If your LAN extends to places where unauthorised people can simply plug in and gain access to your protected network, it is time to implement some security on your access switches. The best option is IEEE 802.1X port-based authentication, which enables user/machine authentication and prevents unauthorized devices from bringing a switch port up when they connect. IEEE 802.1X port-based authentication is usually called simply dot1x.
In this article I will show you how to configure basic dot1x on the switch side. I will also include the Windows machine side of the configuration, as most people presume it works out of the box, which is not the case. The RADIUS server policy is fairly simple, so a screenshot of the policy will get you going. To get dot1x running you need to configure:
- RADIUS server, which will be our Authentication Server
- Access switch, which connects users to the LAN, will be our RADIUS client, or in dot1x lingo the Authenticator
- Client user machines, which are connected to the RJ45 sockets on the wall and thus to your access switch, are known in dot1x as the Supplicant
Radius server config
I will assume you have a Windows Server in your business environment, as this is mostly the case. The Network Policy Server (NPS) role needs to be installed on the Active Directory server and a network policy needs to be created in order to make that server an authentication server.
This is the “NPS Policy for dot1x” policy example. It basically has only the NAS Port Type condition set to Ethernet, so that it matches only dot1x authentication requests sent to our RADIUS server:
One more thing, which is an additional security feature against bogus RADIUS clients: every device that will use this RADIUS server as its authentication server needs to be configured on that server as a RADIUS client. So every switch configured for dot1x that sends requests to our RADIUS server needs to be added to the server as a RADIUS client. This is done by giving the server the switch's IP address and a shared key.
RADIUS client addition. Remember, our RADIUS client is our access switch, which will send the authentication requests to our RADIUS server:
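The same RADIUS client registration can be done from PowerShell on the NPS server instead of clicking through the NPS console. The block below is an added example, not part of the original article or Microsoft's documentation. It assumes an elevated PowerShell session on the NPS server (the NPS module ships with the role), that `New-NpsRadiusClient` and `Get-NpsRadiusClient` expose the `Name`, `Address`, `SharedSecret`, `VendorName` and `Enabled` members used here, and it uses the placeholder client name SW1; the address is the switch's RADIUS source address from the article (10.10.10.111). The shared secret is prompted for rather than hard-coded so it does not end up in shell history.

```powershell
# Added example: register the access switch as a RADIUS client on NPS.
# Run elevated on the NPS server. SW1 is a placeholder name for the switch;
# the address matches "ip radius source-interface loopback 1" on the switch.
Import-Module NPS

$clientName = 'SW1'            # placeholder name for the access switch
$clientAddr = '10.10.10.111'   # loopback address the switch sources RADIUS from

# Prompt for the shared key so it is not stored in the script or shell history.
$secure      = Read-Host -AsSecureString -Prompt "Shared secret for $clientName"
$plainSecret = [System.Net.NetworkCredential]::new('', $secure).Password

# Refuse to create a duplicate entry for the same NAS address; NPS matches
# incoming requests on source IP, so two clients with one address is a misconfiguration.
$existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $clientAddr }
if ($existing) {
    throw "A RADIUS client for $clientAddr is already defined: $($existing.Name)"
}

# VendorName selects the vendor-specific attribute dictionary; Cisco is used
# here because the authenticator in the article is a Cisco access switch.
New-NpsRadiusClient -Name $clientName -Address $clientAddr `
                    -SharedSecret $plainSecret -VendorName 'Cisco'

# Confirm the client exists and is enabled before testing dot1x from the switch.
Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $clientName } |
    Format-Table Name, Address, Enabled, VendorName
```

The secret entered here must be byte-for-byte identical to the `key` configured on the switch below; a mismatch shows up on the NPS side as requests being discarded with a bad authenticator rather than as a clean reject.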
Access Switch config
Access switch configuration is fairly straightforward and includes:
- Radius server definition
- Dot1x global configuration
- Per-interface dot1x configuration
If we wanted the simplest configuration possible, following the above list, it would look something like this:
Note that ip radius source-interface loopback 1 will be some other interface with an IP address configured on your switch. This is the address of the RADIUS client that you configured above on the RADIUS server in the RADIUS client settings: the 10.10.10.111 address.
SW1(config)# interface Loopback 1
SW1(config-if)# ip address 10.10.10.111 255.255.255.0
SW1(config-if)# end
SW1# configure terminal
SW1(config)# radius-server host 10.10.10.100 key 123456
SW1(config)# ip radius source-interface loopback 1
SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# interface Gi1/1
SW1(config-if)# dot1x port-control auto
SW1(config-if)# end
If your switch is running a newer IOS version (like 150-2.SE6), your RADIUS server definition will be slightly different from the one above. It will look like this:
SW1# configure terminal
SW1(config)# radius server MYRADIUSNAME
SW1(config-radius-server)# address ipv4 192.168.1.122 auth-port 1645 acct-port 1646
SW1(config-radius-server)# key 123456
SW1(config-radius-server)# end
That will do. We configured the RADIUS server on the switch with its IP address and the RADIUS client pre-shared key (the same one configured on the server side above). After that we enabled dot1x authentication globally and, under aaa new-model, told the switch to use the RADIUS group for dot1x authentication. Finally we enabled dot1x on interface GigabitEthernet 1/1 for the clients connected to it.
If someone connects to Gi1/1 with a Windows machine or any other device, it will only get connectivity if it supports dot1x and has the credentials needed to authenticate with the RADIUS server.
More options are available for handling unauthenticated users and the different kinds of clients that may connect. I will cover a more complex dot1x switch configuration in a separate article, to be published soon, for the more enthusiastic part of the audience.
Windows client machine config
It's simple: Windows machines do not run the Wired AutoConfig service by default, so dot1x is disabled on them out of the box. You should change that service's startup type to Automatic (it is stopped by default) and restart your computer in order to get going with dot1x.
After that, chances are everything will work fine and you will be asked for credentials every time you connect to an access port on the wall inside your organisation.
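The service change above can be scripted and verified from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes Windows 10 or later with PowerShell 5 (for the `StartType` property on service objects), and uses the service's short name dot3svc, which is what Windows registers for "Wired AutoConfig". The netsh lan commands at the end are the stock Windows tools for inspecting 802.1X state on wired adapters.

```powershell
# Added example: enable the Wired AutoConfig service (dot3svc) so the wired
# adapter runs an 802.1X supplicant, then inspect its 802.1X state.
# Run from an elevated PowerShell prompt on the client machine.
$svc = Get-Service -Name dot3svc   # display name: "Wired AutoConfig"

# Make the service start with Windows so dot1x survives a reboot.
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name dot3svc -StartupType Automatic
}

# Start it now so the supplicant is active on the next link-up without a reboot.
if ($svc.Status -ne 'Running') {
    Start-Service -Name dot3svc
}

# Verify the service state after the change.
Get-Service -Name dot3svc | Format-Table Name, DisplayName, Status, StartType

# List wired interfaces with their authentication state; an interface on a port
# without dot1x reports that the network does not support authentication.
netsh lan show interfaces

# Show the wired 802.1X profile(s) applied, including the EAP method and
# whether user, computer, or user-or-computer authentication is configured.
netsh lan show profiles
```

If the machine is already connected when the service starts, unplug and replug the cable (or disable and re-enable the adapter) so the switch restarts the EAPOL exchange; until then the port stays in the unauthorized state described in the switch section.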
Ahhh… don't you have to configure the switchport with dot1x?
I did the same config, the client could authenticate using dot1x, but now the server is unable to reach its gateway in order to get a DHCP IP address for my clients.