PG1X WIKI

My Knowledge Base


Cisco: IEEE802.1X Authentication

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.1 Device security
          • 5.1.a Implement and troubleshoot IOS AAA using local database
          • 5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS
          • 5.1.d [i] AAA with TACACS+ and RADIUS
        • 5.2 Network security
          • 5.2.d Describe 802.1x
          • 5.2.d [i] 802.1x, EAP, RADIUS
    • Lab v5.0
      • N/A

FreeRADIUS 3.0 Configuration

sudo apt install freeradius

ufw

sudo systemctl restart freeradius
sudo systemctl status freeradius
sudo systemctl enable freeradius
sudo ufw allow proto udp from 10.0.8.0/22 to any port 1812
sudo ufw allow proto udp from 10.0.8.0/22 to any port 1813
--- /root/orig/etc/freeradius/3.0/clients.conf  2019-04-17 21:59:55.000000000 +0900
+++ /etc/freeradius/3.0/clients.conf    2019-07-28 12:08:31.461628942 +0900
@@ -238,10 +238,10 @@
 #  When a client request comes in, the BEST match is chosen.
 #  i.e. The entry from the smallest possible network.
 #
-#client private-network-1 {
-#      ipaddr          = 192.0.2.0/24
-#      secret          = testing123-1
-#}
+client private-network-1 {
+       ipaddr          = 10.0.8.0/22
+       secret          = pg1xhimitsu
+}
 
 #client private-network-2 {
 #      ipaddr          = 198.51.100.0/24
--- /root/orig/etc/freeradius/3.0/users 2019-04-17 21:59:55.000000000 +0900
+++ /etc/freeradius/3.0/users   2019-07-28 12:07:47.757380601 +0900
@@ -84,8 +84,8 @@
 # The canonical testing user which is in most of the
 # examples.
 #
-#bob   Cleartext-Password := "hello"
-#      Reply-Message := "Hello, %{User-Name}"
+wnoguchi       Cleartext-Password := "kotoneaishiteru"
+       Reply-Message := "Hello, %{User-Name}"
 #
 
 #
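Review bot: `Cleartext-Password :=` keeps the password in plaintext in `users`; that is unavoidable when the inner EAP method is MSCHAPv2 (PEAP), because the server must compute the NT hash, so the restrictive ownership and mode the Debian package sets on /etc/freeradius/3.0 must be kept, and the real password should not be published in this page. The `Reply-Message` line is correctly indented: in the `users` file reply items must start with whitespace, otherwise the line is parsed as a new user entry.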
--- /root/orig/etc/freeradius/3.0/sites-available/default       2019-04-17 21:59:55.000000000 +0900
+++ /etc/freeradius/3.0/sites-available/default 2019-07-28 12:02:17.683199685 +0900
@@ -314,7 +314,7 @@
        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line.
-#      auth_log
+       auth_log
 
        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
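Review bot: uncommenting `auth_log` in `authorize` writes every Access-Request to a per-NAS detail file (the `/var/log/freeradius/radacct/10.0.8.210/auth-detail-YYYYMMDD` files shown further down this page). Verify that the `auth_log` instance in `mods-available/detail.log` still carries `suppress { User-Password }` so PAP passwords never reach disk, and add a logrotate rule for that directory, since one file per NAS per day accumulates without bound.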

Configuration & Verification

Catalyst 2960 IOS version is 15.0(2)SE8.

SW10 Configuration

R1 Configuration

802.1X Supplicant Configuration, Netplan version (FAILED, NOT VERIFIED)

This did not work…

802.1X Supplicant Configuration, NetworkManager version (SUCCESS)

The supplicant configuration works.

SW10 Console Output

The port the supplicant connects to must be configured with the following command, which sets the port's PAE (Port Access Entity) role to authenticator:

interface range FastEthernet 0/1 - 6
 dot1x pae authenticator

MAB(MAC Authentication Bypass)

Catalyst 2960 IOS version is 15.0(2)SE8.

MAC authentication using FreeRADIUS and WLC - devwiki

SW10 Configuration

MAC address of the MAB client, as the switch displays it: 4c52.6226.e0b5

The users entry uses the MAC address in lowercase without separators as both the user name and the password, because that is the form the switch sends in User-Name (see the console log below).

/etc/freeradius/3.0/users
4c526226e0b5    Cleartext-Password := "4c526226e0b5"
        Reply-Message := "Hello, %{User-Name}"

SW10 Console Log

/var/log/freeradius/radacct/10.0.8.210/auth-detail-20190804
Sun Aug  4 13:52:03 2019
        Packet-Type = Access-Request
        User-Name = "4c526226e0b5"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "00-22-BD-89-21-81"
        Calling-Station-Id = "4C-52-62-26-E0-B5"
        Message-Authenticator = 0x1ae4fc14464aaf893049ca6d17c93618
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        NAS-IP-Address = 10.0.8.210
        Event-Timestamp = "Aug  4 2019 13:52:03 JST"
        Timestamp = 1564894323
 
 
 
Sun Aug  4 15:17:32 2019
        Packet-Type = Access-Request
        User-Name = "4c526226e0b5"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-22-BD-89-21-81"
        Calling-Station-Id = "4C-52-62-26-E0-B5"
        EAP-Message = 0x0202001604107bf4b548201de2430136da6a1ca933b3
        Message-Authenticator = 0xf8e024d001e51508a8f6fb43cd2d3b3b
        NAS-Port-Type = Ethernet
        NAS-Port = 50001
        NAS-Port-Id = "FastEthernet0/1"
        State = 0xad62a524ad60a10c88a89bcb660b0230
        NAS-IP-Address = 10.0.8.210
        Event-Timestamp = "Aug  4 2019 15:17:32 JST"
        Timestamp = 1564899452
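The two records above show how a MAB request (Service-Type = Call-Check, no EAP-Message) and an 802.1X request (EAP-Message present) look in the auth-detail file, and that for MAB the User-Name is the Calling-Station-Id with separators stripped. The following parser is an added example, not code from the wiki page or from FreeRADIUS: it reads records in the auth-detail layout, classifies them, renders the users-file entry for a MAC in any notation, and flags MAB requests whose User-Name does not match the Calling-Station-Id, which is a cheap sanity check on requests that the switch's own MAB process would never produce. The SAMPLE_DETAIL text is constructed (the third record is deliberately inconsistent) and all function names are this example's own.

```python
"""Parse FreeRADIUS auth-detail records and check MAB consistency.

Added example; not from the original wiki page or the FreeRADIUS project.
Record layout follows the auth-detail file shown on the page. SAMPLE_DETAIL is
constructed test data; the function names are this example's own.
"""

import re
from typing import Dict, List

# Constructed sample in the auth-detail layout: a timestamp line, then
# tab-indented "Attribute = value" lines, records separated by blank lines.
SAMPLE_DETAIL = """\
Sun Aug  4 13:52:03 2019
\tPacket-Type = Access-Request
\tUser-Name = "4c526226e0b5"
\tService-Type = Call-Check
\tCalled-Station-Id = "00-22-BD-89-21-81"
\tCalling-Station-Id = "4C-52-62-26-E0-B5"
\tNAS-Port-Id = "FastEthernet0/1"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1564894323

Sun Aug  4 15:17:32 2019
\tPacket-Type = Access-Request
\tUser-Name = "4c526226e0b5"
\tService-Type = Framed-User
\tCalling-Station-Id = "4C-52-62-26-E0-B5"
\tEAP-Message = 0x0202001604107bf4b548201de2430136da6a1ca933b3
\tNAS-Port-Id = "FastEthernet0/1"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1564899452

Sun Aug  4 15:20:00 2019
\tPacket-Type = Access-Request
\tUser-Name = "4c526226e0b5"
\tService-Type = Call-Check
\tCalling-Station-Id = "00-11-22-33-44-55"
\tNAS-Port-Id = "FastEthernet0/2"
\tNAS-IP-Address = 10.0.8.210
\tTimestamp = 1564899600
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records; quoted values are unquoted."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A line in column one is the timestamp that starts a record.
            if current:
                records.append(current)
            current = {"_timestamp": line.strip()}
            continue
        m = ATTR_RE.match(line)
        if m and current:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            current[name] = value
    if current:
        records.append(current)
    return records


def normalize_mac(value: str) -> str:
    """4C-52-62-26-E0-B5, 4c52.6226.e0b5 or 4c:52:... -> 4c526226e0b5."""
    mac = re.sub(r"[-:.]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {value!r}")
    return mac


def mab_users_entry(mac: str) -> str:
    """Render the users-file entry the page uses for MAB (MAC as both
    user name and password, separators stripped, lowercase)."""
    m = normalize_mac(mac)
    return f'{m}\tCleartext-Password := "{m}"\n\tReply-Message := "Hello, %{{User-Name}}"'


def classify(rec: Dict[str, str]) -> str:
    """'dot1x' when an EAP-Message is carried, 'mab' for Call-Check, else 'other'."""
    if "EAP-Message" in rec:
        return "dot1x"
    if rec.get("Service-Type") == "Call-Check":
        return "mab"
    return "other"


def check_mab_consistency(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per MAB record; mismatch=True when the User-Name the NAS
    sent is not the normalized Calling-Station-Id of the same request."""
    findings = []
    for rec in records:
        if classify(rec) != "mab":
            continue
        calling = normalize_mac(rec["Calling-Station-Id"])
        findings.append({
            "timestamp": rec["_timestamp"],
            "port": rec.get("NAS-Port-Id"),
            "user": rec.get("User-Name"),
            "calling": calling,
            "mismatch": rec.get("User-Name", "").lower() != calling,
        })
    return findings


if __name__ == "__main__":
    for f in check_mab_consistency(parse_detail(SAMPLE_DETAIL)):
        print(f)
```

Run it against a real file with `parse_detail(open(path).read())`; the blank-line and whitespace-only separators in the page's log (including the lines that contain only spaces) are skipped by the same `strip()` test.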

R1 Configuration

R2 Configuration

host-mode

In single-host mode the switch port goes into the err-disabled state when multiple hosts are detected, so even the first, already authenticated host can no longer communicate through that port.

SW10 Console

Summary

  1. single-host: only one host can be authenticated; if another host connects, the port is moved to the err-disabled state and no host can communicate through the port
  2. multi-host: once one host is authenticated, the other hosts can communicate without authenticating
  3. multi-domain: one data host and one IP phone can be authenticated; if another host connects, the 802.1X-enabled port enters the err-disabled state
  4. multi-auth: N data supplicants and one IP phone can be authenticated; every host needs its own 802.1X authentication

Reauthenticate

Regular reauthentication

SW10 Configuration

/etc/freeradius/3.0/users
wnoguchi        Cleartext-Password := "kotoneaishiteru"
        Reply-Message := "Hello, %{User-Name}"

SW10 Console Output

Wireshark display filter used to hide the noise while capturing the EAPOL exchange:

not (stp or dtp  or ssdp or loop or cdp or mdns or arp or bjnp or icmpv6)

The following command is not implemented on the Catalyst 2960:

dot1x reauthenticate interface FastEthernet 0/1

It is not implemented on the Catalyst 3750 either:

SW1#dot1x ?
  test  Test 802.1x capabilities

SW1#sh env | i adv
% Incomplete command before pipe.

SW1#sh ver | i ip 
System image file is "flash:/c3750-ipservicesk9-mz.150-2.SE4/c3750-ipservicesk9-mz.150-2.SE4.bin"

The following command is accepted instead:

clear dot1x interface FastEthernet 0/1

Retry interval

Catalyst 2960, 2960-S, 2960-C, and 2960-Plus Switches Software Configuration Guide, Cisco IOS Release 15.0(2)SE and Later - Configuring IEEE 802.1x Port-Based Authentication [Cisco Catalyst 2960 Series Switches] - Cisco

configure terminal
!
interface FastEthernet 0/1
 authentication timer inactivity 60
exit
!
end

This command does not take effect immediately; unplug the cable and plug it back in.

configure terminal
!
interface FastEthernet 0/1
 dot1x timeout tx-period 10
exit
!
end
configure terminal
!
interface FastEthernet 0/1
 dot1x max-reauth-req 10
exit
!
end
configure terminal
!
interface FastEthernet 0/1
 dot1x max-req 3
exit
!
end

Cisco IOS Security Command Reference: Commands D to L - dnsix-dmdp retries through dynamic [Support & Downloads] - Cisco

Does MAB prevent the dot1x max-req behavior?

I can't understand dot1x max-req…

configure terminal
!
interface FastEthernet 0/1
 authentication timer restart 600
 dot1x max-req 3
exit
!
end
SW10#sh authentication sessions interface FastEthernet 0/1
            Interface:  FastEthernet0/1
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Authz Failed
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0008D20000003300D30047
      Acct Session ID:  0x00000036
               Handle:  0xF1000034

Runnable methods list:
       Method   State
       dot1x    Failed over

SW10#sh dot1x inter                                       
SW10#sh dot1x interface F  
SW10#sh dot1x interface Fa
SW10#sh dot1x interface FastEthernet 0/1 detail

Dot1x Info for FastEthernet0/1
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 2

Dot1x Authenticator Client List Empty
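The `show dot1x interface ... detail` output above lists the timer and retry values that decide how long the port waits for a supplicant before dot1x gives up and the next method (MAB) is tried. As an added example, not code from the wiki page or from Cisco, the following script parses that output and applies the documented relationship: the switch sends EAP-Request/Identity up to max-reauth-req + 1 times, tx-period seconds apart, so the identity phase lasts at most (ReAuthMax + 1) × TxPeriod seconds before failover; max-req instead counts retransmissions of later EAP requests to a supplicant that answered Identity but then fell silent, each retransmission waiting supp-timeout seconds, so that phase is bounded by (MaxReq + 1) × SuppTimeout. The SHOW_OUTPUT text is copied in shape from the page's output and the function names are this example's own.

```python
"""Derive the 802.1X timing budget from `show dot1x interface ... detail`.

Added example; not from the original wiki page or from Cisco. SHOW_OUTPUT
mirrors the page's output; the function names are this example's own.
"""

import re
from typing import Dict, Union

# Shape copied from the page's "sh dot1x interface FastEthernet 0/1 detail".
SHOW_OUTPUT = """\
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 4
TxPeriod                  = 2
"""

LINE_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(\S+)$")


def parse_dot1x_info(text: str) -> Dict[str, Union[int, str]]:
    """Turn the 'Name = value' lines into a dict; numeric values become ints."""
    info: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            value = m.group(2)
            info[m.group(1)] = int(value) if value.isdigit() else value
    return info


def identity_phase_seconds(info: Dict[str, Union[int, str]]) -> int:
    """Worst-case time before the switch stops sending EAP-Request/Identity
    and fails over to the next method: (max-reauth-req + 1) * tx-period.
    ReAuthMax is the switch's name for max-reauth-req."""
    return (int(info["ReAuthMax"]) + 1) * int(info["TxPeriod"])


def request_phase_seconds(info: Dict[str, Union[int, str]]) -> int:
    """Upper bound for a supplicant that answered Identity and then went
    silent: the initial EAP request plus max-req retransmissions, each
    waiting supp-timeout seconds before the next."""
    return (int(info["MaxReq"]) + 1) * int(info["SuppTimeout"])


def timing_report(text: str) -> Dict[str, int]:
    """Both budgets plus the quiet period the port sits in after a failure."""
    info = parse_dot1x_info(text)
    return {
        "identity_phase_s": identity_phase_seconds(info),
        "request_phase_s": request_phase_seconds(info),
        "quiet_period_s": int(info["QuietPeriod"]),
    }


if __name__ == "__main__":
    print(timing_report(SHOW_OUTPUT))
```

With the page's values this gives a 6-second identity phase (TxPeriod 2, ReAuthMax 2), which is why a non-supplicant host reaches MAB quickly, while a supplicant that starts EAP and stops can hold the port for up to 150 seconds before the process restarts.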

?????

SW10 Console Log

References

tech/network/cisco/802.1x/802.1x.txt · Last modified: 2019/08/13 11:43 by wnoguchi