Saturday, December 1, 2007

Configuring 802.1x authentication on Cisco's devices

This is quite a simple task. The main issue I've seen with it is that it mainly works with Windows. I use a mixed environment, and in all my deployments I make sure the solutions I deploy are supported no matter the platform or device.

Anyway, this is a requirement that you might find in financial institutions or other environments where authentication of the end devices is required.

I won't be covering how to set up the end device, since it is different for each platform. The only comment I can make about this is that in Windows you must go to your interface settings and activate 802.1x authentication. Then you have to decide whether you want device authentication, user authentication or user+device authentication. But again, I'm not covering that here.
For Mac OS X 10.x, check this link.

I'm not aware of any stable way to configure 802.1x on Ethernet ports in Linux. Wireless 802.1x authentication, on the other hand, works fine as long as you don't integrate it with one of the Microsoft proprietary requirements.

So let's start. The first requirement is the device that will handle the actual authentication. In this case let's assume a simple RADIUS server.

This example uses a Cisco Catalyst switch, but it is the same for the other platforms.

The first thing you will need is to enable the new AAA model.

aaa new-model

Now, since you are probably using another mechanism for authentication and authorization of local management users, you have to be aware of the impact on device logins. If that is the case you will need to create specific statements for it. So let's take this into consideration.

aaa authentication dot1x default group radius
aaa authentication login default local

With those entries we make sure that for logins to the device the switch uses the local "username" entries, while it uses "radius" for the dot1x authentication.

Now let's activate dot1x. This is done globally for the device, and then we configure the ports we want to authenticate:

!
dot1x system-auth-control
!
!
interface range fa0/1 - 24
dot1x port-control auto
!

We are almost done. What are we missing? Well, we have to define the RADIUS server:

!
radius-server host 192.168.100.25 auth-port 1812 key mykey
!

That's it. Now we have dot1x authentication enabled on all ports.

I should mention that in Cisco, every time you define a "key", "password" or "secret", make sure you don't leave additional blank spaces at the end of the string. Otherwise these spaces will be considered part of the key string.

So, we have dot1x authentication. But what about machines that do not support it? Or what about the servers?

Assume you don't want to configure certificate-based authentication on the servers, or that they don't support it. Well, if you trust those machines or servers, you can force their ports to be authenticated no matter what.

Again, here is the super command:

!
interface fa0/23
description Server1
dot1x port-control force-authorized
!

That will do exactly what it says. It forces the port into the authorized state.
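As an added example (not from the original post), here is a small Python audit of a saved running-config against the points above: the global commands that must be present, each port's port-control mode so the force-authorized exceptions can be reviewed, and the trailing-space key pitfall. The sample config is constructed for the example.

```python
import re

# Constructed sample running-config (not from a real device): one correctly configured
# port, one the deployment missed, a force-authorized server port and a key with a stray space.
SAMPLE_CONFIG = (
    "aaa new-model\n"
    "aaa authentication dot1x default group radius\n"
    "aaa authentication login default local\n"
    "dot1x system-auth-control\n"
    "!\n"
    "interface FastEthernet0/1\n"
    " dot1x port-control auto\n"
    "!\n"
    "interface FastEthernet0/2\n"
    " description Printer without supplicant\n"
    "!\n"
    "interface FastEthernet0/23\n"
    " description Server1\n"
    " dot1x port-control force-authorized\n"
    "radius-server host 192.168.100.25 auth-port 1812 key mykey \n"  # trailing space
)

# Global commands the post requires before per-port dot1x does anything.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)


def audit_dot1x(config: str) -> dict:
    """Report missing global commands, each interface's port-control mode
    ('no dot1x' when none is set) and RADIUS hosts whose key ends in whitespace."""
    lines = config.splitlines()
    present = {ln.strip() for ln in lines}
    result = {"missing_global": [c for c in REQUIRED_GLOBAL if c not in present],
              "ports": {}, "key_trailing_space": []}
    current = None  # interface stanza being walked, if any
    for line in lines:
        if m := re.match(r"^interface (\S+)\s*$", line):
            current = m.group(1)
            result["ports"][current] = "no dot1x"  # until a port-control line appears
        elif current and (m := re.match(r"^\s+dot1x port-control (\S+)", line)):
            result["ports"][current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface stanza
        if m := re.match(r"^(radius-server host \S+).* key (.*)$", line):
            if m.group(2) != m.group(2).rstrip():
                result["key_trailing_space"].append(m.group(1))
    return result
```

Ports reported as "no dot1x" are the ones a deployment like the one above has left unauthenticated, and each "force-authorized" entry is a trust decision worth recording.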

There are many other parameters that can be configured and tuned for dot1x. If you are planning an actual deployment, take a look at the Cisco configuration guide.

Hope you like this. If you know of a stable Linux 802.1x Ethernet authentication, please let me know.
