This one is long. Do not be afraid though, I made it just to give you the fastest way to deploy functional dot1x to your company HQ without reading even more documentation and searching for those little timer default settings.
In the article prior to this one I showed you how to set up your environment with simple dot1x and keep it as simple as possible. I will not repeat the part about setting up Radius clients on the server side; everything else is here once again, just in a more complex form. Now it is time for a more complex example that will make your implementation work out-of-the-box for end users, who will probably not even notice that you completed the implementation of one nice but fairly complex network security enhancement.
So, as I said, this is a better way to do it because it is less intrusive: people in the office will start using it without prompts suddenly showing up on everybody’s PC.
What needs to be done:
Here are the steps needed on all systems, so that you do not forget one of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.
- We will configure the switch for dot1x, but with many more options this time.
- We will create a Radius NPS policy that lets our Windows machines authenticate using a user or computer certificate. (This lets us skip the boring credential prompts mentioned above.) The Radius part here skips the Radius client configuration covered in the previous article about dot1x.
- We will set up a new GPO object that automatically configures all PCs for dot1x.
What will we get using dot1x:
This article gives you descriptions of all the options you will need, and the example at the end shows the configuration of all those components together. You will see, it will be easy to recognise which command does what. If something is not clear enough, I am fairly quick with my comment replies 😉
Dot1x allows network access only to authenticated users on your wired LAN. It is also used to authenticate users on the corporate WiFi network, but we will skip that part now.
Give unauthenticated users Internet access only
Don’t be cruel, maybe you have some guests in your meeting room. If they connect and get denied, they will tell you your network jacks are not working and blame you for not doing your job as network admin.
“Hey, the network is not working in the meeting room! Some guests are complaining, it’s bad publicity :)”
If the users are not authenticated, the switch port where they connected the cable does not give them access to the network. There is an option to use VLAN auto-configuration in conjunction with this basic security feature to give unauthenticated users access to the network, but only to some isolated or Internet-only VLAN. Cool.
It is also nice to have the user’s port automatically placed in the specific user VLAN when they authenticate. VLAN auto-configuration lets us give a specific user their own VLAN configuration no matter where they are connected. Remember, today most users have notebooks, not desktop PCs, and in an office environment they are probably separated into different VLANs for different departments. You do not want users who walk from one office to a colleague’s office, connect to the wall and end up in a different VLAN every time.
With VLAN auto-configuration, wherever the user connects inside the building they will be placed in their own VLAN based on their Active Directory group membership. This is really cool.
It is also pretty simple to explain how it works. You create a different NPS network access policy for every VLAN and add a Windows Group condition to each policy. In every policy you specify the VLAN ID for that group/department and configure the switch as shown below. Every matched policy on our Radius server will then send the VLAN ID as an attribute to the switch, and the switch will configure the port accordingly. Of course you need to have that VLAN created on that switch, don’t be silly.
In our example below, unauthenticated users will be placed in VLAN 99, which is our imaginary Internet-only VLAN with no access to the internal network environment.
Our “complex” configuration example
1. Switch configuration
dot1x system-auth-control
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
radius server MYRADIUS
 address ipv4 10.10.10.100 auth-port 1645 acct-port 1646
 key 123456
ip radius source-interface Loopback 1
interface GigabitEthernet1/0/1
 description THIS IS DOT1X ENABLED INTERFACE
 switchport mode access
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
Configuration explanation line by line
I’ll give you a line-by-line explanation of the commands entered above, just in case.
The first bullet is for “dot1x system-auth-control”, and so on:
- Enables dot1x globally. Without this nothing dot1x-related will work, no matter how hard you configure it 🙂
- Enables AAA network security services. You know, authentication, authorisation, accounting, those things.
- Authentication for logging in to this device will use locally configured users.
- Authentication for dot1x will use the Radius server.
- Authorisation for network access will also use the Radius server.
- mac-move is permitted so that a user’s notebook, disconnected from one port where it was authenticated, can be connected to some other switch port and be authenticated automatically.
- I configure the Radius server name.
- Radius server IP address and UDP ports. You can skip the ports, those are the default ports. Specify them only if you would like to use non-standard ports. You don’t really want to do that.
- Radius server pre-shared key.
- You set the Radius source address to be Loopback 1 or any other interface with an IP address that you have. This is the IP that needs to be configured on the Radius side as the Radius client IP address. See the previous article on how to do that.
- You enter the Gigabit Ethernet 1/0/1 interface, or any other interface you want to configure with dot1x (or a range of interfaces).
- Give it a description.
- Configure it as an access port.
- If authentication fails, configure this port into VLAN 99 (that is the Guest/Isolated/Internet-only VLAN mentioned above somewhere).
- If authentication does not happen or breaks somehow, like when the client is not dot1x capable, put that device into VLAN 99 too.
- Enables dot1x on that port (this could have been the first command, true!).
- This is mostly the default, but enter it to be sure: it allows EAPOL traffic to pass through the port even while the port is in the unauthenticated state, basically allowing future authentication requests to be received from clients. If it is disabled with “no dot1x pae authenticator”, the port will have dot1x enabled but will block authentication requests, so it will not really work.
- The dot1x tx-period timeout speeds up guests entering VLAN 99. Cisco Catalyst switches by default have tx-period set to 30 seconds and max-reauth-req set to 2. With these default settings, guests in the meeting room connected to a wall Ethernet jack will need to wait 90 seconds to get Internet access. With our config it will take about 10 to 15 seconds.
- You know what spanning-tree portfast is.
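To check that a switch really carries the commands explained above, and to see the tx-period arithmetic worked through, here is a small added audit script (my own example, not code from the article). It parses an IOS-style config and reports missing dot1x commands per interface; the sample config is a constructed copy of the article’s switch configuration trimmed to its dot1x commands, and the 30-second threshold is my own assumption.

```python
import re
# Constructed input: the article's switch config, trimmed to its dot1x commands.
SAMPLE_CONFIG = """dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet1/0/1
 authentication event no-response action authorize vlan 99
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""
GLOBAL_REQUIRED = ("dot1x system-auth-control", "aaa new-model",
                   "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius")
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator",
                 "authentication event no-response action authorize vlan")

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return interfaces

def guest_vlan_delay(port_cmds, tx_period=30, max_reauth_req=2):
    """Seconds before the no-response action fires: max-reauth-req + 1 Identity
    requests spaced tx-period apart (Catalyst defaults 30 s and 2 give 90 s)."""
    for cmd in port_cmds:
        if m := re.match(r"dot1x timeout tx-period (\d+)$", cmd):
            tx_period = int(m.group(1))
        elif m := re.match(r"dot1x max-reauth-req (\d+)$", cmd):
            max_reauth_req = int(m.group(1))
    return tx_period * (max_reauth_req + 1)

def audit(config):
    """Return findings; an empty list means the config follows the recipe."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [f"missing global command: {c}" for c in GLOBAL_REQUIRED if c not in top]
    for name, cmds in parse_interfaces(config).items():
        for req in PORT_REQUIRED:
            if not any(c.startswith(req) for c in cmds):
                findings.append(f"{name}: missing '{req}'")
        if (delay := guest_vlan_delay(cmds)) > 30:  # assumed acceptable guest wait
            findings.append(f"{name}: non-dot1x clients wait {delay} s for the guest VLAN")
    return findings
```

Run `audit(open("running-config.txt").read())` on a saved `show running-config`; every dot1x access port that lacks one of the commands, or still uses the default timers, shows up as a finding.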
2. Radius server
Here’s the NPS policy example for VLAN 55, which is the VLAN ID of our imaginary “Finance” department:
- We name it.
- We add the condition to match only when a user from the Finance department tries to authenticate, and the condition to match only if it is a dot1x request.
- We add the “Smart Card or other certificate” authentication method. It enables EAP-TLS authentication with user or computer certificates. I didn’t remove the less secure authentication methods here, but you can if you wish. Those less secure methods will probably get your users a prompt for domain username and password if something goes wrong with certificate authentication.
- The best part. We set the Radius NPS policy to send VLAN ID 55 as an attribute to the switch if someone from the Finance department authenticates. The switch will use that to place this user’s port in VLAN 55.
Of course, you will repeat these four steps and create additional NPS policies for all your user VLANs/Windows groups.
The only thing you need then is machines that are members of your domain, and a certificate authority installed on your AD server for certificate auto-enrollment of these machines. Ok, they probably already have at least a computer certificate, so we can say you are good to go here.
3. GPO – Group Policy Object configuration
Group Policy will auto-configure all Windows machines that are members of our domain, and users will not even know that something happened.
- We will change the default Wired AutoConfig service setting so that the service starts at every startup.
- We will configure dot1x on the client machines to use user or computer certificates to authenticate.
Here is our GPO settings example:
Please do not forget to set the scope of the GPO so that the GPO object is linked to an OU which contains all your user machines. This GPO is a Computer GPO, that’s why! Also, in the Scope tab, set the security filtering to “Everyone” or to the group containing all user computers, like “Domain Computers”.
Also, do not be afraid: if a computer is configured for dot1x with this GPO, it will work on a non-dot1x port too.
When connected to a non-dot1x port, it will send an EAPOL-Start message, but if the switch does not answer with an Identity request, the computer will simply get the connection and stop trying to authenticate.