Category: Configuration

How to Enable Dot1x – more complex setup for wired network

This one is long. Do not be afraid though; I wrote it to give you the fastest way to deploy functional dot1x at your company HQ without reading even more documentation and searching for all those little timer default settings.

In the article prior to this one I showed you how to set up your environment with simple dot1x and keep it as simple as possible. I will not repeat the part about setting up RADIUS clients on the server side; everything else is here once again, just more complex. Now it is time for a more complex example that will make your implementation work out-of-the-box for end users, so they will probably not even notice that you completed the implementation of a nice but fairly complex network security enhancement.

So, as I said, this is the better way to do it because it is less intrusive: people in the office will start using it without credential prompts popping up on everybody's PC.

What needs to be done:

Here are the steps needed on all systems, so you do not forget any of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.

  1. We will configure the switch for dot1x, but with many more options this time.
  2. We will create a RADIUS NPS policy that lets our Windows machines authenticate using a user or computer certificate. (This lets us skip the boring credential prompts mentioned above.)
    The RADIUS configuration here skips the RADIUS client configuration covered in the previous article about dot1x.
  3. We will set up a new GPO object that automatically configures all PCs for dot1x.

What will we get using dot1x:

This post gives you descriptions of all the options you will need, and the example at the end shows the configuration of all those components together. You will see, it is easy to recognise which command does what. If something is not clear enough, I am fairly quick with my comment replies 😉

Basic

Dot1x allows network access on your wired LAN only to authenticated users or machines. It is also used to authenticate users on the corporate WiFi network, but we will skip that part for now.

Give unauthenticated users Internet access only

Don't be cruel; maybe you have some guests in your meeting room. If they connect and get denied, they will tell you your network jacks are not working and blame you for not doing your job as network admin.

“Hey, the network is not working in the meeting room! Some guests are complaining, it's bad publicity :)”

If a user is not authenticated, the switch port they plugged the cable into does not give them access to the network. There is an option to use the guest VLAN feature together with the basic authentication, so that unauthenticated users still get network access, but only to an isolated or Internet-only VLAN. Cool.
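To show how the three pieces above (switch, RADIUS/NPS, guest VLAN for the meeting room) fit together on the switch side, here is an added example of a Cisco IOS access-port configuration. It is not the configuration from the original post; the NPS address 10.10.0.10, the shared secret, VLAN 10 as the user VLAN, VLAN 99 as the guest VLAN and interface Gi1/0/5 are all assumptions, so adjust them to your environment.

```cisco
! Added example, not the configuration from the original post.
! Assumptions: NPS at 10.10.0.10, shared secret ChangeMe!, user VLAN 10,
! guest VLAN 99, access port Gi1/0/5.
!
! --- Global: AAA towards the NPS RADIUS server ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NPS1
 address ipv4 10.10.0.10 auth-port 1812 acct-port 1813
 key ChangeMe!
!
! Turn 802.1X on globally; without this no port authenticates at all
dot1x system-auth-control
!
! --- Guest VLAN: keep it isolated from the LAN, Internet only ---
vlan 99
 name GUEST-INTERNET-ONLY
!
! --- Access port facing a user / meeting-room jack ---
interface GigabitEthernet1/0/5
 description user jack, dot1x with guest VLAN
 switchport mode access
 switchport access vlan 10
 ! Port stays blocked until the supplicant authenticates
 authentication port-control auto
 dot1x pae authenticator
 ! No EAPOL answer (guest laptop without a supplicant): drop it into VLAN 99
 authentication event no-response action authorize vlan 99
 ! RADIUS unreachable: do not lock the office out, authorize into VLAN 10
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 ! Re-authenticate on the interval NPS returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 ! Timers: the guest VLAN kicks in after (max-reauth-req + 1) * tx-period
 ! seconds; the defaults 2 and 30 s give 90 s, these values give 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Check the result with `show authentication sessions interface GigabitEthernet1/0/5` (the VLAN the client ended up in and the method/state) and `show dot1x all`; `debug radius` shows whether NPS is answering at all. The `server dead` fallback is a deliberate trade-off: it keeps people working when NPS is down, so monitor the RADIUS server rather than relying on that line.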

How to Enable Dot1x authentication for wired clients

If your LAN extends to places where unauthorised people can just plug in and gain access to your protected network, it is time to implement some security on your access switches. The best thing to do is to implement IEEE 802.1X port-based authentication, which enables user/machine authentication and prevents unauthorized devices from bringing an access switch port up when they connect. IEEE 802.1X port-based authentication is usually just called dot1x.

In this article I will show you how to configure some basic dot1x stuff on the switch side. I will also include the Windows machine side of the configuration, as this is something most people presume works out-of-the-box, but of course that is not the case (the Wired AutoConfig service, dot3svc, is not started by default on Windows clients, so there is no 802.1X supplicant on the wired interface until you enable it). The RADIUS server policy is fairly simple, so a screenshot of the policy will get you going. So, as you see, to get dot1x running you need to configure:

INE v5 Full-Scale Practice Lab1 TS GNS3 topology

A few days ago I added an article with the GNS3 topology for the Config section of the newly published INE Routing and Switching Workbook v5 Full-Scale LAB1. Here is now the topology with the starting config of the TS (troubleshooting) section for LAB1.

I will not insert any of my stories here today, as the same kind of article was published before, just with other topology files. If you would like more info, just go to the previous post INE R&Sv5 Workbook Full-Scale Practice Lab1 made in GNS3.

LAB1 TS WBv5


When they throw a Cisco guy to do something with HP networking gear

…There's a nice little PDF to get you through.

UPDATE on 13 Nov 2015:
It was a real pleasure to have Jeff Carell joining in with a comment about an updated version of “HP Networking and Cisco CLI Reference Guide”. Jeff is the author of “Guide to TCP/IP 4th Ed”, a great network fellow and IPv6 enthusiast whose work on informing the community about networking technology is greatly appreciated by the author of this blog. Link is added to the end of the post. Thanks Jeff.

HP is aware that most networking engineers start their learning process in the Cisco Networking Academy. It is the normal course of events if you want to learn networking. Cisco has the very best study materials and a carefully developed syllabus that is both high quality and the most detailed in the world of networking. Not to mention the high reputation that engineers get with Cisco certificates standing by their names.

Cisco CLI

On the other hand, when you look at an average mid-size business customer today, you will probably see that they are mostly concerned about the price and not so much about the feature set and robustness of the IT equipment. And there you have the situation in which the customer decides to go with HP rather than Cisco gear in their communication closet.

INE R&Sv5 Workbook Full-Scale Practice Lab1 made in GNS3

UPDATE on 27 Dec 2016:
This post was updated to include Tom's reply in the comments mentioning opening errors with GNS3 for Mac.
UPDATE on 21 Jul 2015:
This post was updated on 21st of July 2015 with the GNS3 version 1.3.7 INE Full-Scale Practice Lab1 download. Just scroll to the bottom for the download link.


Yesterday INE finally added a Full-Scale LAB to their new CCIE Routing and Switching blueprint v5 workbook.
I realized this morning that you maybe don't want to spend half of your day (like me) configuring this topology in GNS3. Better to just take it from here and start your lab right away.

In my study process over the last year I made almost all my INE labs in GNS3. That way I was able to run the labs for several days in a row without thinking about the money I would spend on rack rentals. Of course, you will still need some rack rentals, particularly for troubleshooting sessions. For troubleshooting you need a preconfigured rack, because if you configure those topologies yourself there is a big chance that you will see the ticket answers, and that defeats the point of the troubleshooting study process.

All my config sessions were done in GNS3, and this one will also be done in GNS3 in the next few days. If you want to save some time and get the topology ready, up and running in a few minutes, you can download it at the end of this article.

INEv5GNS3
