demonstrates the power of ISE policies and dynamic VLAN assignment: the VLAN is pushed by ISE in the authorization result rather than configured on the port.
  • The switch is the 802.1X authenticator.
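The switch-side layout described in the bullets above, as an added example that is not the original post's configuration: the VLANs, the SVI used as RADIUS source, the trunk to the router, and the E0/2 port with no static VLAN. Ethernet0/0 as the router uplink, Ethernet0/2 as the dynamic-VLAN port, the SVI address 10.2.1.2/24 and gateway 10.2.1.1 are assumptions; the AAA, RADIUS and dot1x global configuration is assumed to be in place.

```cisco
! --- Added example, not the original post's configuration ---
! Assumptions: SVI 1 = 10.2.1.2/24 with gateway 10.2.1.1, Ethernet0/0 is the
! trunk to the router, Ethernet0/2 is the port whose VLAN comes from ISE.
vlan 13
 name VLAN13
vlan 14
 name VLAN14
vlan 15
 name VLAN15
!
! Management/RADIUS source interface; this address is in the DHCP exclusions on the router
interface Vlan1
 ip address 10.2.1.2 255.255.255.0
ip default-gateway 10.2.1.1
ip radius source-interface Vlan1
!
! The only trunk: carries VLAN 1 untagged (native) and 13-15 tagged
interface Ethernet0/0
 description trunk to router
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,13-15
 switchport mode trunk
!
! Access port with NO "switchport access vlan": the VLAN is taken from the
! RADIUS attributes ISE returns (Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
! Tunnel-Private-Group-ID=<vlan id or name>). Until a session is authorized
! the port sits in VLAN 1 but passes only EAPOL.
interface Ethernet0/2
 description dynamic VLAN via ISE
 switchport mode access
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 spanning-tree portfast
```

After a supplicant authenticates on E0/2, `show authentication sessions interface Ethernet0/2 details` shows the assigned VLAN under the session's Vlan Policy, and `show vlan brief` lists Et0/2 under that VLAN. If the port stays in VLAN 1, check that the VLAN ISE returns actually exists on the switch; a VLAN named in the authorization profile but not defined locally leaves the session unauthorized.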

Home lab ISE configuration

Home lab Windows Lite configuration

  • The Windows Lite computer is the 802.1X supplicant. 802.1X authentication is enabled on its NIC (on Windows this requires the Wired AutoConfig service to be running).
  • Its IP configuration is set to DHCP.
