VLAN Assignment
The 802.1x protocol (in cooperation with a Cisco switch) gives us the ability to dynamically assign ports to VLANs based on authentication data. So we don't have to configure the correct VLAN for each port (but we still need to assign all ports to some VLAN and think that assignment through well), and the user gets their VLAN on whatever location and computer they use. However, this generally only works when we use user authentication and not computer authentication.
Configuration in Cisco IOS
If we have the 802.1x protocol correctly configured and want to add support for VLAN assignment from the RADIUS server, we use the following command. This ensures that RADIUS authorization will be used for network services (such as VLAN assignment).
SWITCH(config)#aaa authorization network default group radius
In case the RADIUS server doesn't send a VLAN (or 802.1x is turned off), the port will be assigned to its access VLAN (which is set on the port).
Note: If an incorrect (for example, non-existent) VLAN is sent, the switch will reject it.
If we need to troubleshoot or want to monitor how communication is taking place, we can use the debug command and log certain operations, for example:
SWITCH#debug dot1x events // logging dot1x events
SWITCH#show logging // displaying the log
Note: Dot1x cannot be used on trunk ports and dynamic ports.
Configuration on MS IAS (RADIUS) server
Again, I assume that we already have user authentication configured. To send a VLAN, we only need to add three Vendor-specific attributes. We do this in our Remote Access Policy on the Advanced tab.

These are the following attributes:
- [64] Tunnel-Type = VLAN (type 13)
- [65] Tunnel-Medium-Type = 802 (type 6)
- [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
The above procedure ensures that all users/stations (to which this Remote Access Policy applies) will be assigned to the set VLAN. This isn't very dynamic, because in practice we want to assign different users to different VLANs. One possible solution is as follows.
First, we need to have groups created in Active Directory for each VLAN and the appropriate users assigned to them. For example, when VLANs are organized by department, one group per department.
On the RADIUS server, we then need to create a Remote Access Policy for each VLAN. Most parameters will (probably) be the same. We need to modify the conditions according to which the policy is assigned to a request. There we set the condition to Windows-Groups and enter the group or groups from Active Directory for which one VLAN will be set. Then we set the VLAN number on the Advanced tab of the policy (as mentioned above).

Policies are tested in order from top (number 1) to bottom, and when a match occurs, the policy is used. So we can set several policies for different special groups and place a general policy at the end that sets the VLAN for everyone else.
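The following is an added example, not code from the original article or from Cisco or Microsoft: it models the two sides of the VLAN assignment described above. On the IAS side it picks the first matching Remote Access Policy (top to bottom) and builds the three tunnel attributes [64], [65] and [81] in RADIUS attribute format (Type, Length, Tag, Value per RFC 2868); on the switch side it decodes them and applies the behaviour described earlier (no VLAN sent: the port keeps its access VLAN; a non-existent VLAN: the switch rejects it). The policy table, group names and VLAN database are constructed for the example.

```python
import struct

# RFC 2868 tunnel attributes that carry the VLAN (numbers as on the IAS Advanced tab)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# Constructed policy table: (AD groups that must match, VLAN to send); None = matches everyone.
POLICIES = [({"VLAN-Finance"}, "100"), ({"VLAN-IT"}, "200"), (None, "10")]

def select_policy(user_groups, policies=POLICIES):
    """IAS semantics: policies are tried top to bottom, the first match wins."""
    for groups, vlan in policies:
        if groups is None or groups & set(user_groups):
            return vlan
    return None  # no policy matched: the request is rejected

def encode_vlan_attrs(vlan, tag=0):
    """Attribute layout Type | Length | Tag | Value, as sent in an Access-Accept."""
    out = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    group = str(vlan).encode()  # VLAN name or VLAN ID, both as a string
    out += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return out

def parse_attrs(data):
    """Walk the RADIUS attribute TLV list; yield (type, value bytes)."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def switch_decision(attrs, access_vlan, vlan_db):
    """Model the switch: returns (authorized, vlan). vlan_db maps VLAN name -> VLAN ID."""
    seen = {}
    for atype, val in parse_attrs(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[atype] = int.from_bytes(val[1:], "big")  # 3-byte value follows the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            seen[atype] = (val[1:] if val[0] <= 0x1F else val).decode()  # tag only if <= 0x1F
    if TUNNEL_PRIVATE_GROUP_ID not in seen:
        return True, access_vlan  # no VLAN sent: the port keeps its access VLAN
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return False, None  # not a VLAN assignment: treated as invalid
    group = seen[TUNNEL_PRIVATE_GROUP_ID]
    vlan = int(group) if group.isdigit() else vlan_db.get(group)
    if vlan not in vlan_db.values():
        return False, None  # non-existent VLAN: the switch rejects it
    return True, vlan
```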

Problem with not renewing address on the client
Sometimes it can happen that the client is assigned to the correct VLAN but doesn't get an address from the DHCP server. This problem isn't specific to this chapter; it occurs more often with assignment to a guest VLAN. It's caused by differing timeouts. When a client starts connecting to the network, it sends a DHCP request and at the same time starts the authentication process. If authentication takes longer than the DHCP timeout, the client doesn't get the correct address. In the case of Windows XP SP1, the client should renegotiate the address after a short time.
If the client doesn't get an address, running the commands for obtaining an address usually helps. But this is only suitable for testing; for production operation we should fine-tune the configuration so that it works on its own.
ipconfig /release
ipconfig /renew
More detailed dot1x settings
Automatic re-authentication
By default, this function is turned off, but we can turn it on and then the switch performs a new client authentication after a certain time. There are many situations where this function is useful, for example when the computer is authenticated first, so that after the user logs in a re-authentication takes place. On the other hand, re-authentication is then performed continuously, which may not be desirable.
The standard time for re-authentication is 3600 s.
SWITCH(config-if)#dot1x timeout reauth-period 4000 // setting re-authentication time to 4000 s
SWITCH(config-if)#dot1x reauthentication // turning on re-authentication on the port
We can also trigger re-authentication manually on the switch:
SWITCH#dot1x re-authenticate interface gigabitethernet0/1
Reset dot1x port configuration
If we want to reset the dot1x settings of a port to default values, we can use the command:
SWITCH(config-if)#dot1x default
Note: This also turns off dot1x on the port, but doesn't delete the guest and restricted VLAN settings.
Host mode
A port where dot1x is turned on can work in one of two modes:
- Single host - only one client can be connected to the port.
- Multiple host - multiple clients can be connected to one port. In this case, authentication of the first client authorizes the entire port and the other clients get access too.
The default mode is single host; to switch to multiple host:
SWITCH(config-if)#dot1x host-mode multi-host
Various timeouts
If the switch can't authenticate the client (for example, a communication error, but also when the client enters the wrong password), it waits for the specified time (default 60 s) and then tries again. Often it's useful to shorten this time.
SWITCH(config-if)#dot1x timeout quiet-period 10
The switch sends a request for authentication data (an EAP-request/identity frame) and then waits a certain time (default 30 s) for a response. If it doesn't receive one, it sends the query frame again. In certain special cases, we can change this interval (Switch-to-Client Retransmission Time).
SWITCH(config-if)#dot1x timeout tx-period 15
Related to this is the value (Switch-to-Client Frame-Retransmission Number) that says how many times (default 2) the switch resends the query when no response is received.
SWITCH(config-if)#dot1x max-req 5
If we use a Guest VLAN and DHCP in that network, it may happen that the authentication process and assignment to the Guest VLAN take longer than the timeout for obtaining an address from DHCP. In this case it's recommended to reconfigure the quiet-period and tx-period values. The exact values depend on the type of client, but for example:
SWITCH(config-if)#dot1x timeout quiet-period 3
SWITCH(config-if)#dot1x timeout tx-period 15
Accounting
The 802.1x protocol takes care of authentication (confirming that the user is who they claim to be) and authorization (controlling access to the resource; here it's for example assignment to a VLAN). We can supplement the functions with accounting (in other words, logging data), which keeps information about:
- user authentication
- logging out
- link-down
- re-authentication
Microsoft IAS automatically (if we enable it in the settings) stores information in the log during user authentication. For accounting, a different port is used (default 1646 or 1813) than for authentication and authorization (default 1645 or 1812). Information about accounting is sent to the RADIUS server using attribute and value pairs.
On the switch, we can use the longer form of the RADIUS server definition, where we specify the ports for the individual services (otherwise the defaults are used).
SWITCH(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 123456
To send accounting information about dot1x to RADIUS, we use:
SWITCH(config)#aaa accounting dot1x default start-stop group radius
Note: default is for the default list (and common situations), group radius means that information will be sent to all defined RADIUS servers.
Accounting can be used for a number of other events we want to monitor and store, so here are a few examples from other areas.
Sending information about switch restart
SWITCH(config)#aaa accounting system default start-stop group radius
Sending information about user login to the switch (to exec mode)
SWITCH(config)#aaa accounting exec default start-stop group radius
Sending information about using level 15 commands
SWITCH(config)#aaa accounting commands 15 default start-stop group radius
Restricted VLAN
Often we may want a user/computer that fails authentication (for example, because they don't have an account with us) to still be allowed into some part of the network. By default, the port switches to an unauthorized state and blocks communication. A common example is a visitor who comes and needs to get on the internet. We have created a VLAN for guests and we want to assign them to it automatically. If their OS supports the 802.1x protocol, it will prompt for authentication after connecting (unless automatic credential filling is set up). And if we have configured a restricted VLAN, then when incorrect data is entered (the client is not verified), the port will switch to this VLAN.
SWITCH(config-if)#dot1x auth-fail vlan 40 // restricted VLAN is 40
SWITCH(config-if)#dot1x auth-fail max-attempts 1 // number of authentication attempts (1 to 3)
Note: For restricted VLAN, the port must be in single-host mode.
With restricted VLAN as well as guest VLAN we may encounter some problems. Often reducing timeouts helps, as mentioned above. There's also a problem with address assignment from DHCP, which is also described above.
Guest VLAN
A similar situation to restricted VLAN is guest VLAN. We use this for clients that don't support 802.1x (for example, to download a dot1x client). The client is assigned to the guest VLAN if it doesn't support the 802.1x protocol (doesn't send an EAPOL packet or doesn't respond to EAP-request).
SWITCH(config-if)#dot1x guest-vlan 20
In older versions of IOS up to version 12.2(25)SEE, a modified behavior of guest VLAN was used, which was similar to restricted VLAN in effect. First, it was necessary to switch the behavior for the entire switch.
SWITCH(config)#dot1x guest-vlan supplicant
And then the guest VLAN was normally configured for ports and applied to unverified clients.
SWITCH(config-if)#dot1x guest-vlan 5
Check and Debug
Information about 802.1x
SWITCH#show dot1x interface f0/1 // information about 802.1x configuration on the port
SWITCH#show dot1x all // information about 802.1x from all ports where it's enabled
SWITCH#show dot1x all details // complete information about all 802.1x ports
SWITCH#show dot1x all statistics // statistics about 802.1x usage on the port
SWITCH#show dot1x all summary // brief information about the status of dot1x ports
Debugging 802.1x
When deploying 802.1x, we will likely run into various problems and need to see what's happening on the switch. Therefore, it's best to use debugging of the relevant information.
SWITCH#debug dot1x events // logging of dot1x events
SWITCH#debug dot1x all // logging of everything related to dot1x
SWITCH#show debugging // shows what debug is set to
SWITCH#undebug dot1x all // cancels debug of everything related to 802.1x
SWITCH#show logging // displays the log
Information about AAA and RADIUS
SWITCH#show radius statistics // statistics from RADIUS
SWITCH#show aaa servers // statistics from AAA and connection to RADIUS
SWITCH#show aaa method-lists all // list of methods and which ones are used
SWITCH#debug radius accounting // logging of accounting information sent to RADIUS
Interesting Links
- Configuring Switch-Based Authentication - description of AAA and RADIUS on Cisco C2960
- Configuring IEEE 802.1x Port-Based Authentication - description of 802.1x on Cisco C2970
- Catalyst 3750 Switch Cisco IOS Commands - description of 802.1x commands on Cisco C3750
Those ports are probably wrong in one case ;)
A different port is used for accounting (default 1646 or 1813) than for authentication and authorization (default 1646 or 1813)
respond to [1]bosomt: Thanks :-) fixed
Hi,
Cisco has changed the CLI commands quite a lot in the newer IOS versions, so many of these commands no longer work, or at least aren't in the context help.
I remembered almost everything using the 'dot1x' commands and now a good two thirds of things are done using the 'authentication' commands (unfortunately it no longer flags dot1x as 'deprecated' the way I was used to, and it took me a while before I found the config guide for the current IOS - god knows why the newest one isn't listed first, there's some 12.1(xx) there, the newest is 12.2(53) - at least for the 3560 :))
Here is the newest 802.1x guide I found on Cisco:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html
I have a question, I have a RADIUS (NAP on W2008) and a C2960 set up
interface FastEthernet0/13
description Access port VLAN100
switchport access vlan 100
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
Everything works as it should, but it doesn't seem normal to me that when the PC (WXP) is turned off, the C2960 keeps trying to send identification requests to that PC. And that's roughly every three minutes
3881: 010023: Jul 28 20:22:22.358: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E
3884: 010044: Jul 28 20:22:22.366: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E
If I turn on debug on the Cisco there are more of these errors. But it seems to me that it just keeps trying to authorize all the RADIUS ports.
Does anyone know how to prevent this? Is this normal behavior, or do I have something set wrong somewhere.
As I say, everything runs until the PC is turned off, then it starts generating those errors into syslog.
Thanks for any advice
respond to [4]Michal:
I know those "Authentication failed for client (Unknown MAC)" messages. If they're on a port with a PC that's turned off, then the PC has the Wake-on-LAN function enabled. So the PC is off, but the network card is in the UP state and waiting for a packet that would start the computer. To the switch, the port appears up and it sends authentication requests, which get no response. So it drops the port into the guest VLAN, because it has no way to authenticate the port.
The solution is to disable the wake up on LAN function in the BIOS of all PCs. Then when the PC is turned off, the network card is turned off too.
The same problem occurs with IP phones if nothing is connected behind the IP phone. To the switch the port is up and the switch doesn't know that nothing is connected to the phone; it expects authentication responses on the data VLAN and then puts the port into the guest VLAN too, because nothing arrives.
The problem with the address not being renewed on the client can be solved with the command:
ip device tracking probe delay 5
Then everything comes up correctly.