802.1X Authentication for Wireless and Wired Connections: Difference between revisions

From ITCwiki
Jump to navigation Jump to search
(802.1X Authentication for Wireless and Wired Access - CNT2831 Project Spring 2012)
 
No edit summary
Line 1: Line 1:
802.1X Authentication for  Wireless and Wired Connections
=802.1X Authentication for  Wireless and Wired Connections=
Description
 
==Description==
The project demonstrates Radius authentication for three types of access.
The project demonstrates Radius authentication for three types of access.
VTY and Console access to Cisco IOS devices, specifically a 3550 switch
* VTY and Console access to Cisco IOS devices, specifically a 3550 switch
User authentication for access at wired ports
* User authentication for access at wired ports
User authentication for wireless access
* User authentication for wireless access
 
The project integrates the CCNA Wireless class with the CCNA Security class.  The project also demonstrates that Cisco wireless could be configured for WPA-2 encryption with 802.1X authentication.
The project integrates the CCNA Wireless class with the CCNA Security class.  The project also demonstrates that Cisco wireless could be configured for WPA-2 encryption with 802.1X authentication.


Participants:
Participants:
Greg Polanski
* Greg Polanski
Mark Benolken  
* Mark Benolken  
802.1X Basics
 
==802.1X Basics==
802.1X authentication has 3 components.
802.1X authentication has 3 components.
Supplicant.  The supplicant is the device that wants to attach to the WLAN or LAN.  The phrase, supplicant, is also used to describe the software in the Windows laptop/desktop that provides authentication credentials.   
* '''Supplicant.''' The supplicant is the device that wants to attach to the WLAN or LAN.  The phrase, supplicant, is also used to describe the software in the Windows laptop/desktop that provides authentication credentials.   
Authenticator.  Device that controls access to the network.  The authenticator queries the supplicant for credentials and passes the credentials to the authentication server for verification.  The switch is the authenticator for wired access points.  The Wireless LAN Controller (WLC) is the authenticator for wireless access.
* '''Authenticator.''' Device that controls access to the network.  The authenticator queries the supplicant for credentials and passes the credentials to the authentication server for verification.  The switch is the authenticator for wired access points.  The Wireless LAN Controller (WLC) is the authenticator for wireless access.
Authentication Server.  The authentication server validates the credentials.  The authentication server is TekRADIUS LT on a Windows 7 laptop.   
* '''Authentication Server.''' The authentication server validates the credentials.  The authentication server is TekRADIUS LT on a Windows 7 laptop.   


The Windows supplicant interacts with the Radius server in two ways, with and without a certificate.  The interaction is determined by the “Validate Server Certificate” setting in the “Protected EAP Properties” window.  
The Windows supplicant interacts with the Radius server in two ways, with and without a certificate.  The interaction is determined by the “Validate Server Certificate” setting in the “Protected EAP Properties” window.  
Certificate.  If the “Validate Server Certificate” setting is checked, the Windows supplicant uses a certificate as part of the credential exchange with the Radius Server.  In a corporate environment, this certificate can be pushed to the corporate laptops.  In this project, a self signed certificate was created on the radius server and was copied to the laptop.
* Certificate.  If the “Validate Server Certificate” setting is checked, the Windows supplicant uses a certificate as part of the credential exchange with the Radius Server.  In a corporate environment, this certificate can be pushed to the corporate laptops.  In this project, a self signed certificate was created on the radius server and was copied to the laptop.
No Certificate.  If the “Validate Server Certificate” setting is clear, the Windows supplicant does not use the certificate as part of the credential interaction.
* No Certificate.  If the “Validate Server Certificate” setting is clear, the Windows supplicant does not use the certificate as part of the credential interaction.


Demonstration
==Demonstration==
The demonstration consisted of the following activities.
The demonstration consisted of the following activities.
Windows 7 connection to Wireless Data SSID with username and password authentication
* Windows 7 connection to Wireless Data SSID with username and password authentication
Windows 7 connection to Wired Data VLAN with username and password authentication
* Windows 7 connection to Wired Data VLAN with username and password authentication
Windows XP connection to Wireless Data SSID with username and password authentication
* Windows XP connection to Wireless Data SSID with username and password authentication
Windows XP connection to Wired Data VLAN with username and password authentication
* Windows XP connection to Wired Data VLAN with username and password authentication
Ssh connection to 3550 Switch with radius authentication
* Ssh connection to 3550 Switch with radius authentication


The Windows configuration for 802.1X authentication required the following activities.
The Windows configuration for 802.1X authentication required the following activities.
Enabling authentication in the wireless network definition.  Two options were explored.
* Enabling authentication in the wireless network definition.  Two options were explored.
o Using a certificate between the laptop and the radius server
** Using a certificate between the laptop and the radius server
o Not using a certificate between the laptop and the radius server
** Not using a certificate between the laptop and the radius server
Enabling 802.1X authentication on the wired interface
* Enabling 802.1X authentication on the wired interface


Configuration
==Configuration==
The projected used the following equipment.  
The projected used the following equipment.  
Cisco 2811 Router with Wireless LAN Controller module
* Cisco 2811 Router with Wireless LAN Controller module
Cisco 3550 POE Switch with Layer 2 and Layer 3 capabilities
* Cisco 3550 POE Switch with Layer 2 and Layer 3 capabilities
Cisco 1242 Wireless Access Point
* Cisco 1242 Wireless Access Point
Windows 7 and Windows XP laptops
* Windows 7 and Windows XP laptops
 
The router hosted the wireless controller and provided DHCP services both to the wired and wireless VLANs. The router used EIGRP and connected to the switch via a layer 3 link (172.16.252.0/30).  The 3550 switch provided power to the access point, access control on the wired ports, and relayed DHCP requests to the router.  
The router hosted the wireless controller and provided DHCP services both to the wired and wireless VLANs. The router used EIGRP and connected to the switch via a layer 3 link (172.16.252.0/30).  The 3550 switch provided power to the access point, access control on the wired ports, and relayed DHCP requests to the router.  
   
   
Windows 7 Laptop
===Windows 7 Laptop===
Wireless access has several selections for authentication and encryption  Three examples are shown below.  One goal of this project was to identify the end user differences when using alternate connection techniques.
Wireless access has several selections for authentication and encryption  Three examples are shown below.  One goal of this project was to identify the end user differences when using alternate connection techniques.
Open.  No Encryption, No Authentication
* Open.  No Encryption, No Authentication
WPA2-PSK.  Encryption, with authentication based upon a fixed password
* WPA2-PSK.  Encryption, with authentication based upon a fixed password
WPA2-Enterprise.  Encryption with authentication based upon credentials that are unique to the individual.
* WPA2-Enterprise.  Encryption with authentication based upon credentials that are unique to the individual.
Open.  Most public Wifi hotspots, such as hotspots at coffee shops and public libraries are open.  At Inver Hills CC, the SSID, ihcc, is open.  The laptop detects the SSID and the owner clicks “Connect”, and the laptop is on the network.  The SafeConnect web page is accessible only after the wireless connection is complete.  All wireless traffic is not encrypted and can be snooped by others within radio range.
 
WPA2-PSK.  WPA2-PSK is common in the home environment.  A pre-shared key is set in the laptop and the wireless access point.  The laptop owner must define the wireless network and set the key.  An example of the configuration screen follows.   
'''Open.''' Most public Wifi hotspots, such as hotspots at coffee shops and public libraries are open.  At Inver Hills CC, the SSID, ihcc, is open.  The laptop detects the SSID and the owner clicks “Connect”, and the laptop is on the network.  The SafeConnect web page is accessible only after the wireless connection is complete.  All wireless traffic is not encrypted and can be snooped by others within radio range.
   
 
'''WPA2-PSK.''' WPA2-PSK is common in the home environment.  A pre-shared key is set in the laptop and the wireless access point.  The laptop owner must define the wireless network and set the key.  An example of the configuration screen follows.   
 
'''WPA2-Enterprise.'''  The WPA2-Enterprise uses authentication that is unique to the individual. In a corporate environment using Active Directory, the laptop and then the user authenticates to the wireless using AD credentials.  The wireless controller checks the credentials via a Radius or TACACS+ server against AD.  In a corporate environment, authentication can be seamless since the wireless configuration and authentication certificate can be pushed to the laptop when it is configured and the laptop caches the user’s AD credentials.


WPA2-Enterprise.  The WPA2-Enterprise uses authentication that is unique to the individual.  In a corporate environment using Active Directory, the laptop and then the user authenticates to the wireless using AD credentials.  The wireless controller checks the credentials via a Radius or TACACS+ server against AD.  In a corporate environment, authentication can be seamless since the wireless configuration and authentication certificate can be pushed to the laptop when it is configured and the laptop caches the user’s AD credentials.
In an environment where the end user owns the laptop, the wireless network must be configured.
In an environment where the end user owns the laptop, the wireless network must be configured.
Wireless Network Configuration  
 
====Wireless Network Configuration====
 
When using encryption and authentication, the wireless network must be defined on the laptop.  The following screen shots focus on authentication.  The wireless network definition begins with “Set up a new connection or network” or “Manage wireless networks” on the “Network and Sharing Center” screen.
When using encryption and authentication, the wireless network must be defined on the laptop.  The following screen shots focus on authentication.  The wireless network definition begins with “Set up a new connection or network” or “Manage wireless networks” on the “Network and Sharing Center” screen.
Define the SSID name, the security, the encryption, and whether the connection should be automatic.  The SSID is “Data”.
Define the SSID name, the security, the encryption, and whether the connection should be automatic.  The SSID is “Data”.


Confirm the settings.
Confirm the settings.


Select the “Security” tab to configure the authentication.  Protected EAP (PEAP) is the correct setting.  Click on “Settings” to reach the next screen.
Select the “Security” tab to configure the authentication.  Protected EAP (PEAP) is the correct setting.  Click on “Settings” to reach the next screen.


The check box, “Validate server certificate”, affects how the laptop supplicant interacts with the Radius server.  If the box is checked, the laptop must have a certificate from the Radius server.  The authentication credentials can be read only by the known Radius server.  If the laptop authenticates, the radius server is trusted, which means the access point and network are trusted.  No one can setup an “evil twin” access point that looks like a production AP and fool the laptop.  The cost is that the certificate must be installed on the laptop.
The check box, “Validate server certificate”, affects how the laptop supplicant interacts with the Radius server.  If the box is checked, the laptop must have a certificate from the Radius server.  The authentication credentials can be read only by the known Radius server.  If the laptop authenticates, the radius server is trusted, which means the access point and network are trusted.  No one can setup an “evil twin” access point that looks like a production AP and fool the laptop.  The cost is that the certificate must be installed on the laptop.
The example shows the configuration where a certificate is not needed, since the checkbox is clear.  Clear the Fast Reconnect check box unless you are using cached credentials.  Click “Configure …” to go to the next screen.
The example shows the configuration where a certificate is not needed, since the checkbox is clear.  Clear the Fast Reconnect check box unless you are using cached credentials.  Click “Configure …” to go to the next screen.


The following popup determines if a authentication popup appears.  If the windows login on the laptop uses the same name and password that is needed for wireless authentication, check the box.  The credentials will be passed to the access point automatically.  In a corporate environment with AD, the box is checked so authentication to the wireless is automatic.
The following popup determines if a authentication popup appears.  If the windows login on the laptop uses the same name and password that is needed for wireless authentication, check the box.  The credentials will be passed to the access point automatically.  In a corporate environment with AD, the box is checked so authentication to the wireless is automatic.


If the checkbox is clear, the following popup will appear so the user can enter the userame and password directly.
If the checkbox is clear, the following popup will appear so the user can enter the userame and password directly.
   
   
References
=====References=====
http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication
* http://windows.microsoft.com/en-US/windows-vista/Enable-802-1X-authentication
http://www.globalknowledge.ae/knowledge%20centre/white%20papers/networking%20%20wireless/wpa2%20security%20choosing%20the%20ri.aspx
* http://www.globalknowledge.ae/knowledge%20centre/white%20papers/networking%20%20wireless/wpa2%20security%20choosing%20the%20ri.aspx
Wired Configuration
 
====Wired Configuration====
802.1X authentication for a wired connection begins with starting the service on the system.  The services screen is reached through the command, “services.msc”.  Here the command is typed in the Run window.
802.1X authentication for a wired connection begins with starting the service on the system.  The services screen is reached through the command, “services.msc”.  Here the command is typed in the Run window.
   
   
Line 90: Line 96:
   
   


Enable the 802.1X authentication.
=====Enable the 802.1X authentication.=====
   
   


Line 99: Line 105:
   
   


Windows XP Laptop
===Windows XP Laptop===
The wireless and wired configuration steps for a Windows XP laptop is similar to the effort for Windows 7.  Windows XP caches the credentials in the registry.  The activity to clear the credentials is documented in http://support.microsoft.com/kb/823731
The wireless and wired configuration steps for a Windows XP laptop is similar to the effort for Windows 7.  Windows XP caches the credentials in the registry.  The activity to clear the credentials is documented in http://support.microsoft.com/kb/823731
References
====References====
http://en.wikipedia.org/wiki/IEEE_802.1X
* http://en.wikipedia.org/wiki/IEEE_802.1X
http://www.networkworld.com/news/2010/0506whatisit.html
* http://www.networkworld.com/news/2010/0506whatisit.html
801.2X With A Certificate
 
===801.2X With A Certificate===
The wireless authentication was also tested with a certificate.  The activities included the following.
The wireless authentication was also tested with a certificate.  The activities included the following.
Downloading and installing TekCERT from http://www.tekradius.com/release/tekcert.zip.   
* Downloading and installing TekCERT from http://www.tekradius.com/release/tekcert.zip.   
Creating a self-signed certificate
* Creating a self-signed certificate
Exporting the certificate in .pfx format.  See http://www.yasinkaplan.com/tekcert.asp
* Exporting the certificate in .pfx format.  See http://www.yasinkaplan.com/tekcert.asp
Importing the certificate on the laptop
* Importing the certificate on the laptop
 
The configuration setting on the laptop was checking “Validate server certificate” in the “Protected EAP Properties” window.   
The configuration setting on the laptop was checking “Validate server certificate” in the “Protected EAP Properties” window.   
The User or the Group must be configured to use the certificate in the TekRADIUS server. The certificate is part of the group setting, below.  Alternatively, the setting could be a user configuration. The screen image is in the TekRADIUS configuration section.
The User or the Group must be configured to use the certificate in the TekRADIUS server. The certificate is part of the group setting, below.  Alternatively, the setting could be a user configuration. The screen image is in the TekRADIUS configuration section.
TekRADIUS References
 
http://tekradius.com/
====TekRADIUS References====
http://tekradius.com/support.html
* http://tekradius.com/
http://tekradius.com/Docs/Manual.pdf
* http://tekradius.com/support.html
http://www.yasinkaplan.com/tekcert.asp
* http://tekradius.com/Docs/Manual.pdf
Cisco Switch Configuration
* http://www.yasinkaplan.com/tekcert.asp
 
==Cisco Switch Configuration==
The configuration statements for the 3550 switch follow.  The authentication sections for VTY and console access are identical in the switch and the router.
The configuration statements for the 3550 switch follow.  The authentication sections for VTY and console access are identical in the switch and the router.
Authentication
 
===Authentication==
Authentication for the data ports, vty access, and the console port is enabled through the commands, below.  AAA is enabled.  Console and vty login is authenticated through radius.  When the radius server is not accessible, local user authentication is used.  The radius server uses ports 1812 and 1813 for authentication and accounting.  The dot1x command enables dot1x access control on the data ports.  
Authentication for the data ports, vty access, and the console port is enabled through the commands, below.  AAA is enabled.  Console and vty login is authenticated through radius.  When the radius server is not accessible, local user authentication is used.  The radius server uses ports 1812 and 1813 for authentication and accounting.  The dot1x command enables dot1x access control on the data ports.  
aaa new-model


aaa authentication login default group radius local
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius local
aaa authentication dot1x default group radius
 
radius-server host 172.16.106.11 auth-port 1812 acct-port 1813 key WinRadius
dot1x system-auth-control


radius-server host 172.16.106.11 auth-port 1812 acct-port 1813 key WinRadius
===Data Ports===
The configuration for the data ports is below. The global configuration command enables BPDUguard on all portfast ports. If a switch is connected to any port, the port will change to an error disabled stated.  This also prevents loops if a user connects two switch ports together.


dot1x system-auth-control
Data Ports
The configuration for the data ports is below.  The global configuration command enables BPDUguard on all portfast ports.  If a switch is connected to any port, the port will change to an error disabled stated.  This also prevents loops if a user connects two switch ports together.
The switchport commands set the port to access mode and define the data and voice vlans.
The switchport commands set the port to access mode and define the data and voice vlans.
Three dot1x commands are shown.  When the configuration command, “dot1x port-control auto”, was added, the IOS automatically added the other commands.  The phrase, “dot1x pae authenticator”, assures authentication in legacy configurations.  The “dot1x violation-mode protect” command means that connecting systems that fail authentication will be quietly blocked.  The word, protect, means that no log messages nor SNMP traps will be generated.
Three dot1x commands are shown.  When the configuration command, “dot1x port-control auto”, was added, the IOS automatically added the other commands.  The phrase, “dot1x pae authenticator”, assures authentication in legacy configurations.  The “dot1x violation-mode protect” command means that connecting systems that fail authentication will be quietly blocked.  The word, protect, means that no log messages nor SNMP traps will be generated.
One option that is not shown is a “guest” vlan.  The interface configuration statement, “dot1x guest-vlan 20”, would assign the device to vlan 20.  This vlan is assumed to have limited access.
One option that is not shown is a “guest” vlan.  The interface configuration statement, “dot1x guest-vlan 20”, would assign the device to vlan 20.  This vlan is assumed to have limited access.
In production, Quality of Service should be added to the configuration to support IP Phones.  QoS is not shown since the project focus was 802.1X authentication.
In production, Quality of Service should be added to the configuration to support IP Phones.  QoS is not shown since the project focus was 802.1X authentication.
spanning-tree portfast bpduguard default


interface FastEthernet0/1
spanning-tree portfast bpduguard default
description End user data ports
switchport access vlan 110
interface FastEthernet0/1
switchport voice vlan 111
  description End user data ports
switchport mode access
  switchport access vlan 110
  switchport voice vlan 111
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  dot1x violation-mode protect
  spanning-tree portfast
!


dot1x pae authenticator
===References===
dot1x port-control auto
* http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html#wp1049580
dot1x violation-mode protect
* http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swstpopt.html
* http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_8021x.html
* http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6807/prod_white_paper0900aecd805a5ab5.html


spanning-tree portfast
===Wireless Access Point Port===


!
References
• http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html#wp1049580
• http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swstpopt.html
• http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_8021x.html
• http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6807/prod_white_paper0900aecd805a5ab5.html
Wireless Access Point Port
The switch port that is assigned to the wireless access point is does not require 802.1X authentication.  The “force-authorized” phrase means that the port is enabled.  
The switch port that is assigned to the wireless access point is does not require 802.1X authentication.  The “force-authorized” phrase means that the port is enabled.  
interface FastEthernet0/23
description Wireless Access Point
switchport access vlan 110
switchport mode access
spanning-tree portfast


  dot1x port-control force-authorized
  interface FastEthernet0/23
  description Wireless Access Point
  switchport access vlan 110
  switchport mode access
  spanning-tree portfast
  dot1x port-control force-authorized


The port can be constrained to support ONLY the wireless access point through the following statements.  The default mode is to shut down the port if a violation occurs.
The port can be constrained to support ONLY the wireless access point through the following statements.  The default mode is to shut down the port if a violation occurs.
switchport port-security maximum 1
 
switchport port-security mac-address sticky
switchport port-security maximum 1
Radius Server Port
switchport port-security mac-address sticky
 
===Radius Server Port===
The switch port that is assigned to the radius server does not require 802.1X authentication.  The “force-authorized” phrase means that the port is enabled.  Switchport port-security statements could be used to permit only the radius server at this port.
The switch port that is assigned to the radius server does not require 802.1X authentication.  The “force-authorized” phrase means that the port is enabled.  Switchport port-security statements could be used to permit only the radius server at this port.
interface FastEthernet0/22
description Radius Server
switchport access vlan 110
switchport mode access
spanning-tree portfast


  dot1x port-control force-authorized
  interface FastEthernet0/22
  description Radius Server
  switchport access vlan 110
  switchport mode access
  spanning-tree portfast
  dot1x port-control force-authorized


Logging
===Logging===
Logging on the switch and router was configured as follows. The “localtime” phrase configures the logging service and console to display a clock and calendar  based time rather than the delta time since the device boot.  The devices are set to US/Central timezone.
Logging on the switch and router was configured as follows. The “localtime” phrase configures the logging service and console to display a clock and calendar  based time rather than the delta time since the device boot.  The devices are set to US/Central timezone.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime


logging trap 6
service timestamps debug datetime msec localtime
logging 172.16.106.11
service timestamps log datetime msec localtime
logging trap 6
logging 172.16.106.11


Routing
===Routing===
The 3550 switch was configured with a layer 3 connection to the router.  The command, “no switchport”, set port 24 to communicate on layer 3.  All data ports were configured as EIGRP passive ports to suppress EIGRP routing traffic on the ports.
The 3550 switch was configured with a layer 3 connection to the router.  The command, “no switchport”, set port 24 to communicate on layer 3.  All data ports were configured as EIGRP passive ports to suppress EIGRP routing traffic on the ports.
ip routing
interface FastEthernet0/24
description Connect to 2811 Router port fa 0/1
no switchport
ip address 172.16.252.2 255.255.255.252


ip routing
interface FastEthernet0/24
  description Connect to 2811 Router port fa 0/1
  no switchport
  ip address 172.16.252.2 255.255.255.252
router eigrp 10
  passive-interface default
  no passive-interface FastEthernet0/24
  network 172.16.0.0
  network 172.17.0.0
!
ip classless


router eigrp 10
===VTY Access===
passive-interface default
no passive-interface FastEthernet0/24
network 172.16.0.0
network 172.17.0.0
!
ip classless
VTY Access
Vty  and console access uses radius authentication since the “… login default …” configuration is defined.  Local authentication, which checks user names that are defined on the switch or router, is used only if the radius server does not respond.  The transport command mandates that only ssh is used for remote access.
Vty  and console access uses radius authentication since the “… login default …” configuration is defined.  Local authentication, which checks user names that are defined on the switch or router, is used only if the radius server does not respond.  The transport command mandates that only ssh is used for remote access.
aaa authentication login default group radius local


line con 0
  aaa authentication login default group radius local
  session-timeout 30
exec-timeout 20 0
logging synchronous
   
   
line vty 0 4
line con 0
session-timeout 30  
  session-timeout 30
logging synchronous
  exec-timeout 20 0
transport input ssh
  logging synchronous
 
line vty 0 4
  session-timeout 30  
  logging synchronous
  transport input ssh
 
==Router Configuration==


Router Configuration
===Router – Switch Link===
Router – Switch Link
The router and switch were connected at Layer 3.  Router interface FastEtherenet 0/1 was connected to switch port FastEthernet 0/24.  Both devices used EIGRP.
The router and switch were connected at Layer 3.  Router interface FastEtherenet 0/1 was connected to switch port FastEthernet 0/24.  Both devices used EIGRP.
interface FastEthernet0/1
description Connect to 3560 POE Switch (usually port fa 0/24)
ip address 172.16.252.1 255.255.255.252
duplex auto
speed auto
!


router eigrp 10
interface FastEthernet0/1
network 172.16.0.0
  description Connect to 3560 POE Switch (usually port fa 0/24)
network 172.17.0.0
  ip address 172.16.252.1 255.255.255.252
no auto-summary
  duplex auto
!
  speed auto
DHCP
!
router eigrp 10
  network 172.16.0.0
  network 172.17.0.0
  no auto-summary
!
 
===DHCP===
The router, switch, and wireless controller used  the following VLANs and addresses.
The router, switch, and wireless controller used  the following VLANs and addresses.
VLAN Network Description
 
100 172.16.100.0/24 WLC Access Point Management
{|
110 172.16.106.0/24 Wired Data  
|-
111 172.17.106.0/24 Wired Voice  
!| VLAN || Network || Description
112 172.16.116.0/124 Wireless Data  
|-
113 172.17.116.0/24 Wireless Voice
| 100 || 172.16.100.0/24 || WLC Access Point Management
114 172.16.126.0/24 Wireless Guest
|-
172.16.252.0/30 Router/Switch L3 network
| 110 || 172.16.106.0/24 || Wired Data  
172.16.1.1/24 WLC Interface  
|-
172.16.106.11 Radius Server
| 111 || 172.17.106.0/24 || Wired Voice  
Syslog Server
|-
| 112 || 172.16.116.0/24 || Wireless Data  
|-
| 113 || 172.17.116.0/24 || Wireless Voice
|-
| 114 || 172.16.126.0/24 || Wireless Guest
|-
|  || 172.16.252.0/30 || Router/Switch L3 network
|-
|  || 172.16.1.1/24 || WLC Interface  
|-
|  || 172.16.106.11 || Radius Server
|}
 
===Syslog Server===


The router was configured as the DHCP server for both the wired and wireless VLANs.  One benefit is that all DHCP definitions are one location.  The configuration also emulates a production environment that uses a centralized DHCP server.
The router was configured as the DHCP server for both the wired and wireless VLANs.  One benefit is that all DHCP definitions are one location.  The configuration also emulates a production environment that uses a centralized DHCP server.
The “excluded-address” statements identify addresses that are not part of DHCP and may be statically assigned.  One example is the switch’s management address, 172.16.106.5. The “AP Management” pool is not really used, but it sets aside addresses for use in the WLAN controller.  
The “excluded-address” statements identify addresses that are not part of DHCP and may be statically assigned.  One example is the switch’s management address, 172.16.106.5. The “AP Management” pool is not really used, but it sets aside addresses for use in the WLAN controller.  
Option 43 is used by the wireless access point to find the controller. The first 16 bits, f104, is a fixed value the must be part of the definition.  The last 32 bits, ac10.6464, is the hexadecimal representation of the address, 172.16.100.100.  This is the address in the wireless controller that responds to the access points.  Option 60 limits option 43 to DHCP clients that are the Cisco 1242 access points.  Option 150 in the Voice VLAN is the address of the TFTP server for CME or CUCM.
Option 43 is used by the wireless access point to find the controller. The first 16 bits, f104, is a fixed value the must be part of the definition.  The last 32 bits, ac10.6464, is the hexadecimal representation of the address, 172.16.100.100.  This is the address in the wireless controller that responds to the access points.  Option 60 limits option 43 to DHCP clients that are the Cisco 1242 access points.  Option 150 in the Voice VLAN is the address of the TFTP server for CME or CUCM.
The last DHCP pool shows how to assign a specific address to a device.  The DHCP pool is just one address, which is specified by the “host” statement.  The client identifier phrase specifies the MAC address where with theprepended byte, 0x01.  This is the same format as displayed for the command, “show ip dhcp binding”.  172.16.106.11 is the laptop that is running the Radius server.
The last DHCP pool shows how to assign a specific address to a device.  The DHCP pool is just one address, which is specified by the “host” statement.  The client identifier phrase specifies the MAC address where with theprepended byte, 0x01.  This is the same format as displayed for the command, “show ip dhcp binding”.  172.16.106.11 is the laptop that is running the Radius server.


ip dhcp excluded-address 172.16.106.1 172.16.106.10
ip dhcp excluded-address 172.16.106.1 172.16.106.10
ip dhcp excluded-address 172.17.106.1 172.17.106.10
ip dhcp excluded-address 172.17.106.1 172.17.106.10
ip dhcp excluded-address 172.17.116.1 172.17.116.10
ip dhcp excluded-address 172.17.116.1 172.17.116.10
ip dhcp excluded-address 172.16.116.1 172.16.116.10
ip dhcp excluded-address 172.16.116.1 172.16.116.10
ip dhcp excluded-address 172.16.126.1 172.16.126.10
ip dhcp excluded-address 172.16.126.1 172.16.126.10
!
!
ip dhcp pool Data-Devices
ip dhcp pool Data-Devices
  network 172.16.106.0 255.255.255.0
    network 172.16.106.0 255.255.255.0
  default-router 172.16.106.1  
    default-router 172.16.106.1  
  option 43 hex f104.ac10.6464
    option 43 hex f104.ac10.6464
  option 60 ascii "Cisco AP c1242"
    option 60 ascii "Cisco AP c1242"
!
!
ip dhcp pool Voice-Devices
ip dhcp pool Voice-Devices
  network 172.17.106.0 255.255.255.0
    network 172.17.106.0 255.255.255.0
  default-router 172.17.106.1  
    default-router 172.17.106.1  
  option 150 ip 172.17.106.1
    option 150 ip 172.17.106.1
!
!
ip dhcp pool Wireless-Data
ip dhcp pool Wireless-Data
  network 172.16.116.0 255.255.255.0
    network 172.16.116.0 255.255.255.0
  default-router 172.16.116.1  
    default-router 172.16.116.1  
  lease 0 6
    lease 0 6
!
!
ip dhcp pool Wireless-Voice
ip dhcp pool Wireless-Voice
  network 172.17.116.0 255.255.255.0
    network 172.17.116.0 255.255.255.0
  default-router 172.17.116.1  
    default-router 172.17.116.1  
  lease 0 6
    lease 0 6
  option 150 ip 172.17.106.1
    option 150 ip 172.17.106.1
!
!
ip dhcp pool Wireless-Guest
ip dhcp pool Wireless-Guest
  network 172.16.126.0 255.255.255.0
    network 172.16.126.0 255.255.255.0
  default-router 172.16.126.1  
    default-router 172.16.126.1  
  lease 0 2
    lease 0 2
!
!
ip dhcp pool AP-Management
ip dhcp pool AP-Management
  network 172.16.100.0 255.255.255.0
    network 172.16.100.0 255.255.255.0
  default-router 172.16.100.1  
    default-router 172.16.100.1  
!
!
ip dhcp pool GMPlaptop
ip dhcp pool GMPlaptop
  host 172.16.106.11 255.255.255.0
    host 172.16.106.11 255.255.255.0
  client-identifier 0198.4be1.96f9.81
    client-identifier 0198.4be1.96f9.81
  client-name gmplaptop
    client-name gmplaptop
!
!
Time
 
===Time===
The router is set as the NTP master.  The following commands set the time zone and the NTP server.
The router is set as the NTP master.  The following commands set the time zone and the NTP server.
clock timezone CST -6
 
clock summer-time CDT recurring
clock timezone CST -6
ntp server 172.16.252.1
clock summer-time CDT recurring
Radius Server
ntp server 172.16.252.1
 
===Radius Server===
TekRADIUS LT is the radius server.  It was installed on Windows 7. The web site is http://www.tekradius.com.   
TekRADIUS LT is the radius server.  It was installed on Windows 7. The web site is http://www.tekradius.com.   
TekRADIUS User Management
 
====TekRADIUS User Management====
 
The following screen shows the user management interface.  The only user attribute that is defined is the password.  
The following screen shows the user management interface.  The only user attribute that is defined is the password.  
   
   
Line 307: Line 359:
Users may be associated with different groups to manage attributes and privileges.  The default group usually has no attributes.  Here the TLS certificate attribute is defined as part of using a certificate during Windows authentication.
Users may be associated with different groups to manage attributes and privileges.  The default group usually has no attributes.  Here the TLS certificate attribute is defined as part of using a certificate during Windows authentication.
   
   
Radius Clients
====Radius Clients====
The Client screen lists the 3 clients, which are the Wireless LAN Controller, the switch, and the router.  Here, the radius clients are explicitly listed.  The software has an option where any client that uses the pre-shared secret may connect to the radius server.
The Client screen lists the 3 clients, which are the Wireless LAN Controller, the switch, and the router.  Here, the radius clients are explicitly listed.  The software has an option where any client that uses the pre-shared secret may connect to the radius server.
   
   


Radius Server Parameters
====Radius Server Parameters====
The radius server configuration follows.  The most important parameters on this screen are the listening address, the automatic or manual start option, the logging level, and the authentication and accounting ports.  
The radius server configuration follows.  The most important parameters on this screen are the listening address, the automatic or manual start option, the logging level, and the authentication and accounting ports.  
   
   


Wireless Controller
==Wireless Controller==
Several entities are used when configuring a Wireless LAN Controller.   
Several entities are used when configuring a Wireless LAN Controller.   
Controller address.  An address must be assigned to the controller interface to allow CLI access and to serve as the default route for inter faces within the controller.  The address is defined as follows.
* Controller address.  An address must be assigned to the controller interface to allow CLI access and to serve as the default route for inter faces within the controller.  The address is defined as follows.
interface wlan-controller1/0
 
ip address 172.16.1.1 255.255.255.0
interface wlan-controller1/0
!
  ip address 172.16.1.1 255.255.255.0
WLAN.  A WLAN is defined for each SSID that is used by the access points.  For convenience, the WLAN name is the same as the SSID.  The WLAN is associated with a VLAN through the interface assignment.
!
Interfaces.  The interfaces connect the WLAN to and address and VLAN. An interface has a name, an IP address, and a VLAN number.  For convenience, the interface name is the same as the associated WLAN name.
 
Management Addresses. The WLAN controller has two management addresses.  The management address is the web server address.  The second address is the “AP Management” address.  The AP Management address is used by the access points and is the value used in DHCP option 43.
* WLAN.  A WLAN is defined for each SSID that is used by the access points.  For convenience, the WLAN name is the same as the SSID.  The WLAN is associated with a VLAN through the interface assignment.
* Interfaces.  The interfaces connect the WLAN to and address and VLAN. An interface has a name, an IP address, and a VLAN number.  For convenience, the interface name is the same as the associated WLAN name.
* Management Addresses. The WLAN controller has two management addresses.  The management address is the web server address.  The second address is the “AP Management” address.  The AP Management address is used by the access points and is the value used in DHCP option 43.
 
In the router, the Wireless LAN Controller interface is configured as follows.  
In the router, the Wireless LAN Controller interface is configured as follows.  
interface wlan-controller1/0
 
ip address 172.16.1.1 255.255.255.0
interface wlan-controller1/0
!
  ip address 172.16.1.1 255.255.255.0
interface wlan-controller1/0.100
!
encapsulation dot1Q 100
interface wlan-controller1/0.100
ip address 172.16.100.1 255.255.255.0
  encapsulation dot1Q 100  
!
  ip address 172.16.100.1 255.255.255.0
interface wlan-controller1/0.112
!
description Wireless Data
interface wlan-controller1/0.112
encapsulation dot1Q 112
  description Wireless Data
ip address 172.16.116.1 255.255.255.0
  encapsulation dot1Q 112
!
  ip address 172.16.116.1 255.255.255.0
interface wlan-controller1/0.113
!
description Wireless Voice
interface wlan-controller1/0.113
encapsulation dot1Q 113
  description Wireless Voice
ip address 172.17.116.1 255.255.255.0
  encapsulation dot1Q 113
!
  ip address 172.17.116.1 255.255.255.0
interface wlan-controller1/0.114
!
description Wireless-Guest
interface wlan-controller1/0.114
encapsulation dot1Q 114
  description Wireless-Guest
ip address 172.16.126.1 255.255.255.0
  encapsulation dot1Q 114
!
  ip address 172.16.126.1 255.255.255.0
WLC Summary Screen
!
The system status is visible on the Summary screen.  The information includes the number of access points and the number of clients per WLAN.
 
===WLC Summary Screen===
The system status is visible on the Summary screen.  The information includes the number of access points and the number  
   
   
WLAN Screen
===WLAN Screen===
The wireless LANs are defined in the WLAN screen.  The SSIDs are listed in the third column.  Three are being broadcast.  
The wireless LANs are defined in the WLAN screen.  The SSIDs are listed in the third column.  Three are being broadcast.  
   
   
WLAN Configuration and Encryption
===WLAN Configuration and Encryption===
One WLAN configuration screen follows.  The “Enabled” state shows that the WLAN is active in the access points.  The security policy is displayed here, but is defined in the “Security” tab.  The WLAN is connected to an IP address via the interface selection.  The SSID is being broadcast.   
One WLAN configuration screen follows.  The “Enabled” state shows that the WLAN is active in the access points.  The security policy is displayed here, but is defined in the “Security” tab.  The WLAN is connected to an IP address via the interface selection.  The SSID is being broadcast.   
   
   
WLAN Encryption
===WLAN Encryption===
The WPA2 encryption is defined.
The WPA2 encryption is defined.
   
   
WLAN Authentication
===WLAN Authentication===
Authentication is enabled for this WLAN and the radius server is specified for authorization and accounting.  Multiple servers may be defined.
Authentication is enabled for this WLAN and the radius server is specified for authorization and accounting.  Multiple servers may be defined.
   
   
Interfaces
===Interfaces===
The controller interfaces are defined in this screen.  Notice that the addresses are in the same network as the corresponding subinterface in the WLAN controller interface definition.
The controller interfaces are defined in this screen.  Notice that the addresses are in the same network as the corresponding subinterface in the WLAN controller interface definition.
   
   
Interface Details
===Interface Details===
The interface address is in the same subnet as the address that is defined in the router’s  wlan controller subinterface.  
The interface address is in the same subnet as the address that is defined in the router’s  wlan controller subinterface.  
   
   
Radius Server Definition
===Radius Server Definition===
The radius servers, port numbers, and shared secret are defined in this screen. The server information is used in the WLAN authentication screen.
The radius servers, port numbers, and shared secret are defined in this screen. The server information is used in the WLAN authentication screen.
   
   


   
   
Appendix
==Appendix==
Router Configuration
 
===Router Configuration===


Switch Configuration
===Switch Configuration===


Wireless LAN Controller Configuration
===Wireless LAN Controller Configuration===

Revision as of 21:14, 8 April 2012

802.1X Authentication for Wireless and Wired Connections

Description

The project demonstrates Radius authentication for three types of access.

  • VTY and Console access to Cisco IOS devices, specifically a 3550 switch
  • User authentication for access at wired ports
  • User authentication for wireless access

The project integrates the CCNA Wireless class with the CCNA Security class. The project also demonstrates that Cisco wireless could be configured for WPA-2 encryption with 802.1X authentication.

Participants:

  • Greg Polanski
  • Mark Benolken

802.1X Basics

802.1X authentication has 3 components.

  • Supplicant. The supplicant is the device that wants to attach to the WLAN or LAN. The phrase, supplicant, is also used to describe the software in the Windows laptop/desktop that provides authentication credentials.
  • Authenticator. Device that controls access to the network. The authenticator queries the supplicant for credentials and passes the credentials to the authentication server for verification. The switch is the authenticator for wired access points. The Wireless LAN Controller (WLC) is the authenticator for wireless access.
  • Authentication Server. The authentication server validates the credentials. The authentication server is TekRADIUS LT on a Windows 7 laptop.

The Windows supplicant interacts with the Radius server in two ways, with and without a certificate. The interaction is determined by the “Validate Server Certificate” setting in the “Protected EAP Properties” window.

  • Certificate. If the “Validate Server Certificate” setting is checked, the Windows supplicant uses a certificate as part of the credential exchange with the Radius Server. In a corporate environment, this certificate can be pushed to the corporate laptops. In this project, a self signed certificate was created on the radius server and was copied to the laptop.
  • No Certificate. If the “Validate Server Certificate” setting is clear, the Windows supplicant does not use the certificate as part of the credential interaction.

Demonstration

The demonstration consisted of the following activities.

  • Windows 7 connection to Wireless Data SSID with username and password authentication
  • Windows 7 connection to Wired Data VLAN with username and password authentication
  • Windows XP connection to Wireless Data SSID with username and password authentication
  • Windows XP connection to Wired Data VLAN with username and password authentication
  • Ssh connection to 3550 Switch with radius authentication

The Windows configuration for 802.1X authentication required the following activities.

  • Enabling authentication in the wireless network definition. Two options were explored.
    • Using a certificate between the laptop and the radius server
    • Not using a certificate between the laptop and the radius server
  • Enabling 802.1X authentication on the wired interface

Configuration

The projected used the following equipment.

  • Cisco 2811 Router with Wireless LAN Controller module
  • Cisco 3550 POE Switch with Layer 2 and Layer 3 capabilities
  • Cisco 1242 Wireless Access Point
  • Windows 7 and Windows XP laptops

The router hosted the wireless controller and provided DHCP services both to the wired and wireless VLANs. The router used EIGRP and connected to the switch via a layer 3 link (172.16.252.0/30). The 3550 switch provided power to the access point, access control on the wired ports, and relayed DHCP requests to the router.

Windows 7 Laptop

Wireless access has several selections for authentication and encryption Three examples are shown below. One goal of this project was to identify the end user differences when using alternate connection techniques.

  • Open. No Encryption, No Authentication
  • WPA2-PSK. Encryption, with authentication based upon a fixed password
  • WPA2-Enterprise. Encryption with authentication based upon credentials that are unique to the individual.

Open. Most public Wifi hotspots, such as hotspots at coffee shops and public libraries are open. At Inver Hills CC, the SSID, ihcc, is open. The laptop detects the SSID and the owner clicks “Connect”, and the laptop is on the network. The SafeConnect web page is accessible only after the wireless connection is complete. All wireless traffic is not encrypted and can be snooped by others within radio range.

WPA2-PSK. WPA2-PSK is common in the home environment. A pre-shared key is set in the laptop and the wireless access point. The laptop owner must define the wireless network and set the key. An example of the configuration screen follows.

WPA2-Enterprise. The WPA2-Enterprise uses authentication that is unique to the individual. In a corporate environment using Active Directory, the laptop and then the user authenticates to the wireless using AD credentials. The wireless controller checks the credentials via a Radius or TACACS+ server against AD. In a corporate environment, authentication can be seamless since the wireless configuration and authentication certificate can be pushed to the laptop when it is configured and the laptop caches the user’s AD credentials.

In an environment where the end user owns the laptop, the wireless network must be configured.

Wireless Network Configuration

When using encryption and authentication, the wireless network must be defined on the laptop. The following screen shots focus on authentication. The wireless network definition begins with “Set up a new connection or network” or “Manage wireless networks” on the “Network and Sharing Center” screen.

Define the SSID name, the security, the encryption, and whether the connection should be automatic. The SSID is “Data”.

Confirm the settings.

Select the “Security” tab to configure the authentication. Protected EAP (PEAP) is the correct setting. Click on “Settings” to reach the next screen.

The check box, “Validate server certificate”, affects how the laptop supplicant interacts with the Radius server. If the box is checked, the laptop must have a certificate from the Radius server. The authentication credentials can be read only by the known Radius server. If the laptop authenticates, the radius server is trusted, which means the access point and network are trusted. No one can setup an “evil twin” access point that looks like a production AP and fool the laptop. The cost is that the certificate must be installed on the laptop.

The example shows the configuration where a certificate is not needed, since the checkbox is clear. Clear the Fast Reconnect check box unless you are using cached credentials. Click “Configure …” to go to the next screen.

The following popup determines if a authentication popup appears. If the windows login on the laptop uses the same name and password that is needed for wireless authentication, check the box. The credentials will be passed to the access point automatically. In a corporate environment with AD, the box is checked so authentication to the wireless is automatic.

If the checkbox is clear, the following popup will appear so the user can enter the userame and password directly.

References

Wired Configuration

802.1X authentication for a wired connection begins with starting the service on the system. The services screen is reached through the command, “services.msc”. Here the command is typed in the Run window.


When the Services window appears, select the “Standard” tab (at the bottom). Scroll down and select “Wired AutoConfig”. Right click to “Start” or select “Start” from the “Action” menu.

The authentication properties may be edited only after the “Wired Auto Config” service is running. The administration sequence, “Control Panel”, “Network and Internet”, “Network Connections”, leads to the following screen. Select”Local Area Connection”.

In the “Local Area Connection Status” screen, select “Properties”.


Select the Authentication tab at the top of the “Local Area Connection Properties” window. If the “Wired Auto Config” service is not running, the “Authentication” tab is not visible


Enable the 802.1X authentication.

The “Protected EAP Properties” window is the same as the configuration for the wireless access. The certificate is not needed, since the checkbox is clear. Clear the Fast Reconnect check box unless you are using cached credentials. Click “Configure …” to go to the next screen.


The following popup determines if a authentication popup appears. If the windows login on the laptop uses the same name and password that is needed for wireless authentication, check the box. The credentials will be passed to the access point automatically. In a corporate environment with AD, the box is checked so authentication to the wireless is automatic.


Windows XP Laptop

The wireless and wired configuration steps for a Windows XP laptop is similar to the effort for Windows 7. Windows XP caches the credentials in the registry. The activity to clear the credentials is documented in http://support.microsoft.com/kb/823731

References

801.2X With A Certificate

The wireless authentication was also tested with a certificate. The activities included the following.

The configuration setting on the laptop was checking “Validate server certificate” in the “Protected EAP Properties” window.

The User or the Group must be configured to use the certificate in the TekRADIUS server. The certificate is part of the group setting, below. Alternatively, the setting could be a user configuration. The screen image is in the TekRADIUS configuration section.

TekRADIUS References

Cisco Switch Configuration

The configuration statements for the 3550 switch follow. The authentication sections for VTY and console access are identical in the switch and the router.

=Authentication

Authentication for the data ports, vty access, and the console port is enabled through the commands, below. AAA is enabled. Console and vty login is authenticated through radius. When the radius server is not accessible, local user authentication is used. The radius server uses ports 1812 and 1813 for authentication and accounting. The dot1x command enables dot1x access control on the data ports. 

aaa new-model

aaa authentication login default group radius local
aaa authentication dot1x default group radius
 
radius-server host 172.16.106.11 auth-port 1812 acct-port 1813 key WinRadius

dot1x system-auth-control

Data Ports

The configuration for the data ports is below. The global configuration command enables BPDUguard on all portfast ports. If a switch is connected to any port, the port will change to an error disabled stated. This also prevents loops if a user connects two switch ports together.

The switchport commands set the port to access mode and define the data and voice vlans. Three dot1x commands are shown. When the configuration command, “dot1x port-control auto”, was added, the IOS automatically added the other commands. The phrase, “dot1x pae authenticator”, assures authentication in legacy configurations. The “dot1x violation-mode protect” command means that connecting systems that fail authentication will be quietly blocked. The word, protect, means that no log messages nor SNMP traps will be generated. One option that is not shown is a “guest” vlan. The interface configuration statement, “dot1x guest-vlan 20”, would assign the device to vlan 20. This vlan is assumed to have limited access.

In production, Quality of Service should be added to the configuration to support IP Phones. QoS is not shown since the project focus was 802.1X authentication. 

spanning-tree portfast bpduguard default

interface FastEthernet0/1
 description End user data ports
 switchport access vlan 110
 switchport voice vlan 111
 switchport mode access

 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect

 spanning-tree portfast

!

References

Wireless Access Point Port

The switch port that is assigned to the wireless access point is does not require 802.1X authentication. The “force-authorized” phrase means that the port is enabled. 

interface FastEthernet0/23
 description Wireless Access Point
 switchport access vlan 110
 switchport mode access
 spanning-tree portfast

 dot1x port-control force-authorized

The port can be constrained to support ONLY the wireless access point through the following statements. The default mode is to shut down the port if a violation occurs. 

switchport port-security maximum 1
switchport port-security mac-address sticky

Radius Server Port

The switch port that is assigned to the radius server does not require 802.1X authentication. The “force-authorized” phrase means that the port is enabled. Switchport port-security statements could be used to permit only the radius server at this port. 

interface FastEthernet0/22
 description Radius Server
 switchport access vlan 110
 switchport mode access
 spanning-tree portfast

 dot1x port-control force-authorized

Logging

Logging on the switch and router was configured as follows. The “localtime” phrase configures the logging service and console to display a clock and calendar based time rather than the delta time since the device boot. The devices are set to US/Central timezone. 

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime

logging trap 6
logging 172.16.106.11

Routing

The 3550 switch was configured with a layer 3 connection to the router. The command, “no switchport”, set port 24 to communicate on layer 3. All data ports were configured as EIGRP passive ports to suppress EIGRP routing traffic on the ports. 

ip routing

interface FastEthernet0/24
 description Connect to 2811 Router port fa 0/1
 no switchport
 ip address 172.16.252.2 255.255.255.252


router eigrp 10
 passive-interface default
 no passive-interface FastEthernet0/24
 network 172.16.0.0
 network 172.17.0.0
!
ip classless

VTY Access

Vty and console access uses radius authentication since the “… login default …” configuration is defined. Local authentication, which checks user names that are defined on the switch or router, is used only if the radius server does not respond. The transport command mandates that only ssh is used for remote access. 

aaa authentication login default group radius local

line con 0
 session-timeout 30 
 exec-timeout 20 0
 logging synchronous
 
line vty 0 4
 session-timeout 30 
 logging synchronous
 transport input ssh

Router Configuration

Router – Switch Link

The router and switch were connected at Layer 3. Router interface FastEtherenet 0/1 was connected to switch port FastEthernet 0/24. Both devices used EIGRP. 

interface FastEthernet0/1
 description Connect to 3560 POE Switch (usually port fa 0/24)
 ip address 172.16.252.1 255.255.255.252
 duplex auto
 speed auto
!

router eigrp 10
 network 172.16.0.0
 network 172.17.0.0
 no auto-summary
!

DHCP

The router, switch, and wireless controller used the following VLANs and addresses.

VLAN Network Description
100 172.16.100.0/24 WLC Access Point Management
110 172.16.106.0/24 Wired Data
111 172.17.106.0/24 Wired Voice
112 172.16.116.0/24 Wireless Data
113 172.17.116.0/24 Wireless Voice
114 172.16.126.0/24 Wireless Guest
172.16.252.0/30 Router/Switch L3 network
172.16.1.1/24 WLC Interface
172.16.106.11 Radius Server

Syslog Server

The router was configured as the DHCP server for both the wired and wireless VLANs. One benefit is that all DHCP definitions are one location. The configuration also emulates a production environment that uses a centralized DHCP server.

The “excluded-address” statements identify addresses that are not part of DHCP and may be statically assigned. One example is the switch’s management address, 172.16.106.5. The “AP Management” pool is not really used, but it sets aside addresses for use in the WLAN controller.

Option 43 is used by the wireless access point to find the controller. The first 16 bits, f104, is a fixed value the must be part of the definition. The last 32 bits, ac10.6464, is the hexadecimal representation of the address, 172.16.100.100. This is the address in the wireless controller that responds to the access points. Option 60 limits option 43 to DHCP clients that are the Cisco 1242 access points. Option 150 in the Voice VLAN is the address of the TFTP server for CME or CUCM.

The last DHCP pool shows how to assign a specific address to a device. The DHCP pool is just one address, which is specified by the “host” statement. The client identifier phrase specifies the MAC address where with theprepended byte, 0x01. This is the same format as displayed for the command, “show ip dhcp binding”. 172.16.106.11 is the laptop that is running the Radius server. 

ip dhcp excluded-address 172.16.106.1 172.16.106.10
ip dhcp excluded-address 172.17.106.1 172.17.106.10
ip dhcp excluded-address 172.17.116.1 172.17.116.10
ip dhcp excluded-address 172.16.116.1 172.16.116.10
ip dhcp excluded-address 172.16.126.1 172.16.126.10
!
ip dhcp pool Data-Devices
   network 172.16.106.0 255.255.255.0
   default-router 172.16.106.1 
   option 43 hex f104.ac10.6464
   option 60 ascii "Cisco AP c1242"
!
ip dhcp pool Voice-Devices
   network 172.17.106.0 255.255.255.0
   default-router 172.17.106.1 
   option 150 ip 172.17.106.1
!
ip dhcp pool Wireless-Data
   network 172.16.116.0 255.255.255.0
   default-router 172.16.116.1 
   lease 0 6
!
ip dhcp pool Wireless-Voice
   network 172.17.116.0 255.255.255.0
   default-router 172.17.116.1 
   lease 0 6
   option 150 ip 172.17.106.1
!
ip dhcp pool Wireless-Guest
   network 172.16.126.0 255.255.255.0
   default-router 172.16.126.1 
   lease 0 2
!
ip dhcp pool AP-Management
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.1 
!
ip dhcp pool GMPlaptop
   host 172.16.106.11 255.255.255.0
   client-identifier 0198.4be1.96f9.81
   client-name gmplaptop
!

Time

The router is set as the NTP master. The following commands set the time zone and the NTP server. 

clock timezone CST -6
clock summer-time CDT recurring
ntp server 172.16.252.1

Radius Server

TekRADIUS LT is the radius server. It was installed on Windows 7. The web site is http://www.tekradius.com.

TekRADIUS User Management

The following screen shows the user management interface. The only user attribute that is defined is the password.


Users may be associated with different groups to manage attributes and privileges. The default group usually has no attributes. Here the TLS certificate attribute is defined as part of using a certificate during Windows authentication.

Radius Clients

The Client screen lists the 3 clients, which are the Wireless LAN Controller, the switch, and the router. Here, the radius clients are explicitly listed. The software has an option where any client that uses the pre-shared secret may connect to the radius server.


Radius Server Parameters

The radius server configuration follows. The most important parameters on this screen are the listening address, the automatic or manual start option, the logging level, and the authentication and accounting ports.


Wireless Controller

Several entities are used when configuring a Wireless LAN Controller.

  • Controller address. An address must be assigned to the controller interface to allow CLI access and to serve as the default route for inter faces within the controller. The address is defined as follows.
interface wlan-controller1/0
 ip address 172.16.1.1 255.255.255.0
!
  • WLAN. A WLAN is defined for each SSID that is used by the access points. For convenience, the WLAN name is the same as the SSID. The WLAN is associated with a VLAN through the interface assignment.
  • Interfaces. The interfaces connect the WLAN to and address and VLAN. An interface has a name, an IP address, and a VLAN number. For convenience, the interface name is the same as the associated WLAN name.
  • Management Addresses. The WLAN controller has two management addresses. The management address is the web server address. The second address is the “AP Management” address. The AP Management address is used by the access points and is the value used in DHCP option 43.

In the router, the Wireless LAN Controller interface is configured as follows. 

interface wlan-controller1/0
 ip address 172.16.1.1 255.255.255.0
!
interface wlan-controller1/0.100
 encapsulation dot1Q 100 
 ip address 172.16.100.1 255.255.255.0
!
interface wlan-controller1/0.112
 description Wireless Data
 encapsulation dot1Q 112
 ip address 172.16.116.1 255.255.255.0
!
interface wlan-controller1/0.113
 description Wireless Voice
 encapsulation dot1Q 113
 ip address 172.17.116.1 255.255.255.0
!
interface wlan-controller1/0.114
 description Wireless-Guest
 encapsulation dot1Q 114
 ip address 172.16.126.1 255.255.255.0
!

WLC Summary Screen

The system status is visible on the Summary screen. The information includes the number of access points and the number

WLAN Screen

The wireless LANs are defined in the WLAN screen. The SSIDs are listed in the third column. Three are being broadcast.

WLAN Configuration and Encryption

One WLAN configuration screen follows. The “Enabled” state shows that the WLAN is active in the access points. The security policy is displayed here, but is defined in the “Security” tab. The WLAN is connected to an IP address via the interface selection. The SSID is being broadcast.

WLAN Encryption

The WPA2 encryption is defined.

WLAN Authentication

Authentication is enabled for this WLAN and the radius server is specified for authorization and accounting. Multiple servers may be defined.

Interfaces

The controller interfaces are defined in this screen. Notice that the addresses are in the same network as the corresponding subinterface in the WLAN controller interface definition.

Interface Details

The interface address is in the same subnet as the address that is defined in the router’s wlan controller subinterface.

Radius Server Definition

The radius servers, port numbers, and shared secret are defined in this screen. The server information is used in the WLAN authentication screen.


Appendix

Router Configuration

Switch Configuration

Wireless LAN Controller Configuration

Retrieved from "https://wiki.ihitc.net/mediawiki/index.php?title=802.1X_Authentication_for_Wireless_and_Wired_Connections&oldid=5438"