Dot1x and dynamic VLAN assignment example.

Objective: develop an example configuration for assigning VLANs dynamically.

Enable 802.1x authentication with VLAN assignment.


Configuring 802.1x Authentication


To configure 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.

To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

This is the 802.1x AAA process:


Step 1 A user connects to a port on the switch.

Step 2 Authentication is performed.

Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.

Step 4 The switch sends a start message to an accounting server.

Step 5 Reauthentication is performed, as necessary.

Step 6 The switch sends an interim accounting update to the accounting server, based on the result of reauthentication.

Step 7 The user disconnects from the port.

Step 8 The switch sends a stop message to the accounting server.

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:

Command / Purpose

Step 1: configure terminal
Enter global configuration mode.

Step 2: aaa new-model
Enable AAA.

Step 3: aaa authentication dot1x { default } method1
Create an 802.1x authentication method list.
To create a default list to use when a named list is not specified in the authentication command, use the default keyword followed by the method to use in default situations. The default method list is automatically applied to all ports.
For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note: Though other keywords are visible in the command-line help string, only the group radius keywords are supported.

Step 4: dot1x system-auth-control
Enable 802.1x authentication globally on the switch.

Step 5: aaa authorization network { default } group radius
(Optional) Configure the switch to use user-RADIUS authorization for all network-related service requests, such as VLAN assignment.

Step 6: radius-server host ip-address
(Optional) Specify the IP address of the RADIUS server.

Step 7: radius-server key string
(Optional) Specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.

Step 8: interface interface-id
Specify the port connected to the client to enable for 802.1x authentication, and enter interface configuration mode.

Step 9: switchport mode access
(Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.

Step 10: authentication port-control auto
Enable 802.1x authentication on the port.
For feature interaction information, see the “802.1x Authentication Configuration Guidelines” section.

Step 11: dot1x pae authenticator
Set the interface Port Access Entity to act only as an authenticator and ignore messages meant for a supplicant.

Step 12: end
Return to privileged EXEC mode.

Step 13: show authentication
Verify your entries.

Step 14: copy running-config startup-config
(Optional) Save your entries in the configuration file.

Configuring the Switch-to-RADIUS-Server Communication


RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order in which they were configured.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.

Command / Purpose

Step 1: configure terminal
Enter global configuration mode.

Step 2: radius-server host { hostname | ip-address } auth-port port-number key string
Configure the RADIUS server parameters.
For hostname | ip-address, specify the hostname or IP address of the remote RADIUS server.
For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812. The range is 0 to 65536.
For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note: Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon.
If you want to use multiple RADIUS servers, re-enter this command.

Step 3: end
Return to privileged EXEC mode.

Step 4: show running-config
Verify your entries.

Step 5: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To clear the specified RADIUS server, use the no radius-server host { hostname | ip-address } global configuration command.

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:

Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123


You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit and the radius-server key global configuration commands. For more information, see the “Configuring Settings for All RADIUS Servers” section.

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
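To make concrete why the key string has to match byte for byte on the switch and on the server (a trailing space included, as the note in Step 2 says), here is an added Python example. It is not code from this post or from Cisco; it builds a RADIUS reply the way RFC 2865 and RFC 3579 prescribe and verifies it the way a RADIUS client such as the switch must before trusting an Access-Accept: the Response Authenticator is MD5 over the packet plus the shared secret, and the Message-Authenticator attribute is HMAC-MD5 keyed with the secret. The request authenticator, identifier and the single tunnel attribute in the demo are constructed sample values; the key rad123 is the one from the example above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attribute(attr_type, value):
    """RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code, ident, request_auth, attributes, secret):
    """Build a RADIUS reply to an Access-Request (RFC 2865 s.3, RFC 3579 s.3.2).

    Message-Authenticator (attr 80) is HMAC-MD5 keyed with the shared secret over
    the packet with the Authenticator field holding the Request Authenticator and
    attr 80 zero-filled; the Response Authenticator is then MD5 over
    Code + ID + Length + Request Authenticator + Attributes + secret.
    """
    placeholder = encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attributes) + len(placeholder))
    msg_auth = hmac.new(secret, header + request_auth + attributes + placeholder,
                        hashlib.md5).digest()
    final_attrs = attributes + encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)
    response_auth = hashlib.md5(header + request_auth + final_attrs + secret).digest()
    return header + response_auth + final_attrs


def verify_response(packet, request_auth, secret):
    """Return True only when both authenticators are valid under `secret`.

    This is the check a RADIUS client (the switch) performs before trusting an
    Access-Accept; a wrong key or a modified attribute makes it return False.
    """
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(received_auth, expected_auth):
        return False
    # Rebuild the attribute list with Message-Authenticator zeroed and recompute it.
    pos, zeroed, received_ma = 0, b"", None
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False  # malformed length: never trust it
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received_ma = attrs[pos + 2:pos + attr_len]
            zeroed += attrs[pos:pos + 2] + bytes(16)
        else:
            zeroed += attrs[pos:pos + attr_len]
        pos += attr_len
    if received_ma is None:
        return False  # replies to EAP requests must carry attr 80 (RFC 3579)
    expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received_ma, expected_ma)


def demo():
    """Constructed exchange: key rad123 from the example above, one tunnel attribute."""
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    attrs = encode_attribute(ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d")  # tag 0, Tunnel-Type VLAN
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, b"rad123")
    tampered = bytearray(packet)
    tampered[25] ^= 0x01  # flip a bit inside the Tunnel-Type value
    return {
        "same key": verify_response(packet, request_auth, b"rad123"),
        "key with trailing space": verify_response(packet, request_auth, b"rad123 "),
        "attribute modified in transit": verify_response(bytes(tampered), request_auth, b"rad123"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only a server holding the same secret can produce a reply that passes verify_response; a key that differs only by a trailing space, or any change to the attributes on the wire, fails the check and the switch never applies the VLAN carried in such a packet. In a real 802.1x exchange the Access-Accept also carries EAP-Message and the tunnel attributes described in the next section.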


Cisco Secure Config:


– AAA client declaration.


– Parameters for dynamic VLAN assignment:


Enable the following attributes at the user level:

– [64] Tunnel-Type = VLAN

– [65] Tunnel-Medium-Type = 802

– [81] Tunnel-Private-Group-ID = VLAN name, VLAN ID, or VLAN-Group

– [83] Tunnel-Preference


Configure the attributes in the user profile:


Tunnel type – Vlan

Tunnel medium type – 802

Tunnel private group id – 52 (the VLAN assigned dynamically, regardless of the access VLAN configured on the switch port)

Tunnel preference – 1 (I set it to 1, although I don't really know what this parameter is used for.)
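As an added example (not from this post and not Cisco or ACS code), here is how the four attributes listed above are laid out on the wire per RFC 2868 and RFC 3580, and how a client-side parser should read them back. Each carries a one-byte tag (omitted in Tunnel-Private-Group-ID when the first byte of the string is above 0x1F, which is the case for "52"); Tunnel-Type VLAN is the integer 13, Tunnel-Medium-Type 802 is 6, and Tunnel-Preference orders several tagged tunnel sets in one reply, the lowest value being preferred. VLAN 52 and preference 1 come from the profile above; the VLAN name GUESTS, the second tagged set and the out-of-range id in the usage are constructed values.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_PRIVATE_GROUP_ID, TUNNEL_PREFERENCE = 81, 83
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "802" (IEEE-802)


def avp(attr_type, value):
    """RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type, text, tag=None):
    """RFC 2868 tagged string: a leading byte 0x01..0x1F is a tag; a first byte
    above 0x1F is part of the string, so an untagged "52" is sent without a tag byte."""
    body = text.encode("ascii")
    if tag is not None:
        body = bytes([tag]) + body
    return avp(attr_type, body)


def vlan_assignment_attrs(vlan, preference=1, tag=0):
    """The four attributes from the profile above, for one tunnel set."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag or None)
            + tagged_int(TUNNEL_PREFERENCE, preference, tag))


def parse_attrs(buf):
    """Split a raw attribute list into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > len(buf):
            raise ValueError("malformed attribute length")
        out.append((attr_type, buf[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def split_tag(value):
    """Return (tag, rest); a first byte above 0x1F means the value is untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(buf):
    """Return the VLAN id (int) or VLAN name (str) the attributes assign, or None.

    A tunnel set is used only if Tunnel-Type is VLAN, Tunnel-Medium-Type is 802 and
    a Tunnel-Private-Group-ID is present; with several tagged sets the lowest
    Tunnel-Preference wins (RFC 2868 s.3.6). Numeric ids must be in 1..4094.
    """
    sets = {}
    for attr_type, value in parse_attrs(buf):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE):
            tag, rest = split_tag(value)
            if len(rest) != 3:
                raise ValueError("tagged integer must be 3 bytes after the tag")
            sets.setdefault(tag, {})[attr_type] = int.from_bytes(rest, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value)
            sets.setdefault(tag, {})[attr_type] = rest.decode("ascii")
    usable = [(s.get(TUNNEL_PREFERENCE, 0), tag) for tag, s in sets.items()
              if s.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
              and s.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
              and TUNNEL_PRIVATE_GROUP_ID in s]
    if not usable:
        return None
    group = sets[min(usable)[1]][TUNNEL_PRIVATE_GROUP_ID]
    if group.isdigit():
        vlan_id = int(group)
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN id {vlan_id} out of range")
        return vlan_id
    return group


if __name__ == "__main__":
    print(vlan_from_access_accept(vlan_assignment_attrs(52)))       # 52
    print(vlan_from_access_accept(vlan_assignment_attrs("GUESTS")))  # GUESTS
```

The parser treats the three checks the profile relies on as mandatory: a reply with only Tunnel-Private-Group-ID and no matching Tunnel-Type and Tunnel-Medium-Type yields no VLAN rather than a guess, and a numeric id outside 1..4094 is rejected instead of being passed to the port.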


Switch configuration:


!
version 15.0
!
hostname X
!
aaa new-model
!
aaa group server radius DOT1x
server name RADIUS1
!
aaa authentication dot1x default group DOT1x
aaa authorization network default group DOT1x
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
dot1x test timeout 120
!
interface FastEthernet0/17
description Manuel’s Laptop2
switchport access vlan X
switchport mode access
authentication port-control auto
authentication periodic
authentication timer reauthenticate 4000
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
!
radius server RADIUS1
address ipv4 10.10.10.10 auth-port 1645 acct-port 1646
key 7 011709100A1316XXXXXXXXXX
!
end
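The following is an added Python audit script, not part of this post, that checks a running-config against the two step lists above: globally, aaa new-model, the dot1x authentication method list, the network authorization needed for VLAN assignment and dot1x system-auth-control; and on every port that carries any dot1x or authentication command, access mode, authentication port-control auto and the PAE authenticator role. The embedded config is a constructed sample modelled on the switch configuration above, with the VLAN, a second port and the key as placeholders, and it assumes IOS-style indentation of interface sub-commands; the missing command on FastEthernet0/18 is deliberate so that the audit has something to report.

```python
import re

# Constructed sample running-config modelled on the configuration above
# (VLAN, second interface and key are placeholders, not from the post).
SAMPLE_CONFIG = """\
!
aaa new-model
!
aaa group server radius DOT1x
 server name RADIUS1
!
aaa authentication dot1x default group DOT1x
aaa authorization network default group DOT1x
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
interface FastEthernet0/17
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/18
 switchport mode access
 dot1x pae authenticator
!
radius server RADIUS1
 address ipv4 10.10.10.10 auth-port 1645 acct-port 1646
 key 7 PLACEHOLDER
!
end
"""

# Global lines the procedure requires (labels are ours; patterns match IOS syntax).
GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "802.1x authentication method list": r"^aaa authentication dot1x default group \S+$",
    "network authorization (needed for VLAN assignment)": r"^aaa authorization network default group \S+$",
    "dot1x enabled globally": r"^dot1x system-auth-control$",
}
# Per-port lines required on every port that is meant to authenticate clients.
INTERFACE_REQUIRED = {
    "access mode": r"^switchport mode access$",
    "port-control auto": r"^authentication port-control auto$",
    "PAE authenticator": r"^dot1x pae authenticator$",
}


def split_config(text):
    """Return (global_lines, {interface_name: [sub-commands]}) from an IOS config."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" closes the current block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = split_config(text)
    findings = []
    for label, pattern in GLOBAL_REQUIRED.items():
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(f"global: missing {label}")
    for name, lines in interfaces.items():
        # Only ports with some dot1x/authentication command are 802.1x ports.
        if not any(l.startswith(("dot1x", "authentication")) for l in lines):
            continue
        for label, pattern in INTERFACE_REQUIRED.items():
            if not any(re.match(pattern, line) for line in lines):
                findings.append(f"{name}: missing {label}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports FastEthernet0/18 as lacking authentication port-control auto: the port has the PAE role but will never actually challenge a client. Removing the aaa authorization network line produces the global finding instead, which is the misconfiguration that makes dynamic VLAN assignment silently not happen even though authentication succeeds.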


PC config:
– Enable the WiredAuto service on the PC.
– Configure the network adapter to use dot1x.

