
Monday, June 6, 2011

802.1x - Maipu Configurations


As discussed in the last post, in this section we will see 802.1x configuration examples for Maipu routers and switches. Here I cover client-based authentication, MAC-based authentication and RADIUS-based authentication.

Device Used - MP 1800 series

Let's see the client-based authentication scenario -

802.1X Client Authentication

Topology Details
As shown in the diagram, one user is connected to port 0/1 of the device. The device manager wants to perform 802.1X authentication for the user accessing this port, so as to control access to the Internet.

Requirements:
  1. During the authentication, use the RADIUS authentication mode (the keys on the device and the server are both set to maipu).
  2. When the user has not passed the authentication, the user can still access the Update Server (the Update Server is in VLAN 10).
  3. After passing the authentication, the user can access the Internet (the port of the device connected to the Internet is in VLAN 5).
  4. After the user passes the authentication, the other users on the port can access the Internet without authentication.

Topology

802.1x configuration diagram

Description

A host accesses the network via 802.1X authentication. The authentication server is a RADIUS server. Port 0/1, to which the client host (Supplicant) connects, is in VLAN 1; the authentication server is in VLAN 2; the Update Server, which is used for downloading and upgrading the client software, is in VLAN 10; port 0/2, which connects the switch to the Internet, is in VLAN 5.

Configuration-

Command (the description of each command is indented below it)

router#conf terminal
    Enter the configuration mode
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default radius
    Configure AAA to use the RADIUS authentication mode
router(config)#radius-server host 128.255.42.1 key maipu
    Configure the RADIUS server address and key
router(config)#vlan 2
    Create VLAN 2
router(config-vlan2)#exit
    Exit the VLAN configuration mode
router(config)#port 0/3
    Enter the port configuration mode
router(config-port-0/3)#port access vlan 2
    Add port 0/3 into VLAN 2
router(config-port-0/3)#exit
    Exit the port configuration mode
router(config)#interface vlan 2
    Enter the interface configuration mode
router(config-if-vlan2)#ip address 128.255.42.10 255.255.255.0
    Configure the address of the VLAN 2 interface
router(config-if-vlan2)#exit
    Exit the interface configuration mode
router(config)#vlan 5
    Create VLAN 5
router(config-vlan5)#exit
    Exit the VLAN configuration mode
router(config)#port 0/2
    Enter the port configuration mode
router(config-port-0/2)#port access vlan 5
    Add port 0/2 into VLAN 5
router(config-port-0/2)#exit
    Exit the port configuration mode
router(config)#vlan 10
    Create VLAN 10
router(config-vlan10)#exit
    Exit the VLAN configuration mode
router(config)#port 0/4
    Enter the port configuration mode
router(config-port-0/4)#port access vlan 10
    Add port 0/4 into VLAN 10
router(config-port-0/4)#port 0/1
    Switch to the port 0/1 configuration mode
router(config-port-0/1)#dot1x port-control enable
    Enable the 802.1X authentication mode
router(config-port-0/1)#dot1x port-method portbased
    Configure the port-based access control mode
router(config-port-0/1)#dot1x guest-vlan 10
    Configure VLAN 10 as the guest VLAN
router(config-port-0/1)#exit
    Exit the port configuration mode
router(config)#



802.1x configuration diagram

Port 0/1 is added into the Guest VLAN, so the supplicant and the Update Server are both in VLAN 10 at this point. The supplicant can access the Update Server and download the 802.1X client:


802.1x configuration diagram

When the user passes the authentication and is online, the authentication server assigns VLAN 5. Now the supplicant and port 0/2 are both in VLAN 5, and the supplicant can access the Internet.

Let's have a look at MAC-based authentication -

MAC Address Authentication

Local Authentication

Topology Details - 

As shown in the diagram, one user is connected to port 0/0 of the device. The device manager wants to perform MAC address authentication for the user accessing this port, so as to control access to the Internet.

Requirements:
  1. The device detects whether the user is offline at an interval of 120s.
  2. After the user's authentication fails, authentication can be attempted again only after 5 minutes.
  3. During the authentication, use the local authentication mode.
  4. Use the source MAC of the user as the user name and password; the MAC address uses the hyphen "-" as separator.


Topology

Local authentication mode

Configuration

Command (the description of each command is indented below it)

router#conf terminal
    Enter the configuration mode
router(config)#user 00-01-7a-22-22-33 password 0 00-01-7a-22-22-33
    Configure the local user; the user name and password are both the MAC address of the user to be connected, 00-01-7a-22-22-33
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default local
    Configure AAA to use the local authentication mode
router(config)#port 0/0
    Enter the port configuration mode
router(config-port-0/0)#dot1x timeout offline-detect 120
    Perform offline detection for the user at an interval of 120s
router(config-port-0/0)#dot1x timeout quiet-period 300
    Configure the quiet time after a failed authentication as 5 minutes (300s)
router(config-port-0/0)#dot1x mac-authentication enable
    Enable the MAC authentication function on the port
router(config-port-0/0)#dot1x mac-authentication user-name-format mac-address with-hyphen
    Configure the MAC authentication user name format: use the MAC address with hyphens as the user name and password (this option is the default configuration)
router(config-port-0/0)#exit
    Exit the port configuration mode

The show running-config command is used to view the current configuration information:

router#show running-config
Building Configuration...done
……
user 00-01-7a-22-22-33 password 0 00-01-7a-22-22-33
……
aaa new-model
aaa authentication connection default local
……
port 0/0
 dot1x timeout offline-detect 120
 dot1x timeout quiet-period 300
 dot1x mac-authentication enable
 exit
……

Let's have a look at RADIUS authentication -

RADIUS Authentication

Topology Details

As shown in the diagram, one user is connected to port 0/0 of the device. The device manager wants to perform MAC address authentication for the user accessing this port, so as to control access to the Internet.

Requirements:
  1. The device detects whether the user is offline at an interval of 120s.
  2. After the user's authentication fails, authentication can be attempted again only after 5 minutes.
  3. During the authentication, use the RADIUS authentication mode (set the keys on the device and the server to maipu).
  4. During the authentication, use the fixed user name format; the user name is abcd and the password is 1234.


Topology

Radius authentication mode
Configuration

Note -
When using RADIUS authentication, make sure that the route between the device and the RADIUS server is available, and that the user name and password have been added successfully on the RADIUS server.
Command (the description of each command is indented below it)

router#conf terminal
    Enter the configuration mode
router(config)#aaa new-model
    Enable the AAA mode
router(config)#aaa authentication connection default radius
    Configure AAA to use the RADIUS authentication mode
router(config)#radius-server host 128.255.42.1 key maipu
    Configure the RADIUS server address and key
router(config)#interface vlan 1
    Enter the interface configuration mode
router(config-if-vlan1)#ip address 128.255.42.10 255.255.255.0
    Configure the address of the VLAN 1 interface
router(config-if-vlan1)#exit
    Exit the interface configuration mode
router(config)#port 0/0
    Enter the port configuration mode
router(config-port-0/0)#dot1x timeout offline-detect 120
    Perform offline detection for the user at an interval of 120s
router(config-port-0/0)#dot1x timeout quiet-period 300
    Configure the quiet time after a failed authentication as 5 minutes (300s)
router(config-port-0/0)#dot1x mac-authentication enable
    Enable the MAC authentication function on the port
router(config-port-0/0)#dot1x mac-authentication user-name-format fixed account abcd password 1234
    Configure the MAC authentication user name format as fixed; the user name is abcd and the password is 1234
router(config-port-0/0)#exit
    Exit the port configuration mode


The show running-config command can be used to view the current configuration information:

router#show running-config
Building Configuration...done
……
aaa new-model
aaa authentication connection default radius
……
port 0/0
 dot1x timeout offline-detect 120
 dot1x timeout quiet-period 300
 dot1x mac-authentication enable
 dot1x mac-authentication user-name-format fixed account abcd password 1234
 exit
……
interface vlan1
 ip address 128.255.42.10 255.255.255.0
 exit
radius-server host 128.255.42.1 auth-port 1645 acct-port 1646 priority 0 key maipu
……

Monitoring Commands

Command (the description of each command is indented below it)

show dot1x
    Display the default parameter information of 802.1x
show dot1x statistic
    Display the 802.1x statistics information
show dot1x user {port|link-aggregation|summary}
    Display the 802.1x user information of the specified port. If no port is specified, display all user information. If summary is given, display the user quantity information.
show dot1x config {port|link-aggregation}
    Display the 802.1x configuration of the specified port; if no port is specified, display the 802.1x configuration of all ports (ports without any 802.1x configuration are not displayed)


For the environment and configuration, refer to the client-based authentication scenario above.

router#show dot1x user

Displayed result:
NO.  VLAN  MAC_ADDRESS     PORT NAME  STATUS        IP_ADDRESS      USERTYPE  USERNAME
---  ----  --------------  ---------  ------------  --------------  --------  --------
1    10    0005.5de4.0e25  port 0/1   Unauthorized  128.255.42.111  DOT1X     abcd
     Total: 1   Authorized: 0   Unauthorized: 1   Unknown: 0

Description and analysis:
NO.: user serial number
VLAN: the VLAN of the user port
MAC_ADDRESS: user MAC address
PORT NAME: port name
STATUS: user authorization status
IP_ADDRESS: user IP address
USERTYPE: the user type (DOT1X user or MAC authentication user)
USERNAME: user name

Debug Command

View the user login authentication information via the command debug dot1x all.

Hope these configurations help you with your 802.1x deployments.

For any queries and feedback, please put a comment with your name and mail id. You can use the Name/URL option in the profile.



Friday, June 3, 2011

802.1x - Maipu


In this section, we will look at 802.1x authentication on Maipu routers and switches. As we all know, 802.1x is the port-based authentication used on switches. Let's see about it.

802.1X is a broadband access authentication solution put forward by IEEE in June 2001. It defines Port-Based Network Access Control. By utilizing the physical access features of LANs in the IEEE 802 architecture, 802.1X provides a method for authenticating and authorizing devices that access LAN ports over point-to-point connections.

802.1X features:
  1. Terse solution: 802.1X only concerns enabling and disabling a port. The port is enabled when a legitimate user (by user name and password) accesses it, and disabled when an illegitimate user or no user accesses it. The result of the authentication is reflected in the port status. This is the simplest way to realize authentication among the various authentication technologies.
  2. The EAP protocol used by 802.1X only defines the means of carrying authentication information, but doesn't define a concrete authentication mechanism. The authentication mechanism can be selected flexibly (including Smart Card, Kerberos, Public Key Encryption and One Time Password).
  3. IEEE 802.1X is a layer 2 protocol and does not need to reach layer 3. In the authentication process, the client system doesn't need an IP address. When the authentication begins, the EAPOL frame uses 01-80-c2-00-00-03 as the destination MAC address, and the MAC address of the sender as the source MAC address.
  4. It adopts pure Ethernet technology, so there is no encapsulation problem for the packets of a user that has passed authentication. Therefore the efficiency is high and the network bottleneck is removed.
  5. After a user passes the authentication, the service flow and the authentication flow are separated, and there is no special requirement for processing the subsequent data packets. Services can be very flexible, which is a great advantage when developing services like broadband multicasting. No service is limited by the authentication mode. Meanwhile, the charging mode can be chosen flexibly, and charging according to the user's connection duration is supported.
  6. 802.1X realizes dispersed access control (performed by the Ethernet switch close to the user that supports the 802.1X protocol) and centralized authentication management (supporting RADIUS and TACACS+ servers). The whole authentication structure is harmonious.



Maipu series switches not only support the standard 802.1X protocol but also extend and optimize it to meet various application demands.

  1. Multiple user access via one port is supported. The standard 802.1X protocol is realized based on the port, which means that as long as one user on the port is authenticated successfully, other users can use the network resources without authentication; when that user goes offline, the other users are also denied network access. Maipu series switches support user-based authentication (based on MAC addresses). When the port is configured for user-based authentication, each user on the port needs to be authenticated separately, and only a user who has passed the authentication can use the network resources. If one user goes offline, only that user loses network access; it doesn't affect the other authenticated users.
  2. EAP termination is supported. The standard 802.1X protocol prescribes that the client interacts with the authentication server via EAP packets, and the device serves as the "EAP relay" in the interaction: it encapsulates the EAP data from the client into another protocol, such as the RADIUS protocol, and then transmits it to the authentication server. In the same way, the device encapsulates the EAP data sent from the authentication server into EAPOL packets and transmits them to the client. We call this kind of interaction the EAP relay. The EAP relay requires that the authentication server supports the EAP protocol; otherwise the authentication server cannot interact with the client using EAP. Considering the practical application environment, an authentication server that was deployed earlier may not support the EAP protocol. Maipu series switches extend this and support the EAP termination mode. The EAP data from the client is not transmitted directly to the authentication server; instead the device completes the EAP interaction with the client itself, picks up the user's authentication information and then transmits it to the authentication server for authentication.
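The EAPOL framing from feature 3 and the EAP relay versus EAP termination handling from point 2, as an added Python example that is not Maipu's code or part of the original post. It assumes the standard encodings (EtherType 0x888E for EAPOL, RADIUS attribute 79 EAP-Message and 1 User-Name); the supplicant MAC and user name are the ones from the show dot1x user output earlier on this page, and the termination path shows only the identity step, not the password exchange that follows.

```python
import struct

# From the post: EAPOL frames go to 01-80-c2-00-00-03 and carry no IP header at all.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
ETHERTYPE_EAPOL = 0x888E                      # IEEE 802.1X EtherType (assumed, standard value)
EAPOL_EAP_PACKET, EAPOL_START = 0, 1           # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1         # EAP code / EAP type
RADIUS_USER_NAME, RADIUS_EAP_MESSAGE = 1, 79   # RADIUS attribute numbers
AVP_VALUE_MAX = 253                            # one RADIUS attribute holds at most 253 value bytes

def build_eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Supplicant side: Ethernet header + 4-byte EAPOL header (version, type, length) + body."""
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)

def build_eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity: code, id, total length, type, identity string."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data

def parse_eapol_frame(frame: bytes) -> dict:
    """Authenticator side: accept only well-formed EAPOL sent to the PAE group address."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    if dst != PAE_GROUP_MAC:
        raise ValueError("EAPOL frame not addressed to the PAE group address")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"src": src, "version": version, "type": eapol_type, "body": body}

def radius_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, length (including the 2 header bytes), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def relay_to_radius(eap_packet: bytes) -> bytes:
    """EAP relay: the device forwards the EAP packet untouched, split across EAP-Message AVPs."""
    return b"".join(radius_avp(RADIUS_EAP_MESSAGE, eap_packet[i:i + AVP_VALUE_MAX])
                    for i in range(0, len(eap_packet), AVP_VALUE_MAX))

def terminate_eap(eap_packet: bytes) -> bytes:
    """EAP termination: the device ends EAP itself and passes the extracted identity as User-Name."""
    if len(eap_packet) < 5:
        raise ValueError("EAP packet too short")
    code, _eap_id, length = struct.unpack("!BBH", eap_packet[:4])
    if code != EAP_RESPONSE or length > len(eap_packet) or eap_packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Response/Identity")
    return radius_avp(RADIUS_USER_NAME, eap_packet[5:length])

if __name__ == "__main__":
    # Constructed sample: supplicant MAC 0005.5de4.0e25 and user abcd from the show dot1x user output.
    supplicant = bytes.fromhex("00055de40e25")
    frame = build_eapol_frame(supplicant, EAPOL_EAP_PACKET, build_eap_identity_response(1, "abcd"))
    eap = parse_eapol_frame(frame)["body"]
    print("relay     :", relay_to_radius(eap).hex())
    print("terminate :", terminate_eap(eap).hex())
```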


After an 802.1X user passes authentication on the server, the server transmits the authorization information to the device. If the VLAN assigning function is enabled on the server, the assigned VLAN information is included in the authorization information, and the device adds the port to the assigned VLAN. We call the assigned VLAN the Auto VLAN.
  1. If the RADIUS server's authorization information doesn't contain assigned VLAN information, the VLAN attributes of the port are not changed after the authentication is passed.
  2. If the RADIUS server's authorization information contains assigned VLAN information, the device checks whether the assigned Auto VLAN exists after the authentication is passed. If it exists, the port is added into the Auto VLAN in untagged mode, and the default VID of the port becomes the VID of the Auto VLAN; if the Auto VLAN doesn't exist, the VLAN attributes of the port are not changed, and the authentication fails.
  3. After the user goes offline, the port returns to the "not authenticated" status and is deleted from the Auto VLAN. The default VID of the port also returns to the original VID.


The assigned Auto VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the user-configured VLAN (that is, the Config VLAN), it is the Auto VLAN that takes effect after a user passes authentication. The user-configured VLAN takes effect again after the user goes offline.
The three RADIUS attributes associated with the VLAN assignment feature are as follows:
  1. [64] Tunnel-Type = VLAN
  2. [65] Tunnel-Medium-Type = 802
  3. [81] Tunnel-Private-Group-ID = VLAN ID


Note

  1. Auto VLAN cannot be applied to a dynamic VLAN; for example, if the VLAN ID specified by the Auto VLAN is a VLAN automatically created by GVRP, the authentication of the 802.1x user may fail.
  2. To ensure the normal operation of the various functions, assign different VLAN IDs to the voice VLAN, private VLAN and 802.1x Auto VLAN.



The Guest VLAN function is used to permit a not-yet-authenticated user to access some special resources. The user's authentication port belongs to a default VLAN (that is, the Guest VLAN) before it passes the 802.1X authentication.

Users can access the resources of that VLAN without authentication, but cannot access other network resources; after the authentication is passed, the port leaves the Guest VLAN and the user can access the other network resources.

Users obtain the 802.1X client software from the Guest VLAN to upgrade the client, or run other upgrade programs (such as anti-virus software or operating system patches). After the Guest VLAN is configured successfully on a port, the port is added into the Guest VLAN by the device.

After the 802.1X feature is enabled and the Guest VLAN is correctly configured, the port is added into the Guest VLAN in untagged mode. At this point, the user on the port, in the Guest VLAN, initiates authentication. If the authentication fails, the port stays in the Guest VLAN; otherwise, one of two cases occurs:

  1. If the authentication server assigns a VLAN, the port leaves the Guest VLAN and joins the assigned VLAN. If the user goes offline, the port returns to the Guest VLAN.
  2. If the authentication server doesn't assign any VLAN, the port leaves the Guest VLAN and joins the Config VLAN. If the user goes offline, the port returns to the Guest VLAN.

Note
The guest VLAN of a port cannot be applied to a dynamic VLAN; for example, if the VLAN ID specified by the guest VLAN is a VLAN automatically created by GVRP, the guest VLAN can be configured successfully, but it does not take effect.
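The Auto VLAN and Guest VLAN rules above (the three RADIUS attributes, the "assigned VLAN must exist" check, and where the port sits before, after and without an assignment), as an added Python example that is not part of the post or of Maipu's implementation. It assumes the RFC 2868 tagged encoding of the three attributes and the RFC 3580 values Tunnel-Type VLAN = 13 and Tunnel-Medium-Type IEEE-802 = 6; the Access-Accept attribute bytes are constructed.

```python
# Attribute numbers as listed in the post; the VLAN / IEEE-802 values are the RFC 3580
# encodings and are an assumption of this example, not something the post states.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_avps(payload: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting malformed lengths."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        avps.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return avps

def _tagged(value: bytes, is_string: bool) -> tuple:
    """RFC 2868 tagged value: 1-byte tag + 3-byte integer, or a string whose tag is optional."""
    if is_string:
        has_tag = bool(value) and value[0] <= 0x1F
        return (value[0] if has_tag else 0), value[1 if has_tag else 0:].decode(errors="replace")
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")

def assigned_vlan(accept_attrs: bytes):
    """VLAN ID the server assigns, or None when the three attributes are absent or inconsistent."""
    groups = {}
    for t, v in parse_avps(accept_attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = _tagged(v, t == TUNNEL_PRIVATE_GROUP_ID)
            groups.setdefault(tag, {})[t] = val
    for attrs in groups.values():   # all three attributes must carry the same tag
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None

def vlan_assignment_attrs(vid: int, tag: int = 1) -> bytes:
    """Constructed Access-Accept attributes, as a server assigning `vid` would send them."""
    def avp(t, v): return bytes([t, 2 + len(v)]) + v
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode()))

def port_vlan_after_auth(accept_attrs: bytes, existing_vlans: set, config_vlan: int,
                         guest_vlan, auth_ok: bool) -> tuple:
    """Apply the post's rules and return (port state, VLAN the port ends up in)."""
    idle_vlan = guest_vlan if guest_vlan is not None else config_vlan  # where an unauthorized port sits
    if not auth_ok:
        return "unauthorized", idle_vlan
    vid = assigned_vlan(accept_attrs)
    if vid is None:                  # nothing assigned: the Config VLAN stays in effect
        return "authorized", config_vlan
    if vid not in existing_vlans:    # Auto VLAN does not exist: authentication fails
        return "failed", idle_vlan
    return "authorized", vid         # Auto VLAN overrides the Config VLAN
```

With the first scenario's values (port in VLAN 1, guest VLAN 10, server assigning VLAN 5), the port ends in VLAN 5 only because VLAN 5 was created on the device; assigning a VLAN that does not exist leaves the port in the guest VLAN with the authentication failed.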


In the next post I will share the 802.1x configuration for the Maipu 1800 router, which has built-in switch ports.

Hope this theory is useful for you.

For any feedback and queries, please put a comment with your name and mail id.
