Lab: wired 802.1X port authentication using FreeRADIUS

While reviewing some switching, I passed through a few pages regarding 802.1X port authentication.

What is 802.1X?

IEEE 802.1X is a standard that brings port-based access control to wired and wireless networks. Before a switch allows a port to forward traffic, the user connected to that port must authenticate against a RADIUS server (the authentication server). Until the user passes authentication, the only traffic allowed through the port is layer-2 EAP over LAN (EAPoL). The client (the supplicant) cannot contact the authentication server directly, so the switch acts as the authenticator and relays the exchange. Depending on requirements, a guest VLAN and a restricted VLAN can be configured: the guest VLAN is used if the client doesn’t support 802.1X, the restricted VLAN if the client fails to authenticate.

Communication between the client and the authenticator uses EAPoL, while communication between the authenticator and the authentication server uses RADIUS. This is how a successful authentication flow looks:

[Figure dot1x-arr: 802.1X authentication flow between supplicant, authenticator (switch) and authentication server (RADIUS)]
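To make the first half of that flow concrete, here is an added example (not part of the original post) that builds and parses the layer-2 frames exchanged between supplicant and authenticator before any RADIUS traffic exists: EAPOL-Start, EAP-Request/Identity and EAP-Response/Identity. The EtherType, PAE group address and header layouts come from IEEE 802.1X and RFC 3748; the supplicant MAC is the one from the post’s switch output, the authenticator MAC and the frame contents are constructed for the example. The `is_eapol` check is the filter an unauthorized port applies: anything that is not EtherType 0x888E is dropped until the port is authorized.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from IEEE 802.1X and RFC 3748
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03, link-local, never bridged
EAPOL_VERSION = 1

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


@dataclass
class EapolFrame:
    src: str                       # MAC in "aa:bb:cc:dd:ee:ff" form
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_eapol(frame: bytes) -> bool:
    """The pre-authentication filter: only EtherType 0x888E passes an unauthorized port."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def _eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes) -> bytes:
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    header = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body))
    return dst + src + header + body


def eapol_start(supplicant_mac: bytes) -> bytes:
    """Supplicant -> authenticator: 'I want to authenticate' (no body)."""
    return _eapol(PAE_GROUP_ADDRESS, supplicant_mac, 1, b"")


def eap_packet(dst: bytes, src: bytes, code: int, eap_id: int,
               eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Wrap an EAP packet (RFC 3748 section 4: code, id, length, type, data) in an EAPOL EAP-Packet."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    eap = struct.pack("!BBH", code, eap_id, 4 + len(payload)) + payload
    return _eapol(dst, src, 0, eap)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode one frame, rejecting anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    if not is_eapol(frame):
        raise ValueError("not EAPOL; an unauthorized port drops this frame")
    dst, src = frame[0:6], frame[6:12]
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    result = EapolFrame(_mac(src), _mac(dst), EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:
        return result                      # Start/Logoff/Key carry no EAP packet
    if length < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > length:
        raise ValueError("EAP length exceeds EAPOL body")
    result.eap_code = EAP_CODES.get(code, f"unknown({code})")
    result.eap_id = eap_id
    if code in (1, 2) and eap_len >= 5:    # only Request/Response carry a type byte
        result.eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        result.eap_data = body[5:eap_len]
    return result


def identity_exchange(supplicant_mac: bytes, authenticator_mac: bytes, identity: str) -> List[EapolFrame]:
    """Constructed sample of the first three frames of the flow: Start, Request/Identity, Response/Identity."""
    start = eapol_start(supplicant_mac)
    request = eap_packet(supplicant_mac, authenticator_mac, 1, 1, 1)
    response = eap_packet(authenticator_mac, supplicant_mac, 2, 1, 1, identity.encode())
    return [parse_eapol(f) for f in (start, request, response)]


if __name__ == "__main__":
    # Supplicant MAC taken from the post's switch output; authenticator MAC is constructed.
    for f in identity_exchange(bytes.fromhex("001e68495056"), bytes.fromhex("000000000001"), "Andrea.Florio"):
        print(f)
```

After the Response/Identity the authenticator stops talking EAPoL on its own behalf: it copies the EAP packet into a RADIUS Access-Request, which is the other half of the figure.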

For more details I highly recommend reviewing the resources available on Cisco’s website.

Radius server configuration

My “all in one” server is an amazing Raspberry Pi model B, a lovable piece of technology running Debian Linux.

For my setup I’m using FreeRADIUS, but any RADIUS server will do the job. This setup is very simple: it uses all default settings and doesn’t pay particular attention to the security of the server itself. Usernames and passwords are stored in clear text; obviously, real-world installations require a much more secure configuration.

The first part of the configuration is added at the bottom of the file /etc/freeradius/clients.conf. Here we define which devices may talk to the RADIUS server: either the specific IP address of the switch or, for bigger deployments, the entire management subnet. In either case, to be sure that the switches reach the RADIUS server with the expected source IP, use the “ip radius source-interface interface_name” command on the switches. Only one of the two entries is actually needed, but I want to show you both for completeness. In this example the shared secret the switch will use is MySecretPassw0rd.

client 192.168.0.254 {
        secret = MySecretPassw0rd
        shortname = C3550
        nastype = cisco
}

client 192.168.0.0/24 {
        secret = MySecretPassw0rd
        shortname = MGNMT
        nastype = cisco
}

Again, this configuration only allows the switch to talk to the RADIUS server and is NOT related to user authentication.
For users to authenticate, we need to edit /etc/freeradius/users and add an entry for each user.
For my lab, I have created the user Andrea.Florio with password MyPassword.

Andrea.Florio  Cleartext-Password := "MyPassword"

Our configuration is now complete; we only need to restart the RADIUS service.
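The secret in clients.conf is what ties the switch to the server: it never crosses the wire, but it keys the integrity checks on every RADIUS packet. The following added example (my own code, not FreeRADIUS or Cisco code) builds the Access-Request an authenticator sends for an 802.1X client, with the EAP-Message attribute and the Message-Authenticator that RFC 3579 requires for EAP, then builds the matching Access-Accept and verifies both the way the two peers do. The shared secret, username and switch address are the ones from this post; the request authenticator is a fixed constructed value (a real NAS uses 16 random bytes) and the packet identifier is arbitrary.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Iterator, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute after the header; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def build_access_request(identifier: int, request_authenticator: bytes, username: str,
                         eap_response: bytes, nas_ip: str, secret: bytes) -> bytes:
    """Access-Request as the switch sends it: EAP-Message plus HMAC-MD5 Message-Authenticator (RFC 3579 3.2)."""
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
             + attribute(EAP_MESSAGE, eap_response)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # Message-Authenticator is the last attribute, so its value is the tail


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute zeroed; False if absent or mismatched."""
    for offset, atype, value in iter_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                       # RFC 3579 requires it whenever EAP-Message is present


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Accept/Reject whose authenticator = MD5(code+id+length+RequestAuth+attributes+secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    response_authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Switch-side check before trusting an Accept: identifier matches, length sane, authenticator recomputes."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, response_authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)


def sample_exchange() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample: the switch at 192.168.0.254 relays Andrea.Florio's EAP-Response/Identity."""
    secret = b"MySecretPassw0rd"                   # must equal clients.conf 'secret' and the switch's radius-server key
    identity = b"Andrea.Florio"
    eap_response = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity   # EAP Response, id 1, Identity
    request_authenticator = bytes(range(16))       # constructed; a real NAS uses os.urandom(16)
    request = build_access_request(7, request_authenticator, "Andrea.Florio", eap_response, "192.168.0.254", secret)
    eap_success = struct.pack("!BBH", 3, 1, 4)     # EAP Success, same id
    accept = build_response(ACCESS_ACCEPT, request, attribute(EAP_MESSAGE, eap_success), secret)
    return request, accept, secret


if __name__ == "__main__":
    req, acc, key = sample_exchange()
    print("request valid:", verify_message_authenticator(req, key))
    print("accept valid:", verify_response(acc, req, key))
    print("accept valid with wrong secret:", verify_response(acc, req, b"WrongSecret"))
```

Two practical consequences follow from the code: a mismatched secret makes the server silently discard the Access-Request (it does not send a Reject, which is why a wrong key shows up on the switch as a server timeout rather than an authentication failure), and the same secret shared by a whole management subnet, as in the second clients.conf entry, means any host on that subnet can forge an Access-Accept for any switch, so the subnet-wide entry trades convenience for a larger trust boundary.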

Switch configuration

First we create our four VLANs, Management, Guest, Corporate and Restricted, and configure an IP address on the SVI belonging to the Management VLAN.

Switch(config)#vlan 10
Switch(config-vlan)#name GUEST
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name RESTRICTED
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name CORPORATE
Switch(config-vlan)#vlan 99
Switch(config-vlan)#name MNGMT
Switch(config-vlan)#exit
Switch(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------

--- OMITTED ----

10   GUEST                            active
20   RESTRICTED                       active
30   CORPORATE                        active
99   MNGMT                            active

--- OMITTED ----

Switch(config)#int vlan 99
Switch(config-if)#ip add 192.168.0.254 255.255.255.0

Our next step is to enable AAA on the switch and add the details of our RADIUS server.

Switch(config)#aaa new-model
Switch(config)#radius-server host 192.168.0.18 auth-port 1812 acct-port 1813 key MySecretPassw0rd
Switch(config)#ip radius source-interface vlan 99
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#username andrea password cisco

Note that the key we are using is the same secret we configured in clients.conf. Be careful after configuring AAA: “aaa new-model” also changes the login behaviour of the VTY lines, so it is a good idea to configure a local user before accessing the switch remotely. This local user is not related to 802.1X authentication; it is only needed to log in to the switch CLI.

Now it is time to enable and configure 802.1X. Remember that the switch port must be statically configured as an access port, otherwise the dot1x commands are not available on it. In the configuration below, the port will behave as follows:

  • If the client doesn’t support 802.1X, put the client in the GUEST VLAN 10
  • If the client fails to authenticate, put the client in the RESTRICTED VLAN 20
  • The maximum number of authentication attempts will be 1
  • If the client succeeds in authenticating, allow the client to access the CORPORATE VLAN 30

Switch(config)#dot1x system-auth-control
Switch(config)#int fa0/10
Switch(config-if)#do?
down-when-looped

!!!! PORT MUST BE ACCESS !!!!

Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#do?
dot1x    down-when-looped

Switch(config-if)#dot1x guest-vlan 10
Switch(config-if)#dot1x auth-fail vlan 20
Switch(config-if)#dot1x auth-fail max-attempts 1
Switch(config-if)#dot1x port-control auto

The only command that needs explaining is “dot1x port-control”; you have probably noticed that auto is only one of the three available options:

  • auto – Normal 802.1x authentication
  • force-authorized – Do not use 802.1x, port is always authorized
  • force-unauthorized – Do not use 802.1x, port is always unauthorized

Client configuration

The last thing we need to configure is our PC. On Windows we need to go to the Control Panel and enable the Wired AutoConfig service. Once this is done, go to Network and Sharing Center –> Change adapter settings, right-click your NIC and select Properties. If you have enabled the 802.1X service as described above, you’ll find an “Authentication” tab; you can leave the default settings, and the picture shows what I have selected. For advanced options feel free to follow this nice post.

[Image windot1x: Authentication tab of the Windows NIC properties]

Once you plug in the cable, a pop-up appears; all you need to do is click on it and enter your credentials.

[Image desktop_add2: Windows credential pop-up]

[Image desktop_auth2: Windows credential prompt]

Verification

Let’s now verify how the switch reacts when a client tries to connect.

Client is not 802.1x capable

In this case the client doesn’t support 802.1X authentication, so according to our configuration we expect the port to fall back to the GUEST VLAN, and it does:

*Mar  1 00:23:37.459: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
*Mar  1 00:23:38.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down

!!!! NO ANSWER FROM CLIENT, AFTER ABOUT 90 SECONDS... !!!!

*Mar  1 00:25:08.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Switch#sh dot1x interface fastEthernet 0/10 details

Dot1x Info for FastEthernet0/10
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 20
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 10

Dot1x Authenticator Client List Empty

Domain                    = DATA
Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 10

It takes about 90 seconds for the port to time out and fall back to the GUEST VLAN. This matches the values shown above: the switch sends ReAuthMax + 1 = 3 EAP-Request/Identity frames, TxPeriod = 30 seconds apart, before concluding that the client has no supplicant. Also notice that the port stays up/down while the client hasn’t authenticated yet; only afterwards is the line protocol brought up/up.

Successful 802.1x authentication

*Mar  1 00:35:37.699: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up

!!!! AUTH PROMPT ON THE CLIENT, AND AUTH SUCCESS... !!!!

*Mar  1 00:35:47.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Switch#sh dot1x interface fastEthernet 0/10 details

Dot1x Info for FastEthernet0/10
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 20
Auth-Fail-Max-attempts    = 1
Guest-Vlan                = 10

Dot1x Authenticator Client List
-------------------------------

Domain                    = DATA
Supplicant                = 001e.6849.5056
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A

Failed 802.1x authentication

*Mar  1 00:28:02.435: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up

!!!! AUTH PROMPT ON THE CLIENT, AND AUTH FAILED... !!!!

*Mar  1 00:31:14.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Switch#sh dot1x interface fastEthernet 0/10 details

Dot1x Info for FastEthernet0/10
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 20
Auth-Fail-Max-attempts    = 1
Guest-Vlan                = 10

Dot1x Authenticator Client List
-------------------------------

Domain                    = DATA
Supplicant                = 001e.6849.5056
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Auth-Fail-Vlan
Vlan Policy               = 20
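The three captures above differ in only a handful of fields, which makes them easy to check automatically. The following added example (my own code, not from the post or from Cisco) parses the “show dot1x interface … details” output and the syslog lines into an outcome (GUEST, RESTRICTED, CORPORATE or BLOCKED), flags a port whose Auth-Fail-Max-attempts does not match what was configured, and measures how long the port took to go up/up. The sample inputs are trimmed copies of the captures in this post; the expected max-attempts value of 1 is the one from the switch configuration.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Trimmed copies of the three captures shown in the post (constructed sample input).
GUEST_CAPTURE = """\
Dot1x Info for FastEthernet0/10
PortControl               = AUTO
Auth-Fail-Vlan            = 20
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 10
Dot1x Authenticator Client List Empty
Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Vlan Policy               = 10
"""
SUCCESS_CAPTURE = """\
Auth-Fail-Max-attempts    = 1
Supplicant                = 001e.6849.5056
    Auth SM State         = AUTHENTICATED
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A
"""
FAIL_CAPTURE = """\
Auth-Fail-Max-attempts    = 1
Supplicant                = 001e.6849.5056
Port Status               = AUTHORIZED
Authorized By             = Auth-Fail-Vlan
Vlan Policy               = 20
"""
GUEST_LOG = """\
*Mar  1 00:23:37.459: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
*Mar  1 00:23:38.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
*Mar  1 00:25:08.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w \-]*?)\s*=\s*(.+?)\s*$")
SYSLOG = re.compile(r"^\*(\w{3})\s+(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d{3}): %(\S+?): (.*)$")


def parse_details(text: str) -> Dict[str, str]:
    """Turn the 'Key = Value' lines of the show command into a dict; other lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields: Dict[str, str], expected_max_attempts: Optional[int] = None) -> Dict[str, object]:
    """Map the port state to one of the outcomes the configuration was written for."""
    if fields.get("Port Status") != "AUTHORIZED":
        outcome = "BLOCKED"                         # no fallback VLAN applied, port still filtering
    else:
        outcome = {"Authentication Server": "CORPORATE",   # access VLAN applies, hence 'Vlan Policy = N/A'
                   "Guest-Vlan": "GUEST",
                   "Auth-Fail-Vlan": "RESTRICTED"}.get(fields.get("Authorized By", ""), "UNKNOWN")
    warnings: List[str] = []
    if expected_max_attempts is not None and fields.get("Auth-Fail-Max-attempts") != str(expected_max_attempts):
        warnings.append(f"Auth-Fail-Max-attempts is {fields.get('Auth-Fail-Max-attempts')}, "
                        f"expected {expected_max_attempts}")
    if outcome == "RESTRICTED":
        warnings.append(f"failed 802.1X from supplicant {fields.get('Supplicant', 'unknown')}")
    return {"outcome": outcome, "vlan": fields.get("Vlan Policy"),
            "supplicant": fields.get("Supplicant"), "warnings": warnings}


def seconds_to_line_protocol_up(log: str) -> Optional[float]:
    """Seconds between the LINK 'up' and the following LINEPROTO 'up'; None if the pair is not found."""
    link_up = None
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)}", "%b %d %H:%M:%S.%f")
        mnemonic, message = m.group(4), m.group(5)
        if mnemonic == "LINK-3-UPDOWN" and message.endswith("to up"):
            link_up = stamp
        elif mnemonic == "LINEPROTO-5-UPDOWN" and message.endswith("to up") and link_up is not None:
            return (stamp - link_up).total_seconds()
    return None


if __name__ == "__main__":
    for name, capture in (("guest", GUEST_CAPTURE), ("success", SUCCESS_CAPTURE), ("fail", FAIL_CAPTURE)):
        print(name, classify(parse_details(capture), expected_max_attempts=1))
    print("guest fallback took", seconds_to_line_protocol_up(GUEST_LOG), "seconds")
```

Run against the first capture, the check reports Auth-Fail-Max-attempts = 3 against the configured 1, which is exactly the kind of drift between intended and running configuration that is worth catching before a port is put into service.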

  1. #1 by chwilowki on April 11, 2013 - 3:43 pm

    This post is great. I really love it!

  2. #2 by ytd2525 on April 13, 2013 - 9:02 am

    Reblogged this on ytd2525.

  3. #3 by Win Quibids Penny Auctions on April 16, 2013 - 12:57 am

    Hey there, This post is rather educational and fun to read. I am a large follower on the issues blogged about. I also adore reading the comments, but it seems as a whole lot of readers must stay on topic to try and add some thing towards the original topic. I would also encourage all of you to bookmark this write-up for ones most used assistance to assist get the term out. Thanks

  4. #4 by BitCoin Mining on April 19, 2013 - 7:08 am

    Pretty good post. I just stumbled upon your blog and wanted to say that I have extremely enjoyed reading your blog posts. Any way I will be subscribing to your feed and I hope you post again soon.

  5. #5 by acne on April 25, 2013 - 12:55 pm

    Extremely helpful tips is in your website,extremely good write, i will bookmark and visit again.Very best regards!

  6. #6 by tradesman on April 28, 2013 - 9:51 pm

    In all honesty this was a wonderful detailed post nevertheless as with all great authors there are several items that may be worked after. Nevertheless never ever the actual a smaller amount it was interesting.

  7. #7 by house move on May 1, 2013 - 6:01 am

    This is the right blog for anyone who wants to find out about this topic. You realize so much its almost hard to argue with you (not that I actually would wantHaHa). You definitely put a new spin on a topic thats been written about for years. Great stuff, just great!

  8. #8 by авиабилеты омск сургут on May 1, 2013 - 4:44 pm

    I’m not that much of a online reader to be honest but your sites really nice, keep it up!
    I’ll go ahead and bookmark your site to come back down the road. Cheers

  9. #9 by best home security system on May 2, 2013 - 5:55 am

    nice work. I hope to have the expertise one day.
    make up the awesome blogging.

  10. #10 by Eating Healthy on May 3, 2013 - 5:55 am

    Greetings! Very useful advice in this particular post! It is the little changes that make the largest changes.
    Many thanks for sharing!

  11. #11 by Alejandrina on May 3, 2013 - 10:20 am

    Great post friend, keep up the good work.

  12. #12 by Selfshot on May 4, 2013 - 1:50 am

    I learned a lot from reading this, you inspired me.

  13. #13 by transportation on May 6, 2013 - 12:24 pm

    you have a great blog here! would you like to make some invite posts on my blog?

  14. #14 by Darnell on May 7, 2013 - 7:29 pm

    Simply want to say your article is as astonishing.
    The clearness to your submit is just nice and i
    could think you are a professional in this subject.
    Fine together with your permission allow me to seize your feed to stay
    updated with approaching post. Thanks a million and
    please carry on the rewarding work.

  15. #15 by Kerrie on May 8, 2013 - 5:53 am

    This is a wonderful entry, you made it enjoyable to read.

  16. #16 by Oliver on May 16, 2013 - 9:22 am

    Excellent article. I’m going through many of these issues as well..

  17. #17 by Draw Something 2 Cheats on May 18, 2013 - 1:46 pm

    I’m so happy to read this. This is the type of manual that needs to be given and not the accidental misinformation that is at the other blogs. Appreciate your sharing this best doc.

  18. #18 by http://wiki.Gamecp.com/ on May 19, 2013 - 9:41 am

    Excellent site you’ve got here.. It’s hard to find quality writing like yours
    nowadays. I seriously appreciate individuals like you!

    Take care!!

  19. #19 by Darrel on May 22, 2013 - 11:44 am

    I am in fact grateful to the owner of this web site who has shared this fantastic article at here.

  20. #20 by Sofia Fillers on May 22, 2013 - 10:11 pm

    I simply want to say I am beginner to blogging and absolutely enjoyed you’re web blog. Probably I’m planning to bookmark your blog post . You really have awesome well written articles. Bless you for sharing your web site.

  21. #21 by 秋冬 ブーツ 格安通販 on December 23, 2013 - 11:46 am

    There’s definitely a lot to know about this issue.
    I love all of the points you’ve made.

  22. #22 by Cisco on January 28, 2014 - 1:54 pm

    Thanks for your post, very interesting :9
