802.1X Port-Based Authentication on Cisco Devices

In this blog post I’m going to describe the configuration commands needed to configure dot1x authentication, as well as the home lab I built to test the basic functionalities of 802.1X port-based authentication with Cisco switches and Cisco ISE.

802.1x Authentication Configuration on Cisco Switches

Here is the Cisco switch 802.1x configuration that worked for me in my home lab.

cisco-switch-802.1x-authentication-configuration
  • Line 131: activates AAA
  • lines 134 – 135: defining the Radius server group
  • Lines 164 – 166: defining the Radius server and the secret key.
  • Line 137: enables AAA dot1x authentication using the default method list, and using the Radius server group defined above.
  • Lines 142 – 150: this is the interface connected to the 802.1x supplicant. I put a generic access-list (default_acl) as a default ACL, in case the dACL feature does not work.

802.1x Port-based authentication Home lab topology

cisco-802-1x-port-based-authentication-home-lab-2017-08-06 23_36_39

Home lab constructs

  • EVE-NG
  • IOS images
    • one router, the image version does not matter
    • one switch with IOS 15.x
    • vPC, come built-in within EVE-NG
    • Windows 7 Lite: check this article for all details about Windows 7 Lite for Unetlab.
  • Cisco ISE 2.0.0.306
  • Vmware Workstation 12 Pro

A Note about the switch IOS image

You probably know, there’s a wish among network engineers to have an emulation tool for switches, that can emulate 100% of the switching features. In this home lab I tested with both of these IOS images:

  • Cisco IOL i86bi-linux-l2-adventerprisek9-15.6
  • Cisco vIOSl2-15.2

the vIOSl2 comes with more commands. But during the 802.1x port-based authentication rumblings, I spent almost all 3 days (and nights) to figure out what was not working. Story made short, I still did not manage to “manifest” the dACL feature. And I suggest you go with the IOL version.

Home lab router configuration

  • DHCP server is configured on the router to serve the subnet 10.2.0.0/16, using a DHCP pool. Don’t forget the IP dhcp excluded addresses, including the switch SVI
  • multiple subinterfaces, to serve as gateways for the subnets. Although I could use a layer 3 switch and make SVIs, I wanted to experiment the thing with a router too.
  • the router is linked to the switch via a trunk
  • the router plays the gateway for ISE. And it connects to ISE through Vmnet2 cloud. Vmnet2 maps to Pcnet 2 in EVE-NG.

Home lab switch configuration

  • vlans 1, 13-15 are configured. Vlan 1 is the native VLAN. SVI 1 is used as a source interface for Radius traffic
  • all configured interfaces are in access mode, except the link with the router.
  • interface E0/2 is not configured with a VLAN id. That’s necessary to demonstrate the power of ISE policies and dynamic VLAN assignment.
  • the switch is a 802.1x authenticator

Home lab ISE configuration

Home lab Windows Lite configuration

  • the Windows Lite computer is the 802.1x supplicant. Its NIC card is 802.1x enabled. 
  • its IP information is set to DHCP

Comments

Post a Comment

Popular posts from this blog

The Thing With CUCM Device Packs

Image
To add a new phone on CUCM, whether it is a Cisco phone or one of the free softphones on the Internet, you go to Device –> phone. Sometimes the phone you want to add does not exist in the drop box, because the device model is new or the CUCM version is a bit old. What you can do here is to download a Device Pack of the new phone and install it. A Device Pack is a set of firmwares contained in a single file. Generally, it has the extension “sgn”. A Device Pack for phone X not only contains a load for it, but also loads for many other phone models. This is important to know because, once you install a Device Pack in CUCM, your existing phones by default will install the new version of their respective loads. I encountered a case where, after installing a Device Pack, some phones no longer worked. So I had to note down the “Active Load” and put it in the Device Defaults page. CUCM Device Pack download To download a Device Pack, you need to have a valid Cis...
Read more

En Bloc Dialing vs Digit-By-Digit Dialing

Image
Digit Signaling, aka Digit Addressing, is the method by which digits are sent from a dialing endpoint (e.g. phone) to a CUCM server, or by a voice gateway or trunk. There are three known digit signaling methods: En Bloc dialing SIP Dial Rules Digit-by-digit dialing 1. En Bloc digit dialing In the En Bloc digit signaling method, digits are sent as a whole block. Think of it like a brick that you send to UCM. This is the digit addressing method used on Type A Cisco phones, whether the endpoint signaling protocol is SIP or SCCP. En Bloc dialing is the default method used with the famous gateway protocols -MGCP, H323 and SIP- and also on H323 trunks and SIP trunks. Besides, the resulting pattern of a Translation Pattern operation is sent as En bloc to the call control system. 2. SIP Dial Rules It is important to know that all SIP phones support SIP dial rules, whether they are Type A or Type B. SIP dial rules are created on CUCM and downloaded by...
Read more

Call Forward And Call Hunt on CUCM

Image
Call forwarding is one of the features of the call coverage in Cisco CUCM. Call Hunting is when CUCM distributes a call on more than one Directory Number (DN), whether consecutively or simultaneously, depending on the algorithm. Hunt Pilot A Hunt Pilot is the entry point for the whole call hunting process. It is hit by a Call. The Hunt Pilot number is a dialable entity and has many similarities with Route Patterns : We can configure Route Filters with Hunt Pilots, Hunt Pilots can Provide Outside Dial Tone , We can set Hunt Pilots with the Urgent Priority flag, They can route or block calls, They can apply Calling and Called Party Transformations. Hunt Lists After hitting the Hunt Pilot, the call is presented by CUCM to the Hunt List. Each Hunt List contains one or more ordered Line Groups. A Hunt List can be pointed by one or more Hunt Pilots. Line Groups Each Line Group contains one or more member (we’ll refer to them as Hunt members, hunt parties or Line Group members). A Line Grou...
Read more