10-12-2007 08:22 AM - edited 03-10-2019 03:26 PM
Hi,
I have a project in hand to implement 802.1x for wired networks. Whenever a PC gets connected to the LAN switch, it
should get authenticated at Layer 2 and then it should be authorised to access LAN. The components involved in this
project will be access layer switches (4500, 2950, 3560), the client workstations running Windows XP and Cisco ACS
server for authentication.
I have the following doubts on this setup:
1) In 802.1x, how does the authentication take place (MAC, password, certificates...?)
2) What are the various protocols involved in this?
3) How reliable is this when we implement it on a 3000-node network?
4) If the ACS server goes down, how will the network react? Will any machine be able to connect or not?
5) What are the different methods other than 802.1x which can serve the requirement?
Also, it would be great if anyone can give any documents/useful links for the configuration of the switch/ACS, or
some general document which throws some light on the technologies involved in this.
Thanks,
Shobith.K
10-13-2007 09:59 AM
It seems like you are new to dot1x.
Suggestion:
- Search "IBNS" on cisco.com
- Go through the 802.1x rfc (overview)
Regards,
Prem
10-13-2007 10:09 AM
One more suggestion: search on the NetPro forum. You'll get lots of examples of configuring 802.1x, wired or wireless, all over it.
Regards,
Prem
10-13-2007 11:06 PM
thanks prem,
let me go through some of those docs and get back.
regards,
Shobith
10-14-2007 02:39 AM
Hello Shobith,
In 802.1x the authentication takes place via a layer 2 protocol using EAP over LAN (EAPOL). The switchport will send an authentication request to the connected host; the host must be running software called a 'supplicant' which is capable of responding to such requests. You can use certificates to authenticate the machines and also have the option to authenticate the users with their login and password. Deploying dot1x on a large scale is not currently recommended by Cisco due to various complicated issues; we currently recommend CCA, or Cisco Clean Access, which will provide the added functionality of posture assessment and remediation.
Thanks,
Raj
10-14-2007 03:51 AM
Hi,
Thanks for the reply. The current requirement was to make the most use of the Cisco ACS server deployed in the system. Can we have any other option other than 802.1x/CCA?
Can we implement port-based authentication, i.e. authenticating the connected PC based on a list of MAC addresses? Also, can this functionality be integrated with Cisco ACS, because the network has more than 3000 nodes (3000 MAC addresses)?
It would be great if I can have more inputs on the same.
Thanks,
Shobith.K
10-14-2007 10:35 AM
Hi Shobithk,
First of all let me clarify what I said earlier: when I said Cisco doesn't recommend dot1x in a large complex environment, that is more related to a framework deployment, and that's why I made the suggestion of CCA. Dot1x is deployable, and in your particular case it may be a viable option provided you have done ample planning and looked at all the variables. I would highly recommend you to work with your Cisco account team to craft a good solution.
Best regards,
Raj
10-14-2007 10:42 AM
I have done this earlier; I do not know if it's feasible for you or not. You'll find nothing anywhere that says something like "MAC authentication using Cisco switches". But if your switches support MAC auth bypass, then you can do this (I have done this twice and it works, but test first).
You can go through MAC Auth bypass feature from following link:
12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1205506
Configuring MAC Auth bypass on 12.2(37)SE:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1196845
----------Commands Required on Switch--------------
! Global configuration: enable AAA, point dot1x authentication at RADIUS,
! turn on 802.1x globally and define the ACS server. Values in <...> are
! placeholders to be replaced with your own.
config t
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host <ACS-IP-ADDRESS>
radius-server key <SHARED-SECRET>
! Per-port configuration, repeated for each access port that should
! authenticate the attached host by MAC address.
interface <INTERFACE-NAME>
 switchport access vlan <VLAN-ID>
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 dot1x reauthentication
-----------------------------------------------------------------
If we have a Windows XP client, and as we want MAC authentication to work, then we can stop the client from sending EAP requests, so that the switch can consider it an agentless host and initiate the MAC auth bypass process.
Registry fix on Win XP test machine,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"SupplicantMode"=dword:00000000
Please create an AAA Client entry for the switch in ACS from the Network Configuration section,
and use the Authentication Protocol RADIUS (Cisco IOS....).
And on ACS create an account for the client as
Username : 0015c53ae40d
Password : 0015c53ae40d
If the MAC address of the client is 00-15-C5-3A-E4-0D
Also, please ensure that we are running an ACS version that is not hitting the bug
CSCsh62641 - MAC authentication causes internal errors
Regards,
Prem
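The steps Prem lists (switch falls back from EAPOL to MAB after the host stays silent, then sends the MAC as both username and password to ACS) can be modelled end to end. The following is an added example written for this thread, not code from the original post, from Cisco or from ACS; it assumes the IOS defaults of a 30-second tx-period and max-reauth-req of 2, and the account convention from the post (username and password both the bare lowercase MAC). The sample MAC addresses are constructed.

```python
import re

# Constructed sample values for this example (not from the thread apart from the
# first MAC, which the post uses): the same address in the three notations a
# practitioner meets (Windows, Unix and Cisco "dotted" form).
SAMPLE_MACS = ["00-15-C5-3A-E4-0D", "00:15:c5:3a:e4:0d", "0015.c53a.e40d"]


def normalize_mac(mac: str) -> str:
    """Return the MAC in the form ACS expects for a MAB account: 12 lowercase
    hex digits with no separators (00-15-C5-3A-E4-0D -> 0015c53ae40d)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mab_access_request(mac: str) -> dict:
    """RADIUS attributes the switch sends once MAB starts: the post's convention
    is User-Name and User-Password both equal to the bare MAC."""
    m = normalize_mac(mac)
    return {"User-Name": m, "User-Password": m}


def mab_fallback_seconds(tx_period: int, max_reauth_req: int = 2) -> int:
    """Seconds of EAPOL silence before the port gives up on 802.1x and starts MAB.
    The switch sends EAP-Request/Identity every tx-period seconds and retries it
    max-reauth-req times (IOS default 2), so MAB begins after
    tx-period * (max-reauth-req + 1). With "dot1x timeout tx-period 3" from the
    post that is 9 s; with the default tx-period of 30 s it would be 90 s, which
    is why the post lowers it for agentless hosts."""
    return tx_period * (max_reauth_req + 1)


def build_accounts(known_macs) -> dict:
    """Turn a device inventory into the ACS-style account table the post
    describes: one account per MAC, password equal to the username."""
    table = {}
    for mac in known_macs:
        m = normalize_mac(mac)
        table[m] = m
    return table


def acs_authenticate(request: dict, accounts: dict) -> bool:
    """Model of the server-side check: the User-Name must exist and the
    User-Password must match the stored value. Anything else is Access-Reject,
    after which the port waits quiet-period (15 s in the post) before retrying."""
    user = request.get("User-Name")
    return user in accounts and accounts[user] == request.get("User-Password")


if __name__ == "__main__":
    accounts = build_accounts(SAMPLE_MACS[:1])
    for mac in SAMPLE_MACS + ["00-15-C5-3A-E4-0E"]:   # last one is not enrolled
        req = mab_access_request(mac)
        verdict = "Access-Accept" if acs_authenticate(req, accounts) else "Access-Reject"
        print(f"{mac:>18} -> {req['User-Name']} : {verdict}")
    print("MAB starts after", mab_fallback_seconds(3), "s with tx-period 3")
```

Note that the credential MAB presents is the same value the device already broadcasts in every Ethernet frame, so a MAB-only port authorizes whatever device carries an enrolled address; the account table above is an inventory check, not proof of identity, which is the trade-off the thread accepts for hosts that cannot run a supplicant.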
10-15-2007 02:01 PM
dot1x mac-auth-bypass is not supported on 2950 switches.
10-17-2007 05:26 AM
Hi Prem,
Thanks for the assistance provided. I have tested the configuration provided by you in the lab. It works :)
Now, moving on to integrate with our existing LAN, I have to test the following:
1) A PC and an IP Phone connecting to the same port, to be authenticated based on MAC address.
I went through the 802.1x configuration guide and I came across MULTI DOMAIN AUTHENTICATION, which lets me authenticate both the PC and the IP Phone. Now I have a doubt here: will this work with MAC-AUTH-BYPASS? Hope to hear from you soon regarding this.
Thanks and Regards,
Shobith
10-17-2007 07:33 AM
Yes, this is exactly what you need.
Multi-Domain-Auth is effectively a new host mode. Typically, port-based access-control techniques only take a single port into account. For AAA, and port enforcement to ensure the validity of the authorized session, MDA extends this to a single-port, single-VLAN construct to maximize retention of security.
So in the end, MDA just allows the new mode on the port. Then, MAB can be used as the actual auth method, and/or 1X can be used as the actual auth method; for both a Data-VLAN, and/or Voice-VLAN.
Hope this helps,
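To make the host-mode point concrete: the reply above says MDA lets one port hold a data device and a voice device at the same time, each authenticated by 802.1x or by MAB. The model below is an added example for this thread, not Cisco code; it assumes MDA's per-domain limit of one authorized host (one in the data domain, one in the voice domain) and treats any further host in an occupied domain as a violation. All MAC addresses are constructed.

```python
from dataclasses import dataclass, field

DOMAINS = ("data", "voice")          # MDA: exactly one authorized host per domain
METHODS = ("dot1x", "mab")           # either method may authenticate a domain


@dataclass
class Session:
    mac: str
    domain: str
    method: str


@dataclass
class MdaPort:
    """A switchport in multi-domain host mode: the data domain and the voice
    domain are authorized independently, so a PC and an IP phone can share the
    port, but a second device in an already-held domain is refused."""
    name: str
    sessions: dict = field(default_factory=dict)   # domain -> Session

    def authorize(self, mac: str, domain: str, method: str):
        """Return (accepted, reason) for an authentication result arriving on
        this port; only an accepted RADIUS result should reach this point."""
        if domain not in DOMAINS:
            return False, f"unknown domain {domain!r}"
        if method not in METHODS:
            return False, f"unknown method {method!r}"
        current = self.sessions.get(domain)
        if current is None:
            self.sessions[domain] = Session(mac, domain, method)
            return True, f"{self.name}: {domain} domain authorized for {mac} via {method}"
        if current.mac == mac:
            return True, f"{self.name}: {mac} reauthenticated in {domain} domain"
        return False, (f"{self.name}: violation, {domain} domain already held by "
                       f"{current.mac}; {mac} refused")

    def release(self, mac: str) -> bool:
        """Clear the session for a host that left (link down or reauth failure)."""
        for domain, sess in list(self.sessions.items()):
            if sess.mac == mac:
                del self.sessions[domain]
                return True
        return False

    def authorized(self) -> dict:
        """domain -> MAC for every host currently authorized on the port."""
        return {d: s.mac for d, s in self.sessions.items()}


if __name__ == "__main__":
    # Constructed addresses: a PC behind a phone, both authenticating by MAB,
    # followed by a second PC plugged into the phone's PC port.
    port = MdaPort("Gi1/0/1")
    for mac, domain in [("0015c53ae40d", "data"), ("001b54aabbcc", "voice"),
                        ("0015c53ae40e", "data")]:
        ok, why = port.authorize(mac, domain, "mab")
        print("ACCEPT" if ok else "DENY  ", why)
    print("authorized:", port.authorized())
```

The per-domain limit is what makes MDA safer than a simple multi-host mode: when the phone stays on the port but the PC behind it is swapped, the new MAC must authenticate on its own instead of riding on the phone's session.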
10-14-2007 10:54 AM
And apart from the suggestion that I just provided, I strongly back Raj: plan a good solution first and only then go for implementation, which is very important!
Regards,
Prem