Port access authentication using the IEEE 802.1x protocol is the foundation of today's popular technologies called Network Access Control (NAC), Network Admission Control (NAC), or Network Access Protection (NAP), which control device/user access to the network. The advantage is that we control access at the edge, directly on the port (access switch) to which the user is connected. The principle is that the port on the switch is blocked (does not allow any communication) until the connected device successfully authenticates. This method also allows for the use of several other features, such as dynamic VLAN assignment or placing the port into a guest VLAN if authentication fails.
IEEE 802.1x Protocol
I will only briefly describe the 802.1x protocol itself. It is the IEEE standard for Port-based Network Access Control and is built on the Extensible Authentication Protocol (EAP), RFC 3748. It is supported on newer, higher-class switches (most of today's Cisco switches) and on wireless networks (access points, APs). In wired networks, it provides port-level security at the link layer (Layer 2 of the ISO/OSI model).
If a port is in the unauthorized state, it does not accept any communication from the client (referred to as the supplicant) except for 802.1x traffic (more precisely, Extensible Authentication Protocol over LAN - EAPOL, CDP, and Spanning Tree Protocol frames are allowed on the port). This is followed by the authentication phase, during which the authenticator (usually a switch) relays the exchange to the authentication server (usually RADIUS). If authentication succeeds, the port switches to the authorized state, where it functions normally. The client can log out, and the port then returns to the unauthorized state. Every time the link state changes from down to up, the port starts in the unauthorized state.

Configuration in Cisco IOS
On Cisco switches, implementing this method is done in two steps. First, we use the authentication, authorization, and accounting (AAA) component, which provides the actual authentication (plus other functions) of the device/user. The second step involves configuring the 802.1x protocol (dot1x) for the switch and individual ports.
Using AAA, we choose the authentication method. The most common is using an external RADIUS server. The advantage is the separation of the authentication method from the switch.
At this point, I provide only the basic configuration, which is sufficient for port authentication. A number of other options and functions will be covered in the next article.
Setting up AAA via Radius
SWITCH(config)#aaa new-model   // enables the AAA access control model

Setting up the RADIUS server
SWITCH(config)#radius-server host 10.0.0.10   // server address or name
SWITCH(config)#radius-server key 12345   // shared secret, must match the one configured on the RADIUS server

Setting up the AAA method for 802.1x on the previously defined RADIUS server
SWITCH(config)#aaa authentication dot1x default group radius
Setting up 802.1x
SWITCH(config)#dot1x system-auth-control   // enables 802.1x globally for the switch (takes effect only on configured ports)
SWITCH(config-if)#dot1x port-control auto   // in interface configuration mode: enables 802.1x on the port where we want to use it
SWITCH#show dot1x all   // displays 802.1x status and configuration
Note: The default value for port-control is force-authorized, meaning the port is always authorized and 802.1x is not used.
Configuring MS IAS (RADIUS) server
If we decide to use a RADIUS (Remote Authentication Dial-in User Service) server, we have several solutions available. One option is to use Internet Authentication Service (IAS) from Microsoft, which is a component of Windows Server 2003. IAS offers services for authentication, authorization, accounting, and auditing.
For practical situations, it is recommended to install IAS on a domain controller, preferably also a Global Catalog. It is also recommended to have two IAS servers in case one fails. On the RADIUS server, we can configure which authentication database to use; in our case, LDAP is used to connect to Active Directory. The RADIUS protocol never sends the user password in plain text.
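To show concretely what "never in plain text" means, here is an added Python example (not code from the article or from IAS) implementing two RADIUS mechanisms from RFC 2865 that depend on the shared secret: the User-Password hiding applied by the authenticator, and the Response Authenticator the switch verifies before trusting an Access-Accept. The secret, Request Authenticator and attribute bytes used in the check are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865 section 3)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes and XOR each
    block with MD5(secret + previous block), starting from the Request
    Authenticator. This is keyed obfuscation, so a weak shared secret
    (like the sample "12345") gives weak protection."""
    if len(req_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad Request Authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the padding


def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Switch side: recompute the Response Authenticator before acting on the reply.
    A reply forged without the shared secret, or a truncated one, is rejected."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```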
Step 1 - setting up IAS
- first, add the component to the system through Add or Remove Programs, it's found under Networking Services
- launch the management for IAS (MMC console) via Administrative Tools
- for IAS to access records in AD, we must register it in AD - right-click on the root item Internet Authentication Service (local) and select Register Server in Active Directory
- then start the service (Start Service on the root item)
Note: In the IAS server settings, we can set the ports on which it communicates. Standard UDP ports 1812 or 1645 are used for authentication and 1813 or 1646 for accounting.
Step 2 - creating a client
Here we define the device (client) that will be able to access the server. This is not directly the client, but the authenticator (for example, a switch) that will communicate with the RADIUS server.
- under the RADIUS Clients folder, we create a new client, which is the switch where we want to use 802.1x
- enter the IP address or name; in the Enterprise version, we can also specify a range using CIDR notation
- set Client-vendor to Cisco (otherwise, RADIUS Standard is usually used, but not for Cisco)
- enter the Shared secret, which is an alphanumeric string used to verify client access

Step 3 - creating a remote access policy
In the third step, we must create a Remote Access Policy, which, among other things, determines the authentication methods. There can be multiple policies, and based on the specified conditions (policy conditions), which can be very diverse, it is determined which one will be used.

- create a new policy (right-click on Remote Access Policies and New Remote Access Policy)
- choose custom policy and enter a name (here Cisco switches)
- as policy conditions (i.e., what the policy will apply to), we can select, for example, Client-Friendly-Name with the value Cisco* and NAS-Port-Type with the value Ethernet
Note: Another possible condition is limiting user access. If we create a policy using the wizard, it offers us two options: access control using the settings of the user account in AD (User), or individual control using groups (Group). The condition for a group is called Windows-Groups, and we can set its value to, for example, "domain\Domain Computers;domain\Domain Users". With different settings, we can restrict authentication to, for example, computer accounts only.
- in the next step, we set whether the policy grants or denies access. However, this setting is overwritten by the setting for the user account in AD on the Dial-in tab, Remote Access Permission item
- we skip the profile settings and finish the policy
With this, we have created a policy and set parameters according to which it will be selected for which requests it should be applied. Now we need to define the authentication parameters.
- double-click to open our policy and we get to the properties
- on the first page, we see the conditions according to which the policy is evaluated

- by clicking the Edit Profile button, we get to the detailed settings. We are mainly interested in the Authentication tab.
Note: There are many options for settings. On the Dial-in Constraints tab, we can set how long a user can be connected or at what time they can connect. On the Advanced tab, we can define a large number of attributes (including Vendor-Specific attributes) that will be returned to the querying device (switch). On the Encryption tab, we can define which encryption methods are accepted; it's good to set the strongest encryption here (if possible).

On the Authentication tab, we can choose one of many authentication methods according to the needs and support on clients. For our case, however, we won't set anything here and click on the EAP Methods button. Among the EAP methods, we can select PEAP or if we use smart cards and/or certificates, then Smart Card or other certificate. Further properties are then set for the selected EAP method using the Edit button.

Export and import of IAS settings
If we have two IAS servers that should have the same configuration (for backup purposes), we can use export and import of configuration. We use the command-line scripting utility netsh (Network Shell) for this.
For backing up the configuration, we can use the following command, which will save it to the file iasconfig.txt
netsh aaaa show config >iasconfig.txt
For restoring the configuration, use the command
netsh exec iasconfig.txt
Windows XP client configuration
Windows XP, Windows Vista, and Windows 2000 SP4 include support for the IEEE 802.1x protocol. Enabling and configuration are done for individual network connections. Control Panel - Network Connections - right-click on the connection - Properties - Authentication tab. In Windows Vista, 802.1x support is not enabled by default, and to use it, you need to start the Wired AutoConfig service.
Note: I encountered a problem where the Authentication tab was missing. It was on a computer that also had a wireless network card and it was controlled by the manufacturer's driver. When I set the control using Windows, the Authentication tab appeared on all network cards (and everything worked).

The setup is simple and of course must correspond to what we set on the RADIUS server.
- the first item "Enable IEEE 802.1x authentication for this network" enables or disables the use of the 802.1x protocol
- under EAP type we select the authentication method (e.g., PEAP or Smart Card or other certificate)
- the Properties button takes us to the detailed settings of the selected authentication method
- the checkbox "Authenticate as computer when computer information is available" allows us to specify whether the computer can attempt authentication when no user is logged in
- The last checkbox "Authenticate as guest when user or computer information is unavailable" allows the computer to attempt to log in using the Guest account when it cannot authenticate using the user or computer account
Note: The option to authenticate as the computer allows authentication to take place as soon as the network connection is available, i.e., before the user authenticates and before group policies and login scripts start running.
Hi, just a quick question: can a PC connected this way be woken up using Wake on LAN? Thanks
PS Also thanks for the great site.
respond to [1]Dotaznik: Hi, that is a problem, because until the port is authorized it is effectively disabled. So normally it does not work. I have seen some complicated procedures for getting around it (I do not remember them), but they did not work very well.
With this configuration, can I have two devices on one port so that each of them gets an address from a different VLAN? Specifically, I have a GXP2000 VoIP phone with a PC or notebook behind it. They could be distinguished by MAC address.
respond to [3]Franta: I mention this in the continuation of this article. Multiple devices can be connected to a port (in multiple host mode), but the first device authenticates and then the port is authenticated. In this case the phone would have to support it, and (because of the different VLANs) it must also support either Voice VLAN or trunking.
"Control Panel - Network Connections - right-click on the connection - Properties - Authentication tab."
The Authentication tab appears only when the "Wireless Zero Configuration" or "Wired AutoConfig" service is running; this applies from XP SP3. In SP2 there is only the "Wireless Zero Configuration" service, and the wired network was brought up through it as well.