I'm toying with the idea of implementing 802.1x on my network along with DHCP snooping and dynamic ARP inspection. My reasoning is this: our primary line-of-business application sends all of its traffic in clear text across a telnet session. Yes, this is completely ridiculous in this day and age, but that's how they do things. That being said, I want to make my network much more difficult to sniff and man-in-the-middle. We already implement port-security on access ports, but I'd like to take it a step further and implement 802.1x, dynamic VLAN assignment, etc., but I have a few questions I can't seem to find an answer to yet. I have gotten some basic 802.1x authentication to work with an XP workstation, an IP phone, and a workstation connected through an IP phone; this seems to be working as I expect.
Some background on the network:
* MPLS WAN.
* Switching platforms for access ports are 4506s (12.2(25)EWA1) or 3750s (12.2(44)SE2)
* PCs are majority Windows XP SP3.
* Using ACS 4.2 for Authentication
* Mitel (ick!) VoIP is in use on the network (phones are 802.1x aware)
* If I don't change the behavior of Windows XP SP3, it will use machine OR user authentication for 802.1x. How does this work with dynamic VLAN assignment? If the machine boots up and authenticates via machine ID, gets assigned to VLAN X, and gets DHCP on VLAN X, what happens if a user that should be on VLAN Y signs into the machine? Does the machine reauthenticate and DHCP on the new VLAN? What determines how the XP machine authenticates?
* I seem to be having an issue with putting a PC into the guest VLAN or into the auth-fail VLAN. I have configured the interface as such:
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout reauth-period 480
dot1x fallback fallback1
dot1x guest-vlan 701
dot1x auth-fail vlan 701
dot1x auth-fail max-attempts 2
spanning-tree bpduguard enable
I can get a host (connected via the IP phone) into VLAN 700 through dynamic VLAN assignment, but what's the threshold for the host to be put into the guest VLAN or auth-fail VLAN (701 in this case)? If I disable the 802.1x supplicant on my Windows XP SP3 machine (Wired AutoConfig service), it will attempt to authenticate, time out, then try to get DHCP on VLAN 1 (the default VLAN for the interface). The switchport stays in VLAN 1. If I re-enable the supplicant and disable the user/PC account in AD (ACS authenticates via AD), the PC says "Authentication Failed" and just sits there; the port is never transitioned into the auth-fail VLAN. What am I missing?
* Is it a good/better idea to have all ports in the "Guest" VLAN by default?
* Webauth. I can't find much out on Cisco's site about how to configure this or how it works. See the interface config above, along with the following:
ip device tracking
ip http server
ip admission name New1 proxy http
fallback profile fallback1
 ip access-group 1 in
 ip admission New1
access-list 1 permit any
If I understand this properly, the switch should present the PC with a login page to authenticate to gain access to the network. What does this line mean/how does it work?
ip access-group 1 in
If my machines rely on DHCP, can I still use webauth? They will likely not have an IP or have an automatically assigned IP if they are not authenticated properly.
With the above config, my unauthenticated PC does not get presented with a login page. What am I doing wrong?
* Are there any best practices I should be aware of when implementing 802.1x? Anything anyone would recommend to do or not to do?
Thanks in advance!
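Added for reference (this is not the poster's running config and not Cisco's own documentation): an annotated IOS configuration showing which timers set the guest-VLAN threshold asked about above, which counter drives the auth-fail VLAN, and how the fallback profile's pre-authentication ACL controls what an unauthenticated host may do before the web login page. VLAN 700/701/800 and the names fallback1/New1 come from the post; the interface name, timer values, AAA lines and the extended ACL entries are assumptions for illustration.

```cisco
! Added example, not the poster's config. Interface name, timers, AAA lines
! and the PREAUTH ACL entries are illustrative assumptions.
!
! Global: RADIUS (ACS) for authentication, and network authorization so the
! VLAN attributes ACS returns are actually applied to the port.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Web-auth fallback prerequisites.
ip device tracking
ip http server
ip admission name New1 proxy http
!
! Pre-authentication ACL: traffic an unauthenticated host may send before it
! passes the web login. Without DHCP and DNS the client never gets an address
! and has nothing to be redirected from. (Post uses "access-list 1 permit any".)
ip access-list extended PREAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
!
fallback profile fallback1
 ip access-group PREAUTH in
 ip admission New1
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 800
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 ! Guest VLAN threshold: the switch sends EAP-Request/Identity, waits
 ! tx-period seconds, and retries max-reauth-req times. With these values a
 ! host with no supplicant is moved to VLAN 701 after about (2 + 1) * 10 = 30 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x guest-vlan 701
 ! Auth-fail (restricted) VLAN: entered only after max-attempts failed
 ! authentications (Access-Reject from ACS), not on EAPOL timeout.
 dot1x auth-fail vlan 701
 dot1x auth-fail max-attempts 2
 ! Web-auth fallback is tried after 802.1x gives up on a host with no supplicant.
 dot1x fallback fallback1
 spanning-tree bpduguard enable
```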