This is again a multipart series, this time about 802.1X wired (switch port) authentication with Windows NPS as the RADIUS server and a Cisco IOS switch. In part I we look at the client/supplicant (Windows 10) and server/RADIUS (Windows NPS) configuration. In part II we will look at the Cisco switch/authenticator configuration.
Let's begin with our topology.
[Figure: Topology for 802.1x wired]
In our topology we have four VLANs: server (id 245 - 172.16.245.0/24), client (id 246 - 172.16.246.0/24), guest (id 247 - 172.16.247.0/24) and mgmt (id 250 - 172.16.250.0/24). The NPS server has the IP address 172.16.245.11/24. The router is the gateway for all of the VLANs. The client will get an IP address from VLAN 246 or VLAN 247 depending on its 802.1x authentication status. The NPS server also acts as the DHCP server for the different networks.
We are testing only dot1x authentication. There is no traffic filtering applied between the client and guest VLANs: whether dot1x places a client into VLAN 246 (client) or VLAN 247 (guest), it has the same level of network access. Here we are testing authentication of wired clients using 802.1x, not restriction of network access using firewall rules.
Before diving into the configuration, let's introduce three terms -
- Supplicant/Client - In dot1x, the supplicant is always the client, for example an end user's computer. It runs 802.1x client software and uses that software to request network access. We are using Windows 10 as the supplicant. Windows has a built-in dot1x client, which is enabled by running the service named "Wired AutoConfig".
- Authenticator/Switch - In wired 802.1x terminology the authenticator is always the switch. The switch acts as a proxy between the supplicant/client and the authentication server: it gathers authentication information from the client and sends it to the authentication server. Depending on the successful/unsuccessful result from the server (NPS/RADIUS), the switch either grants access by placing the switch port into the appropriate access VLAN or denies access by keeping the port closed.
- Authentication Server - The server is responsible for processing the client's authentication request and informing the authenticator/switch whether it was successful or not. In turn, the switch opens or closes the port where the client is connected. In wired 802.1x the authentication server runs the RADIUS protocol. We will configure Windows NPS, which is Microsoft's implementation of RADIUS.
Let's start the configuration.
Supplicant/Client configuration
Our client will be a Windows 10 computer. We will start the Windows service named "Wired AutoConfig". We will do only username/password authentication; certificate-based client authentication is beyond the scope of this article. How we configured the client is shown below in a series of screenshots -
[Figure: 01-Enable Wired AutoConfig Service]
[Figure: 02-Configuring dot1x Client]
[Figure: 03-Configuring dot1x Client (disable certificate validation)]
[Figure: 04-Configuring dot1x Client (enable user authentication)]
If we have done the above steps, then we are done with client configuration.
Authentication Server configuration
We are using Windows NPS as our RADIUS server. I am not covering how to install NPS in Windows; I will just show how to configure the various settings in NPS, again as a series of screenshots.
First we will generate a self-signed certificate on our Windows NPS server using the PowerShell command below; the certificate is needed for PEAP authentication -
New-SelfSignedCertificate -DnsName server01.family.local -CertStoreLocation "cert:\LocalMachine\My"
Then we will create two users named user01 and user02 and assign them to a group named group-dot1x. This group is used in our RADIUS policy for authentication.
[Figure: 01-add-radius-group-user]
[Figure: 02-add-radius-client]
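The server-side steps so far (PEAP certificate, the two users and their group, and the switch as a RADIUS client) as one PowerShell script. This is an added example, not code from the original post; it assumes it runs as Administrator on the NPS server, that the accounts live in Active Directory (RSAT ActiveDirectory module present), and that the client name "switch01" and the shared secret are placeholders you replace.

```powershell
# Added example, not part of the original post. Assumptions: run elevated on the NPS
# server, ActiveDirectory and NPS modules available, accounts are domain accounts.
Import-Module ActiveDirectory
Import-Module NPS

# 1. Self-signed server certificate for PEAP (same command as in the post, ASCII quotes).
$cert = New-SelfSignedCertificate -DnsName 'server01.family.local' `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'
Write-Host "PEAP server certificate thumbprint: $($cert.Thumbprint)"

# 2. Group and users referenced by the network policy (group-dot1x, user01, user02).
$group = 'group-dot1x'
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
foreach ($u in 'user01', 'user02') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        $pw = Read-Host -AsSecureString "Password for $u"
        New-ADUser -Name $u -SamAccountName $u -AccountPassword $pw -Enabled $true
    }
    Add-ADGroupMember -Identity $group -Members $u
}

# 3. Register the switch (mgmt address from the topology) as a RADIUS client.
#    'switch01' is a placeholder name; the secret is read at runtime, never stored here.
$secret = Read-Host 'RADIUS shared secret for the switch'
New-NpsRadiusClient -Name 'switch01' -Address '172.16.250.2' -SharedSecret $secret

# 4. Show what was registered so it can be checked against the screenshots.
Get-NpsRadiusClient | Format-List
```

The client-side screenshots disable server certificate validation for this lab; for anything beyond a lab, import this certificate (or its issuer) on the supplicant and leave validation on, otherwise the supplicant cannot tell this NPS server from a rogue authenticator.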
Then we will create a connection request policy in NPS.
[Figure: 03-connection-request-policy01]
[Figure: 03-connection-request-policy02]
[Figure: 03-connection-request-policy03]
[Figure: 03-connection-request-policy04]
[Figure: 03-connection-request-policy05]
Now we will create a network policy in NPS. The policy checks the conditions for successful authentication: the user must belong to the group named "group-dot1x" and the authentication request must come from the switch (172.16.250.2). Upon successful authentication, the port will be granted access to the network in VLAN 246, the client VLAN (the VLAN is assigned by RADIUS/NPS).
[Figure: 04-network-policy01]
[Figure: 04-network-policy02]
[Figure: 04-network-policy03]
[Figure: 04-network-policy04]
[Figure: 04-network-policy05]
Now we are done with the configuration of two of the three roles in wired 802.1X - supplicant/client and authentication server/RADIUS. In part II, we will configure the last piece of the puzzle, the authenticator/switch, and verify wired 802.1x operation.