How to Enable Dot1x – more complex setup for wired network

In the article prior to this one I showed you how to set up your environment with simple dot1x and keep it as simple as possible. I will not repeat the part about setting up RADIUS clients on the server side; everything else is covered here once again, only more complex. Now it is time for a more complex example that will make your implementation work out of the box for end users; they will probably not even know that you completed the implementation of one nice but fairly complex network security enhancement.

So, as I said, this is a better way to do it because it is less intrusive: people in the office will start using it without a credentials prompt showing up on everybody’s PC.

What needs to be done:

Here are the steps needed on all systems so you do not forget any of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.
1. We will configure the switch for dot1x, but with many more options now.
2. We will create a RADIUS NPS policy to enable our Windows machines to authenticate using a user or computer certificate. (This will let us skip the boring credential prompts mentioned above.) The RADIUS part here skips the RADIUS client configuration covered in the previous article about dot1x.
3. We will set up a new GPO object that will automatically configure all PCs for dot1x.

What will we get using dot1x:

This gives you descriptions of all the options you will need, and the example at the end shows the configuration of all those components together. You will see, it is easy to recognise which command does what. If something is not clear enough, I am fairly quick with my comment replies 😉

Basic

Dot1x allows access to the network only to authenticated users on your wired LAN. It is also used to authenticate users on the corporate WiFi network, but we will skip that part for now.

Give Internet-only access to unauthenticated users

Don’t be cruel; maybe you have some guests in your meeting room. If they connect and get denied, they will tell you your network jacks are not working and blame you for not doing your job as network admin.

“Hey, network is not working in meeting room! Some guest are complaining, is bad publicity :)”

If a user is not authenticated, the switch port where they connected the cable does not give them access to the network. There is an option to use VLAN auto-configuration together with this basic security feature to give unauthenticated users access to the network, but only to an isolated or Internet-only VLAN. Cool.

VLAN auto-configuration

It is also nice to have the user’s port auto-enrolled into that user’s specific VLAN when they authenticate. VLAN auto-configuration lets us give specific users their own VLAN configuration no matter where they are connected. Remember, today most users have notebooks, not desktop PCs, and in the office environment they are probably separated into different VLANs for different departments. You do not want users walking from one office to a colleague’s office, connecting to the wall jack and ending up in a different VLAN every time.

With VLAN auto-configuration, wherever the user connects inside the building, they will be placed in their own VLAN based on their Active Directory group membership. This is really cool.

It is also pretty simple to explain how it works. You create a different NPS network access policy for every VLAN and add a Windows Groups condition to each policy. On every policy you specify the VLAN ID for that group/department and configure the switch as described below. Every policy matched on our RADIUS server then sends the VLAN ID as an attribute to the switch, and the switch configures the port accordingly. Of course you need to have that VLAN created on that switch, don’t be silly.

In our example below, unauthenticated users will be placed in VLAN 99, which is our imaginary Internet-only VLAN with no access to the internal network environment.

Configuration explanation line by line

I’ll give you a line-by-line explanation of those commands, just in case.

The first bullet is for “dot1x system-auth-control” and so on:
◾Enables dot1x globally. Without this nothing dot1x-related will work no matter how hard you configure it :)
◾Enables AAA network security services. You know, authentication, authorisation, accounting, those things.
◾Authentication for logging in to this device will use locally configured users.
◾Authentication for dot1x will use the RADIUS server.
◾Authorisation for network access will also use the RADIUS server.
◾mac-move is permitted, so that a user’s notebook disconnected from the port where it was authenticated can be connected to another switch port and be authenticated automatically.
◾I configure the RADIUS server name.
◾RADIUS server IP address and UDP ports. You can skip the ports, those are the defaults. Specify them only if you would like to use non-standard ports. You don’t really want to do that.
◾RADIUS server pre-shared key.
◾Set the RADIUS source address to be Loopback 1 or any other interface with an IP address that you have. This is the IP that needs to be configured on the RADIUS side as the RADIUS client IP address. See the previous article on how to do that.
◾Enter the GigabitEthernet 1/0/1 interface, or any other interface you want to configure with dot1x (or a range of interfaces).
◾Give it a description.
◾Configure it as an access port.
◾If authentication fails, put this port in VLAN 99 (that is the Guest/Isolated/Internet-only VLAN mentioned above).
◾If authentication does not happen or breaks somehow, for example when the client is not dot1x capable, put that device in VLAN 99 too.
◾Enables dot1x on that port (could be the first command, true!).
◾This is mostly the default, but I enter it to be sure: it allows EAPOL traffic to pass through the port even while the port is in the unauthenticated state, so that future authentication requests from clients can still be received. If it is disabled with “no dot1x pae authenticator”, the port will be dot1x enabled but will block authentication requests, so it will not really work.
◾The tx-period timeout for dot1x speeds up guests entering VLAN 99. Cisco Catalyst switches by default have tx-period set to 30 seconds and max-reauth-req set to 2; the switch waits tx-period × (max-reauth-req + 1) before it gives up on dot1x, so with the default settings your guests in the meeting room will wait 90 seconds after plugging into the wall jack before they get Internet access. In our config it takes about 10 to 15 seconds.
◾You know what spanning-tree portfast is.
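The switch-side snippet those bullets describe does not survive on this page, so here is an added example reconstructed from the bullets above, in the same order; it is not the author’s original configuration. The RADIUS server name (NPS-SERVER), its address (192.0.2.10), the shared secret placeholder, the interface names and the tx-period value of 5 seconds are assumptions; replace them with your own values. VLAN 99 is created explicitly because the switch cannot authorize a port into a VLAN it does not have.

```cisco
! --- Global dot1x and AAA (assumed reconstruction, not the original page's snippet) ---
dot1x system-auth-control
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
!
! --- RADIUS server definition; name, address and key are placeholders ---
radius server NPS-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! All RADIUS traffic is sourced from Loopback1; this is the address that
! must be registered as the RADIUS client on the NPS side
ip radius source-interface Loopback1
!
! --- The guest / Internet-only VLAN must exist before a port can be put into it ---
vlan 99
 name GUEST-INTERNET-ONLY
!
! --- Access port for a user workstation ---
interface GigabitEthernet1/0/1
 description dot1x user port
 switchport mode access
 ! authentication failed -> VLAN 99 (restricted / guest VLAN)
 authentication event fail action authorize vlan 99
 ! no EAPOL answer at all (non-dot1x client) -> VLAN 99 as well
 authentication event no-response action authorize vlan 99
 ! turn dot1x on for this port
 authentication port-control auto
 ! port acts as the 802.1X authenticator and lets EAPOL through while unauthenticated
 dot1x pae authenticator
 ! 5 s x (max-reauth-req 2 + 1) = 15 s until a silent guest lands in VLAN 99
 dot1x timeout tx-period 5
 spanning-tree portfast
```

For the VLAN auto-configuration described earlier, each NPS network policy has to return the standard tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = the VLAN ID) in its Access-Accept; with `aaa authorization network default group radius` in place the switch applies that VLAN to the port instead of the statically configured access VLAN. Check the result with `show authentication sessions interface GigabitEthernet1/0/1`, which lists the method used, the assigned VLAN and whether the session fell back to the guest VLAN.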
3. GPO – Group Policy Object configuration

Group Policy will auto-configure all Windows machines that are members of our domain, and users will not even know that something happened.
◾We will change the default startup setting of the Wired AutoConfig service so that it starts automatically at every boot.
◾We will configure dot1x on client machines to use user or computer certificates to authenticate.
Milan Tomic
