In the previous article, I illustrated what are the dot1x and the benefits related to it. Just to remember that 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
In this post I explain how to configure dot1x in a switch (authenticator) with the best practice suggested by Cisco engineers.
For those who have not read the “802.1x: Introduction and general principles” article, I remember that the authenticator is a network access device (NAD) which provides a data link between the client and the network and can allow or block network traffic between the two, such as an switch or access point.
First of all you need to enable AAA service:
1. Define the radius servers
radius server SRV-Ciscozine-ISE-1 address ipv4 10.10.50.101 auth-port 1645 acct-port 1646 timeout 3 key C1sc0ZiN3 radius server SRV-Ciscozine-ISE-2 address ipv4 10.10.50.102 auth-port 1645 acct-port 1646 timeout 3 key C1sc0ZiN3
Remember: The dot1x plays a crucial role in the network; if the radius server (for instance Cisco ISE server) has some trouble, noone will be authenticated! For that reason, my suggestion is to deploy at least a couple of radius servers as in the example.
Note: In the past the radius server was defined with the command “radius-server host …”). Don’t use it because is deprecated as you see:
Ciscozine(config)#radius-server host 126.96.36.199 key ciscozine-pwd Warning: The CLI will be deprecated soon 'radius-server host 188.8.131.52 key ciscozine ' Please move to 'radius server ' CLI. Ciscozine(config)#
2. Define the radius group
aaa group server radius ISE-RADIUS-GROUP server name SRV-Ciscozine-ISE-1 server name SRV-Ciscozine-ISE-2 ip radius source-interface Vlan50
Note: My suggestion is to define the source interface to avoid the radius requests use a different interface.
Enables the least-outstanding load balancing for the global radius server group:
radius-server load-balance method least-outstanding
3. Define the radius Change of Authorization
The radius Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server such as a Cisco ISE to reinitialize authentication and apply the new policy.
aaa server radius dynamic-author client 10.0.50.101 server-key C1sc0ZiN3 client 10.0.50.102 server-key C1sc0ZiN3
Note: Cisco ISE provides a CoA feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD).
4. AAA radius configuration
Configure authentication to use the radius method list (in this example, ISE-RADIUS-GROUP):
aaa authentication dot1x default group ISE-RADIUS-GROUP
Configure authorization via ISE-RADIUS-GROUP group:
aaa authorization network default group ISE-RADIUS-GROUP
Configure the switch to send accounting information to the radius servers at endpoint session start and end events:
aaa accounting dot1x default start-stop group ISE-RADIUS-GROUP
Configure the switch to send periodic accounting updates for active sessions once every two days (this value is suggested by Cisco engineers):
aaa accounting update newinfo periodic 2880
5. Radius attributes
Radius IETF attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. Below the attributes suggested for Cisco ISE.
Send the Service-Type attribute in the authentication packets, which is important for ISE to distinguish between the different authentication methods:
radius-server attribute 6 on-for-login-auth radius-server attribute 6 support-multiple
Send the IP address of an endpoint to the RADIUS server in the access request:
radius-server attribute 8 include-in-access-req
Include the class attribute in an access request for network access authorization:
radius-server attribute 25 access-request include
Set the MAC address of the endpoint in IETF format in upper case and include information such as phone numbers, IP addresses, and MAC addresses:
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
Vendor-specific attributes (VSAs) are derived from a vendor-specific IETF attribute (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes; that is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26. The newly created attribute is accepted if the user accepts attribute 26.
Enable the NAS to recognize and use both accounting and authentication VSA:
radius-server vsa send authentication
radius-server vsa send accounting
6. Radius server failure detection
Define when the radius server must be marked down:
radius-server dead-criteria time 10 tries 3
Note: In this example the radius server is marked unavailable when it does not respond for 30 seconds (10seconds x 3 tries).
Define how long the radius server remain down (in minutes):
radius-server deadtime 5
Note: Once the deadtime expires, the switch marks the server as up and notifies the registered clients about the state change. If the server is still unreachable after the state is marked as up and if the dead criteria is met, then server is marked as dead again for the deadtime interval.
To enable the automated testing feature for the radius server, use the automate-tester command in radius server configuration mode.
With this practice, the switch sends periodic test authentication messages to the radius server. It looks for a radius response from the server. A success message is not necessary, a failed authentication will suffice, because it shows that the server is alive.
username probe password 123password radius server SRV-Ciscozine-ISE-1 automate-tester username probe idle-time 2 radius server SRV-Ciscozine-ISE-2 automate-tester username probe idle-time 2
Remember: The idle-time is expressed in minutes.
Note: If you want to test a success message you have to use:
username probe password 123password
username probe secret 123password
Why that? Because the NAD must know the password; if you define it with ‘secret’ parameter, the password cannot be decrypted!
Note: To avoid the probe can be used by malicious people, add this command:
username probe autocommand exit
If someone tries to use the “probe” username, the system will automatically execute an “exit” command.
Send an EAPoL success message to the corresponding client when the port fail-opens or fail-closes in the event that none of the radius servers are reachable:
dot1x critical eapol
7. IP Device tracking
The main IP device tracking (IPDT) task is to keep track of connected hosts (association of MAC and IP address). In order to do this, it sends unicast Address Resolution Protocol (ARP) probes with a default interval of 30 seconds; these probes are sent to the MAC address of the host connected on the other side of the link, and use Layer 2 (L2) as the default source the MAC address of the physical interface out of which the ARP goes and a sender IP address of 0.0.0.0, based on the ARP Probe definition listed in RFC 5227.
ip device tracking
Starting Cisco IOS XE Denali 16.1.1 version, the device tracking commands are changed:
device-tracking policy IPDT_RULE tracking enable
The device-tracking policy is effective only when applying the policy to switchport using the following command:
interface GigabitEthernet a/b/c device-tracking attach-policy IPDT_RULE
Remember: It is recommend that you disable device tracking on all trunk ports to avoid MAC flapping. On Cisco IOS, use the command:
ip device tracking maximum 0
It does not truly disable IPDT, but it does limit the number of tracked hosts to zero.
8. Device sensor (optional)
In case your Cisco ISE cluster has the plus license, it is recommended enable these commands that simplifies device profiling.
Enable device sensor globally on the switch:
Use this command to trigger updates to ISE and when the device attributes change:
device-sensor notify all-changes
Configure and apply filters for CDP, LLDP, and DHCP protocols so that only the critical attributes required for identifying the endpoint type reaches ISE.
ip dhcp snooping device-sensor filter-list dhcp list DHCP-LIST option name host-name option name requested-address option name parameter-request-list option name class-identifier option name client-identifier lldp run cdp run device-sensor filter-list lldp list LLDP-LIST tlv name system-name tlv name system-description tlv name system-capabilities device-sensor filter-list cdp list CDP-LIST tlv name device-name tlv name address-type tlv name capabilities-type tlv name version-type tlv name platform-type device-sensor filter-spec dhcp include list DHCP-LIST device-sensor filter-spec lldp include list LLDP-LIST device-sensor filter-spec cdp include list CDP-LIST
Note: Device sensor configuration without a filter list will overload ISE with unnecessary attributes!
9. Enable 802.1X
Enable 802.1X globally on the switch:
Permit endpoints to move from one 802.1X-enabled port to another by running below command; this can happen when there is a device between an authenticated host and port (for instance, an IP Phone):
authentication mac-move permit
Note: If MAC move is disabled and an authenticated host moves to another port, it is not reauthenticated and a violation error occurs. MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
Set up standard logging functions on the switch to support possible troubleshooting/recording for Cisco ISE functions:
To enable session monitoring on ports where dot1x are not present:
access-session template monitor
10. Show commands
Displays 802.1x status for all interfaces:
show dot1x all
Displays status and number of packets that are sent to and received from all AAA servers:
show aaa servers
Displays entries in the ip device tracking table:
show ip device tracking all
Starting Cisco IOS XE Denali 16.1.1 the command is:
show device-tracking database
Some debug commands in order to troubleshoot the configuration:
debug dot1x all
debug authentication all
debug aaa authentication
debug aaa authorization
In the next article, I’ll explain how to configure and enable dot1x on physical interfaces.
Remember: All these commands are tested on a 2960x with 15.2 release. Some commands may differ on XE or different IOS release.