802.1X Deployment Guide: Global configuration

In the previous article, I illustrated what are the dot1x and the benefits related to it. Just to remember that 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

In this post I explain how to configure dot1x in a switch (authenticator) with the best practice suggested by Cisco engineers.

For those who have not read the “802.1x: Introduction and general principles” article, I remember that the authenticator is a network access device (NAD) which provides a data link between the client and the network and can allow or block network traffic between the two, such as an switch or access point.

First of all you need to enable AAA service:

aaa new-model

1. Define the radius servers

radius server SRV-Ciscozine-ISE-1
  address ipv4 10.10.50.101 auth-port 1645 acct-port 1646
  timeout 3
  key C1sc0ZiN3

radius server SRV-Ciscozine-ISE-2
  address ipv4 10.10.50.102 auth-port 1645 acct-port 1646
  timeout 3
  key C1sc0ZiN3

Remember: The dot1x plays a crucial role in the network; if the radius server (for instance Cisco ISE server) has some trouble, noone will be authenticated! For that reason, my suggestion is to deploy at least a couple of radius servers as in the example.

Note: In the past the radius server was defined with the command “radius-server host …”). Don’t use it because is deprecated as you see:

Ciscozine(config)#radius-server host 1.2.3.34 key ciscozine-pwd
  Warning: The CLI will be deprecated soon
  'radius-server host 1.2.3.34 key ciscozine '
  Please move to 'radius server ' CLI.
Ciscozine(config)#

2. Define the radius group

aaa group server radius ISE-RADIUS-GROUP
  server name SRV-Ciscozine-ISE-1
  server name SRV-Ciscozine-ISE-2
  ip radius source-interface Vlan50

Note: My suggestion is to define the source interface to avoid the radius requests use a different interface.

Enables the least-outstanding load balancing for the global radius server group:

radius-server load-balance method least-outstanding

3. Define the radius Change of Authorization

The radius Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server such as a Cisco ISE to reinitialize authentication and apply the new policy.

aaa server radius dynamic-author
  client 10.0.50.101 server-key C1sc0ZiN3
  client 10.0.50.102 server-key C1sc0ZiN3

Note: Cisco ISE provides a CoA feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD).

4. AAA radius configuration

Configure authentication to use the radius method list (in this example, ISE-RADIUS-GROUP):

aaa authentication dot1x default group ISE-RADIUS-GROUP

Configure authorization via ISE-RADIUS-GROUP group:

aaa authorization network default group ISE-RADIUS-GROUP

Configure the switch to send accounting information to the radius servers at endpoint session start and end events:

aaa accounting dot1x default start-stop group ISE-RADIUS-GROUP

Configure the switch to send periodic accounting updates for active sessions once every two days (this value is suggested by Cisco engineers):

aaa accounting update newinfo periodic 2880

5. Radius attributes

Radius IETF attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. Below the attributes suggested for Cisco ISE.

Send the Service-Type attribute in the authentication packets, which is important for ISE to distinguish between the different authentication methods:

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple

Send the IP address of an endpoint to the RADIUS server in the access request:

radius-server attribute 8 include-in-access-req

Include the class attribute in an access request for network access authorization:

radius-server attribute 25 access-request include

Set the MAC address of the endpoint in IETF format in upper case and include information such as phone numbers, IP addresses, and MAC addresses:

radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only

Vendor-specific attributes (VSAs) are derived from a vendor-specific IETF attribute (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes; that is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26. The newly created attribute is accepted if the user accepts attribute 26.

Enable the NAS to recognize and use both accounting and authentication VSA:

radius-server vsa send authentication
radius-server vsa send accounting

6. Radius server failure detection

Define when the radius server must be marked down:

radius-server dead-criteria time 10 tries 3

Note: In this example the radius server is marked unavailable when it does not respond for 30 seconds (10seconds x 3 tries).

Define how long the radius server remain down (in minutes):

radius-server deadtime 5

Note: Once the deadtime expires, the switch marks the server as up and notifies the registered clients about the state change. If the server is still unreachable after the state is marked as up and if the dead criteria is met, then server is marked as dead again for the deadtime interval.

To enable the automated testing feature for the radius server, use the automate-tester command in radius server configuration mode.

With this practice, the switch sends periodic test authentication messages to the radius server. It looks for a radius response from the server. A success message is not necessary, a failed authentication will suffice, because it shows that the server is alive.

username probe password 123password

radius server SRV-Ciscozine-ISE-1
  automate-tester username probe idle-time 2

radius server SRV-Ciscozine-ISE-2
  automate-tester username probe idle-time 2

Remember: The idle-time is expressed in minutes.

Note: If you want to test a success message you have to use:

username probe password 123password

and not

username probe secret 123password

Why that? Because the NAD must know the password; if you define it with ‘secret’ parameter, the password cannot be decrypted!

Note: To avoid the probe can be used by malicious people, add this command:

username probe autocommand exit

If someone tries to use the “probe” username, the system will automatically execute an “exit” command.

Send an EAPoL success message to the corresponding client when the port fail-opens or fail-closes in the event that none of the radius servers are reachable:

dot1x critical eapol

7. IP Device tracking

The main IP device tracking (IPDT) task is to keep track of connected hosts (association of MAC and IP address). In order to do this, it sends unicast Address Resolution Protocol (ARP) probes with a default interval of 30 seconds; these probes are sent to the MAC address of the host connected on the other side of the link, and use Layer 2 (L2) as the default source the MAC address of the physical interface out of which the ARP goes and a sender IP address of 0.0.0.0, based on the ARP Probe definition listed in RFC 5227.

ip device tracking

Starting Cisco IOS XE Denali 16.1.1 version, the device tracking commands are changed:

device-tracking policy IPDT_RULE
  tracking enable

The device-tracking policy is effective only when applying the policy to switchport using the following command:

interface GigabitEthernet a/b/c
  device-tracking attach-policy IPDT_RULE

Remember: It is recommend that you disable device tracking on all trunk ports to avoid MAC flapping. On Cisco IOS, use the command:

ip device tracking maximum 0

It does not truly disable IPDT, but it does limit the number of tracked hosts to zero.

8. Device sensor (optional)

In case your Cisco ISE cluster has the plus license, it is recommended enable these commands that simplifies device profiling.

Enable device sensor globally on the switch:

device-sensor accounting

Use this command to trigger updates to ISE and when the device attributes change:

device-sensor notify all-changes

Configure and apply filters for CDP, LLDP, and DHCP protocols so that only the critical attributes required for identifying the endpoint type reaches ISE.

ip dhcp snooping

device-sensor filter-list dhcp list DHCP-LIST
  option name host-name
  option name requested-address
  option name parameter-request-list
  option name class-identifier
  option name client-identifier

lldp run
cdp run

device-sensor filter-list lldp list LLDP-LIST
  tlv name system-name
  tlv name system-description
  tlv name system-capabilities

device-sensor filter-list cdp list CDP-LIST
  tlv name device-name
  tlv name address-type
  tlv name capabilities-type
  tlv name version-type
  tlv name platform-type

device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST

Note: Device sensor configuration without a filter list will overload ISE with unnecessary attributes!

9. Enable 802.1X

Enable 802.1X globally on the switch:

dot1x system-auth-control

Permit endpoints to move from one 802.1X-enabled port to another by running below command; this can happen when there is a device between an authenticated host and port (for instance, an IP Phone):

authentication mac-move permit

Note: If MAC move is disabled and an authenticated host moves to another port, it is not reauthenticated and a violation error occurs. MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.

Set up standard logging functions on the switch to support possible troubleshooting/recording for Cisco ISE functions:

epm logging

To enable session monitoring on ports where dot1x are not present:

access-session template monitor

10. Show commands

Displays 802.1x status for all interfaces:

show dot1x all

Displays status and number of packets that are sent to and received from all AAA servers:

show aaa servers

Displays entries in the ip device tracking table:

show ip device tracking all

Starting Cisco IOS XE Denali 16.1.1 the command is:

show device-tracking database

11. Troubleshoot

Some debug commands in order to troubleshoot the configuration:

debug dot1x all
debug authentication all
debug aaa authentication
debug aaa authorization
debug radius

In the next article, I’ll explain how to configure and enable dot1x on physical interfaces.

Remember: All these commands are tested on a 2960x with 15.2 release. Some commands may differ on XE or different IOS release.

References: