CCNP SWITCH and GNS3 - part 2.1 The theory behind AAA and Dot1x authentication

When I started to learn authentication  methods using AAA and port-based  authentication using dot1x   for CCNP Switch exam I was very excited abut this stuff.

I would like to talk about AAA, dot1x and how the GNS3 can help us to practise it  but first we  should spend some time reading the theory behind this cool stuff:


What does shortcut AAA stands for?

- Authentication - Verify user identity

-  Authorization- Specifies permitted task for user

- Accounting - Provides billing, auditing and monitoring


I can read it about AAA in Cisco Press book but can you give me some examples of AAA?

Imagine a guy that comes every morning to his work. The guards keep watching the main entrance and guy is is not allowed to pass until he proves  his identity.  Each workers holds his/her own identity card and t is necessary  to show it to the guards.  If identity card  is valid and photo from card matches the guy's  appearance  he is allowed to cross the gate.

We call this process authentication - someone must prove that he really is  a person for him/her  he acts.


And what about authorization?

After the guy  is authenticated  by entrance guards  he comes in front of block A buildings. The door is locked and  guy must use  his card to unlock the door.  He can unlock  block A door  but he can't unlock the block B or C  door because his card was programmed only for block A entrance.

This is what we call authorization - different users have different level of rights.


How is accounting deployed in this example?

When guy opens the block A door, the card ID and time is sent and recorded to server.  The entry is written  in to log and it can be exactly determined who and when unlock the block A door.

This is an accounting - it tells us when particular action begun (ended) and  status of this action.

Another example of accounting is your phone bill with detailed list of your calls.


OK,  I got the point but how is it related with  CCNP SWITCH?

CCNP Switch exam handles authentication only. You have already learnt how to setup authentication locally  on switch/router during your  CCNA studies.  For CCNP level you need to learn how to configure switch for establishing communication with external  authentication server (Radius) for authentication purpose.  The  Radius server is AAA server and can authenticate users that are trying connect to switch .  It can also authenticate computers trying to get access to the network. It is called  dot1x or port-based authentication.


What role does switch and Radius server plays in this process?

Radius server is the real boss in this game. It tells to switch if user or PC access  is granted (Access accept) or not (Access rejected).  In the example with and guy and guards , the guards  represent the authenticator  (switch)  and Radius (authentication server) at the same time. They check guy's card and make authentication decision. Guy represents  a client which requires access to the network or to switch but access is granted only if authentication is successful.


What is the benefit of AAA server?

Imagine a network with hundred network devices and situation when it is necessary  to change username and password on these devices. How long does it take? If it was AAA server implemented in your network you would need to change credentials only  in Radius server configuration.


Ok, I know the theory behind dot1x  and AAA and it is time to tell us your secret. So the question is how we can practise this stuff in GNS3?

As I said I was excited with aaa authentication and dot1x. So it was almost logical that I setup Free Radius server and let the Radius authenticate login access to switches in my home LAB.  Unfortunately I was too busy to configure dot1x port-based authentication because except of dot1x server Radius configuration you also need to configure dot1x client  on PC.

I configured dot1x on switches but it was like using car simulator instead of driving real car. No real result of implemented dot1x except of ports that keep staying  in unauthorized state because of lack dot1x authentication server.


Still read nothing about GNS3, once again how we can practise it in GNS3?

I installed Free Radius 1.1.3 on LiSA (Linux Multilayer Switch)  Qemu image and configured it for user authentication. I also configured EAP-MD5 dot1x authentication on Radius/LiSA image.

I installed wpa_supplicant on Linux Microcore 2.11-5 as dot1x client and configured it with EAP-MD5  authentication method.

Now you can practice AAA authentication and dot1x port-based authentication for CCNP SWITCH exam in GNS3 and see a real impact of this Layer 2 security on to emulated network infrastructure..


Next: CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration


3 thoughts on “CCNP SWITCH and GNS3 - part 2.1 The theory behind AAA and Dot1x authentication

Leave a comment

Your email address will not be published. Required fields are marked *