Cisco Catalyst Switches - dot1x - Authentication - Part 5

This part is where you configure:

  • The guest VLAN (assigned automatically if the client cannot authenticate; this is secure, but tricky)
  • The VLAN subnet on which the DHCP server is listening
  • The RADIUS configuration settings
  • VTP
    • Where the 'core switch' sends its VLAN configuration to the VTP client switches, so that settings are kept consistent and configured in one place to rule them all


So, here we are about to configure:

  • Configure AAA NPS
  • Set Trunk Ports
  • Set Interface Ports
  • VTP Domain
  • DHCP IP Helpers for the right Assignment to the DHCP Pool
  • Set Guest VLAN (at the end of the blog, because much depends on a successful deployment before you start locking things down).


# Switch Config for NPS Authentication

# Preferably remove 'mab' from the interface and make sure everyone can connect via certificates!

# The configured IP address of the VLAN should always be excluded from the DHCP scope.

begin config


aaa new-model

!

!

aaa group server radius NPSRadius

 server name NPSRadiusSrv1

!

aaa authentication login default local

aaa authentication enable default enable

aaa authentication dot1x default group NPSRadius

aaa authorization console

aaa authorization exec default local if-authenticated

aaa authorization network default group NPSRadius

aaa accounting network default start-stop group NPSRadius

!

aaa session-id common

dot1x system-auth-control

authentication mac-move permit

!

vlan internal allocation policy ascending

!


The configuration of a FastEthernet port always goes without an IP address.

interface FastEthernet0

 description Trunk port without an client (IP) but for UPLINK

 no ip address

 shutdown

!


An interface with a hard-coded VLAN can also serve a designated office or a single department.

# Example Fixed VLAN

interface GigabitEthernet0/1

 description Hard Coded Guest VLAN

 switchport access vlan 500

 switchport mode access

 spanning-tree portfast

!


# This port also does MAB authentication, but you shouldn't be using it. MAB authenticates by MAC address, and because MAC addresses can be cloned you have no way to verify the client's integrity.

# You do not want to use this!

# Initial Setup for dot1x configuration (rolling out)

interface GigabitEthernet0/15

 description Configure port for NPS Authorization

 switchport mode access

 authentication event server alive action reinitialize

 authentication port-control auto

 mab

 dot1x pae authenticator

 spanning-tree portfast

 spanning-tree bpduguard enable

!


# Final step!!! After everything is working OK, you configure the GUEST VLAN as the default for clients that cannot authenticate. This is the very last step to secure your environment.

# A trunk port configuration. You configure this on your SFP fibre connections, i.e. the uplinks from switch to switch.

interface TenGigabitEthernet1/2

 description TenGigaBitEthernet Uplink 2 Main Switch

 switchport trunk encapsulation dot1q

 switchport mode trunk

!


# Radius Server config for Retry and Alive polling.

radius-server retry method reorder

radius-server transaction max-tries 10

radius-server timeout 4

radius-server deadtime 2

!

# Pay attention to the 'key 0' shared secret for your RADIUS / NPS server.

# Some firmware versions have trouble authenticating to the NPS server with a shared secret of more than 8 characters. Special characters can also cause an issue!

conf t

radius server NPSRadiusSrv1

 address ipv4 172.16.0.3 auth-port 1812 acct-port 1813

 timeout 10

 key 0 8Digits!

end
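The two warnings in this post that a config reviewer would want to check mechanically are the `mab` line on 802.1X ports and the RADIUS shared-secret constraints (length and special characters). The following Python script is an added example, not code from the original post: it parses a Cisco IOS config dump into stanzas and reports those two points, plus a missing `dot1x pae authenticator` or `spanning-tree bpduguard enable` on any port under `authentication port-control auto`. The SAMPLE_CONFIG string is constructed from the interface and `radius server` stanzas shown above, with a hypothetical GigabitEthernet0/16 added; the 8-character limit is the post's own threshold and is a parameter.

```python
"""Audit a Cisco IOS config for the dot1x and RADIUS points made in this post.

Added example, not code from the post: it parses interface and `radius server`
stanzas from a config dump and reports the things the post warns about.
SAMPLE_CONFIG is constructed for the example (it copies the two interface
styles shown above and adds a hypothetical Gi0/16 port).
"""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Hard Coded Guest VLAN
 switchport access vlan 500
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/15
 description Configure port for NPS Authorization
 switchport mode access
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description Hypothetical port with mab removed but bpduguard forgotten
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
radius server NPSRadiusSrv1
 address ipv4 172.16.0.3 auth-port 1812 acct-port 1813
 timeout 10
 key 0 8Digits!
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each top-level line (e.g. 'interface GigabitEthernet0/15') to its
    indented child lines, whitespace-stripped. '!' and blank lines end a stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def audit_dot1x_ports(stanzas: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {port: [findings]} for every port under 802.1X port control."""
    findings: Dict[str, List[str]] = {}
    for header, lines in stanzas.items():
        if not header.startswith("interface ") or "authentication port-control auto" not in lines:
            continue  # fixed-VLAN ports, trunks and the management port are not audited
        issues = []
        if "mab" in lines:
            issues.append("mab enabled: MAC addresses can be cloned, prefer certificate-based 802.1X")
        if "dot1x pae authenticator" not in lines:
            issues.append("missing 'dot1x pae authenticator'")
        if "spanning-tree bpduguard enable" not in lines:
            issues.append("missing 'spanning-tree bpduguard enable' on an edge port")
        findings[header.split(" ", 1)[1]] = issues
    return findings


def audit_radius_key(stanzas: Dict[str, List[str]], max_len: int = 8) -> Dict[str, List[str]]:
    """Flag 'key 0 <secret>' values longer than max_len or containing special
    characters, the two conditions the post reports as troublesome."""
    findings: Dict[str, List[str]] = {}
    for header, lines in stanzas.items():
        if not header.startswith("radius server "):
            continue
        issues = []
        for line in lines:
            m = re.match(r"key 0 (\S+)$", line)
            if m is None:
                continue
            secret = m.group(1)
            if len(secret) > max_len:
                issues.append(f"key is {len(secret)} characters, longer than {max_len}")
            if not secret.isalnum():
                issues.append("key contains special characters")
        findings[header.split(" ", 2)[2]] = issues
    return findings


if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_CONFIG)
    for name, issues in {**audit_dot1x_ports(stanzas), **audit_radius_key(stanzas)}.items():
        print(f"{name}: {'; '.join(issues) if issues else 'OK'}")
```

Run it against saved `show running-config` output by replacing SAMPLE_CONFIG with the file contents. Note that the post's own `8Digits!` key is flagged for the `!`: it is exactly 8 characters, but the special character is the case the note above describes as risky on some firmware.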


# End config

# Next is configuring a VTP domain, which advertises all VLANs to the other switches.

# You configure the core switch as the VTP server, and after that configure the client switches to receive the VLAN configuration from the core switch.

# VLAN Documentation

# https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/vlanconf.html


VTP Setup


CORE SWITCH


Router# configure terminal

Router(config)# vtp mode server

Router(config)# vtp domain VTPDomain

Router(config)# vtp password Deploymyconfig

Router(config)# exit


CLIENT SWITCH

The following example shows how to configure the switch as a VTP client:

Router# configure terminal

Router(config)# vtp mode client

Router(config)# exit



The following example shows how to configure the switch as VTP transparent.

I see no particular reason you should use it for this case.

Reference: http://www.firewall.cx/networking-topics/vlan-networks/virtual-trunk-protocol/223-vtp-introduction.html

Router# configure terminal

Router(config)# vtp mode transparent

Router(config)# exit


VLAN configuration, and pushing it to the client switches once they are configured to receive VTP updates.


# The config below is executed on the CORE SWITCH, the VTP server.

VLAN Configuration

# DHCP Helper IP Addresses are configured in the VLAN Subnet

# DHCP Helper IP Addresses are for example:

# 172.16.0.1

# 172.16.0.2

conf t

vlan 100

exit

interface Vlan100

 description Server vlan

 ip address 172.16.0.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 200

exit

interface Vlan200

 description Client vlan

 ip address 172.24.0.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 201

exit

interface Vlan201

 description Client vlan

 ip address 172.24.1.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 202

exit

interface Vlan202

 description Client vlan

 ip address 172.24.2.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 203

exit

interface Vlan203

 description Client vlan

 ip address 172.24.3.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 204

exit

interface Vlan204

 description Client vlan

 ip address 172.24.4.254 255.255.255.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2

!

conf t

vlan 500

exit

interface Vlan500

 description Guest vlan

 ip address 172.32.0.254 255.255.252.0

 ip helper-address 172.16.0.1

 ip helper-address 172.16.0.2
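To make the DHCP side of this section concrete, here is an added Python example (not code from the original post). It takes the SVI definitions above as a table constructed from the config, derives each VLAN's subnet with the standard library `ipaddress` module, lists the gateway address that must be excluded from every DHCP scope (the rule stated near the top of the post), and goes one step beyond the post by checking that every helper address lies in the server VLAN and that no two VLAN subnets overlap. VLAN 205 in BAD_SVIS is a constructed bad entry, not part of the post's design, used only to show both checks firing.

```python
"""Sanity-check the VLAN / SVI plan above from the DHCP server's point of view.

Added example, not code from the post. It takes the SVI definitions as a table
(constructed from the post's config), derives each VLAN's subnet, lists the
gateway address that must be excluded from each DHCP scope, and flags two
mistakes that break DHCP relay: helper addresses that do not live in the
server VLAN, and VLAN subnets that overlap.
"""
import ipaddress
from typing import Dict, List, Tuple

# (vlan id, description, 'address mask' exactly as on the SVI, helper addresses)
Svi = Tuple[int, str, str, List[str]]
HELPERS = ["172.16.0.1", "172.16.0.2"]
SVIS: List[Svi] = [
    (100, "Server vlan", "172.16.0.254 255.255.255.0", HELPERS),
    (200, "Client vlan", "172.24.0.254 255.255.255.0", HELPERS),
    (201, "Client vlan", "172.24.1.254 255.255.255.0", HELPERS),
    (202, "Client vlan", "172.24.2.254 255.255.255.0", HELPERS),
    (203, "Client vlan", "172.24.3.254 255.255.255.0", HELPERS),
    (204, "Client vlan", "172.24.4.254 255.255.255.0", HELPERS),
    (500, "Guest vlan", "172.32.0.254 255.255.252.0", HELPERS),
]
SERVER_VLAN = 100

# Constructed negative sample (hypothetical): a VLAN 205 whose /23 swallows
# VLAN 204's subnet, with a helper address that points outside the server VLAN.
BAD_SVIS: List[Svi] = SVIS + [(205, "Client vlan", "172.24.4.254 255.255.254.0", ["10.0.0.1"])]


def svi_interface(address_mask: str) -> ipaddress.IPv4Interface:
    """'172.24.0.254 255.255.255.0' -> IPv4Interface('172.24.0.254/24')."""
    ip, mask = address_mask.split()
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def vlan_networks(svis: List[Svi]) -> Dict[int, ipaddress.IPv4Network]:
    """Subnet served by each VLAN, derived from its SVI address and mask."""
    return {vid: svi_interface(am).network for vid, _, am, _ in svis}


def dhcp_exclusions(svis: List[Svi]) -> Dict[int, str]:
    """Gateway (SVI) address per VLAN; each must be excluded from that VLAN's DHCP scope."""
    return {vid: str(svi_interface(am).ip) for vid, _, am, _ in svis}


def overlapping_vlans(svis: List[Svi]) -> List[Tuple[int, int]]:
    """Pairs of VLAN ids whose subnets overlap (their DHCP scopes would collide)."""
    nets = vlan_networks(svis)
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]


def misplaced_helpers(svis: List[Svi], server_vlan: int = SERVER_VLAN) -> Dict[int, List[str]]:
    """Helper addresses that are not inside the server VLAN's subnet, per VLAN."""
    server_net = vlan_networks(svis)[server_vlan]
    bad: Dict[int, List[str]] = {}
    for vid, _, _, helpers in svis:
        outside = [h for h in helpers if ipaddress.IPv4Address(h) not in server_net]
        if outside:
            bad[vid] = outside
    return bad


if __name__ == "__main__":
    exclusions = dhcp_exclusions(SVIS)
    for vid, net in vlan_networks(SVIS).items():
        print(f"vlan {vid}: {net}, exclude gateway {exclusions[vid]} from the DHCP scope")
    print("overlaps:", overlapping_vlans(BAD_SVIS), "misplaced helpers:", misplaced_helpers(BAD_SVIS))
```

The gateway list is what you hand to whoever builds the scopes on the two DHCP servers; the overlap and helper checks are cheap to run every time a VLAN is added to the core switch before VTP pushes it out.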


Check your client switches to confirm they have received the configuration.