CCNP SWITCH and GNS3 – part 2.3 LAB - Configuring User AAA authentication and 802.1X port-based authentication

Scenario

You start your new career as a network professional in a company that is responsible for the preparation, planning, design and implementation phases of AAA user authentication and 802.1X port-based authentication in a customer network.

Because you are new to the team you need to prove to your boss that you have sufficient knowledge to participate in the implementation phase of this project. For this purpose a test network has been created in the company LAB for you, and you are told to configure all the steps listed in the task list.

Note: The Radius_LiSA server is already configured for user and port-based authentication. Only the network settings for connecting Radius_LiSA to the Access switch need to be configured. An 802.1X client is installed on PC1 and PC2.

Network Topology Diagram

Tasks List

1) The PC1 and PC2 switch ports are placed in access VLAN 2 and should be placed in forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.

2) The switch ports connecting the Radius server and the Management PC are configured for Management VLAN 5 and should be placed in forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.

3) The VLAN 2 interface on the Access switch is configured with the last usable IP address from the 192.168.2.0/26 subnet.

4) PC1 and PC2 should have automatically assigned IP addresses from the 192.168.2.0/26 subnet.

5) The first usable IP address from subnet 192.168.5.0/28 is assigned to the Radius_LiSA VLAN 5 interface. The last usable IP address from 192.168.5.0/28 is assigned to the VLAN 5 switch interface. A default route must be configured on the Linux Radius_LiSA server to reach subnets outside of the VLAN 5 Radius_LiSA interface. The username/password for Radius_LiSA is root/password.

6) The Management PC should be configured with the statically assigned IP address 192.168.5.2/28. The username/password is root/root.

7) PCs in the Access VLAN can reach each other and can reach PCs in other VLANs, but not PCs in the Management VLAN.

8) The switch must be configured for remote access using a secure vty session. Remote switch administration must be allowed only from the Management PC. The local username/password is backup/backup. The password for privileged exec mode is backup.

9) Users on PC1 and PC2 connecting to the Access switch's ports must be authenticated before they are given access to the network. The Management PC and the Radius_LiSA server are allowed to access the network without authentication.

The RADIUS server key is cisco123 and it listens on port 1812 for authentication sessions.

10) Login to the switch console or via vty should be authenticated externally to the switch. The username/password for level 1 access is admin/cisco. The password for privileged exec mode is cisco.

If the RADIUS server is not reachable, local user credentials should be used as backup access to the Access switch. Similarly, the local password for privileged exec mode may only be used when the RADIUS server is unreachable.

Solution

1. Access switch configuration

Router(config)#hostname Access
Access(config)#vlan 2
Access(config-vlan)#name Access
Access(config-vlan)#vlan 5
Access(config-vlan)#name Management
Access(config-vlan)#exit

Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 2
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#exit
Access(config)#do write

2. Access switch configuration

Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 5
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#do write

3. Access switch configuration

Access(config)#interface vlan 2
Access(config-if)#ip address 192.168.2.62 255.255.255.192
Access(config-if)#no shutdown

4. Access switch configuration

Access(config)#ip dhcp excluded-address 192.168.2.62
Access(config)#ip dhcp pool Lab
Access(dhcp-config)#network 192.168.2.0 /26
Access(dhcp-config)#default-router 192.168.2.62
Access(dhcp-config)#exit

5. Radius_LiSA and  Access switch configuration

Radius_LiSA:

[root@lisa ~]# swcli
lisa#configure terminal
lisa(config)#hostname Radius_LiSA
Radius_LiSA(config)#vlan 5
Radius_LiSA(config-vlan)#name Management
Radius_LiSA(config-vlan)#exit

Radius_LiSA(config)#interface ethernet 0
Radius_LiSA(config-if)#switchport mode access
Radius_LiSA(config-if)#switchport access vlan 5
Radius_LiSA(config-if)#exit

Radius_LiSA(config)#interface vlan 5
Radius_LiSA(config-if)#ip address 192.168.5.1 255.255.255.240
Radius_LiSA(config-if)#no shutdown
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#exit
Radius_LiSA#write memory
Radius_LiSA#exit

[root@lisa ~]# route add default gw 192.168.5.14

Access switch:

Access(config)#interface vlan 5
Access(config-if)#ip address 192.168.5.14 255.255.255.240
Access(config-if)#no shutdown
Access(config-if)#do write

6. Management PC (Microcore Linux) configuration

tc@box:~$ su
root@box:~# echo "ifconfig eth0 192.168.5.2 netmask 255.255.255.240" >> /opt/bootlocal.sh
root@box:~# echo "route add default gw 192.168.5.14" >> /opt/bootlocal.sh
root@box:~# /opt/bootlocal.sh
root@box:~# /usr/bin/filetool.sh backup

7. Access switch configuration

Access(config)#ip access-list extended 100
Access(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.63 192.168.5.0 0.0.0.15
Access(config-ext-nacl)#permit ip any any
Access(config-ext-nacl)#exit

Access(config)#interface vlan 2
Access(config-if)#ip access-group 100 in
Access(config-if)#exit
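To check that ACL 100 really enforces task 7 before applying it, here is an added Python model of Cisco wildcard-mask matching and of where an inbound ACL on an SVI takes effect. It is example code written for this page, not anything from the switch or from GNS3; the subnets and ACL entries are copied from the tasks, and the host addresses used in the comments are constructed.

```python
import ipaddress

# Addressing from the lab tasks.
ACCESS_VLAN = ipaddress.ip_network("192.168.2.0/26")
MGMT_VLAN = ipaddress.ip_network("192.168.5.0/28")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


# Each ACE: (action, src_base, src_wildcard, dst_base, dst_wildcard).
# "any" is the same as 0.0.0.0 255.255.255.255.
ACL_100 = [
    ("deny",   "192.168.2.0", "0.0.0.63",        "192.168.5.0", "0.0.0.15"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def acl_decision(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def forwarded(src, dst, acl=ACL_100):
    """Model of 'ip access-group 100 in' bound to interface vlan 2.

    The SVI only sees packets that leave VLAN 2 through the router; frames
    between two hosts in the same VLAN are switched at layer 2 and never
    reach the ACL, and traffic entering from other SVIs is not filtered here.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in ACCESS_VLAN:
        return True            # not inbound on vlan 2, this ACL does not apply
    if d in ACCESS_VLAN:
        return True            # intra-VLAN, layer-2 switched
    return acl_decision(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed host addresses: PC1 in VLAN 2, the Management PC, a host elsewhere.
    for s, d in [("192.168.2.10", "192.168.2.11"),
                 ("192.168.2.10", "192.168.5.2"),
                 ("192.168.2.10", "192.168.7.5")]:
        print(s, "->", d, "forwarded" if forwarded(s, d) else "dropped")
```

One thing the model makes visible: the ACL is stateless and only filters the VLAN 2 to VLAN 5 direction, so an echo request from the Management PC reaches PC1 but the reply is dropped on its way back. That satisfies the task as written, but it is worth knowing when a ping from the Management PC to the Access VLAN fails.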

8. Access switch configuration

Access(config)#enable secret backup
Access(config)#username backup secret backup
Access(config)#ip domain-name company.lab
Access(config)#crypto key generate rsa modulus 1024
Access(config)#ip ssh version 2
Access(config)#line vty 0 15
Access(config-line)#transport input ssh
Access(config-line)#login local
Access(config-line)#exit

Access(config)#ip access-list standard 10
Access(config-std-nacl)#permit host 192.168.5.2
Access(config-std-nacl)#exit

Access(config)#line vty 0 15
Access(config-line)#access-class 10 in
Access(config-line)#exit
Access(config)#do write

9. Access switch configuration

Access(config)#aaa new-model
Access(config)#aaa authentication dot1x default group radius
Access(config)#radius-server host 192.168.5.1 auth-port 1812 key cisco123
Access(config)#dot1x system-auth-control

Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#dot1x port-control auto
Access(config-if-range)#exit

Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#dot1x port-control force-authorized
Access(config-if-range)#exit
Access(config)#do write

10. Access switch configuration

Access(config)#aaa authentication login default group radius local

Access(config)#line console 0
Access(config-line)#login authentication default
Access(config-line)#exit

Access(config)#line vty 0 15
Access(config-line)#login authentication default
Access(config-line)#exit

Access(config)#aaa authentication enable default group radius enable

Access(config)#do write
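The point of task 10 that is easy to get wrong is how the method list "group radius local" falls back: IOS moves to the next method only when the previous one does not answer, never when it answers with a reject. The following Python simulation of that rule is added here as an illustration; it is not IOS code, and the user databases in it are constructed from the credentials given in the tasks.

```python
from enum import Enum


class ServerState(Enum):
    UP = "up"        # RADIUS answers (Access-Accept or Access-Reject)
    DOWN = "down"    # no reply within the retry budget


# Constructed credential stores modelled on the tasks (not the real servers).
RADIUS_USERS = {"admin": "cisco"}      # task 10: external account
LOCAL_USERS = {"backup": "backup"}     # task 8: local backup account


def radius_method(user, pw, state):
    """Return 'pass', 'fail' (explicit Access-Reject) or 'error' (no response)."""
    if state is ServerState.DOWN:
        return "error"
    return "pass" if RADIUS_USERS.get(user) == pw else "fail"


def local_method(user, pw, state=None):
    return "pass" if LOCAL_USERS.get(user) == pw else "fail"


METHODS = {"group radius": radius_method, "local": local_method}


def aaa_login(method_list, user, pw, radius_state):
    """Evaluate an IOS-style login method list.

    The next method is consulted only when the previous one returns 'error'
    (server unreachable); a 'fail' ends the evaluation with a reject.
    """
    for name in method_list:
        result = METHODS[name](user, pw, radius_state)
        if result == "pass":
            return ("accept", name)
        if result == "fail":
            return ("reject", name)
    return ("reject", "no method responded")


if __name__ == "__main__":
    methods = ["group radius", "local"]    # aaa authentication login default group radius local
    for user, pw, state in [("admin", "cisco", ServerState.UP),
                            ("backup", "backup", ServerState.UP),
                            ("backup", "backup", ServerState.DOWN)]:
        print(user, state.value, aaa_login(methods, user, pw, state))
```

So with the RADIUS server up, the backup/backup account is rejected by RADIUS and never reaches the local database, which is exactly what the task asks for. The "aaa authentication enable default group radius enable" line follows the same rule for the privileged exec password.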

Network Topology Diagram - Solved

802.1x verification

Below is captured traffic between Radius_LiSA and the Access switch after Microcore boots. You can see the RADIUS protocol exchange between the switch (which sends an Access-Request to RADIUS) and the Radius_LiSA server (which replies with an Access-Accept back to the switch).
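To make sense of what the capture shows, here is an added Python walkthrough of the Access-Request / Access-Accept exchange at the packet level, using the RFC 2865 rules: the User-Password attribute is obfuscated with MD5 over the shared secret and the Request Authenticator, and the switch accepts a reply only if its Response Authenticator verifies under the same secret. This is example code written for this page, not the switch's or FreeRADIUS/LiSA's implementation; it models the PAP-style login of task 10 (the 802.1X exchange of task 9 carries EAP-Message attributes instead), and the user database, identifier and Request Authenticator used in the demo are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"cisco123"          # key from task 9


def avp(attr_type, value):
    """Attribute-Value Pair: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def decode_user_password(ciphertext, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(ciphertext[i:i + 16], block))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def parse_packet(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, identifier, pkt[4:20], attrs


def build_access_request(identifier, username, password, nas_ip, secret, request_auth=None):
    """Switch side: the Request Authenticator is 16 fresh random bytes per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_respond(request, secret, users):
    """Server side (constructed model): recover the password and answer Accept or Reject."""
    _, identifier, request_auth, attrs = parse_packet(request)
    pw = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME, b"")) == pw else ACCESS_REJECT
    resp_attrs = b""
    return build_packet(code, identifier,
                        response_authenticator(code, identifier, request_auth, resp_attrs, secret),
                        resp_attrs)


def client_verify(request, response, secret):
    """Switch side: identifier must match and the Response Authenticator must verify.
    Returns (verified, response code)."""
    _, req_id, request_auth, _ = parse_packet(request)
    code, resp_id, resp_auth, _ = parse_packet(response)
    expected = response_authenticator(code, resp_id, request_auth, response[20:], secret)
    return resp_id == req_id and hmac.compare_digest(resp_auth, expected), code


if __name__ == "__main__":
    req = build_access_request(7, b"admin", b"cisco", "192.168.5.14", SHARED_SECRET)
    resp = server_respond(req, SHARED_SECRET, {b"admin": b"cisco"})
    print("verified, code:", client_verify(req, resp, SHARED_SECRET))
```

Two practical consequences follow from the code: a shared secret mismatch between the switch and Radius_LiSA does not produce a clean error but a garbled password and an Access-Reject whose authenticator the switch cannot verify, and the password protection is only an MD5 stream keyed by the secret, which is why the RADIUS traffic belongs in the isolated Management VLAN of tasks 2 and 7.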

http://www.4shared.com/file/U7fE-AZO/captured-traffic-Radius-Access.html

Output from debug dot1x events enabled on Access switch.

http://www.4shared.com/file/Vh-sTKGe/debug_switch.html

Snapshots of captured Wireshark traffic and PC2 console.

http://www.4shared.com/document/E07MdKf6/pictures-Microcore_Wireshark.html

Used software and devices

  • GNS3 0.7.3
  • router 3725 with NM-16SW module (EtherSwitch in GNS3 0.7.3), IOS c3725-adventerprisek9-mz.124-15.T14.bin
  • Linux Microcore 2.11.5 with WPA supplicant
  • Qemu image CentOS 5.4 with LiSA /Linux Multilayer Switch/

The installation and configuration of WPA_supplicant on Microcore Linux and FreeRadius on LiSA Qemu image is explained here.


14 thoughts on “CCNP SWITCH and GNS3 – part 2.3 LAB - Configuring User AAA authentication and 802.1X port-based authentication”

  1. Configuring User AAA
    Thank you for your write about Lisa and GNS3. I am studying for CCNP Switch and trying to do your AAA config. I managed to mount your radius image on to GNS3.

    The question I have is what device have you used for "Access"? Is it the MLswitch in the GNS3 or a router with "no ip routing" ?

    The reason I'm asking is I can not create vlans in GNS3 ML switch as you have shown but I can do it with "vlan-database" commands. (the old way?)

    I am using GNS3 0.7.3 on Winvista.

    Your advice is much appreciated.
    Lal

    • Hi Lal,
      I used router 3725 occupied with NM-16SW network module as access switch. Some newer-train Internetwork Operating Systems (IOS marked with the letter "T") allow you to create vlans from global configuration mode. I used "IOS c3725-adventerprisek9-mz.124-15.T14.bin" for Access switch. But don't worry if your IOS doesn't support this feature - you can always create VLAN from enable mode.
      Bye!

  2. Hi. Great lab, man! I have a question about microcore image - what is the root password? I'm trying "root", but it keeps telling me that it's wrong.

  3. Cool

    Hi Friends, I am using the same IOS 3725 as mentioned above, but unable to create L3 Vlans. The router is not supporting... I tried multiple options and IOS in GNS3, but still no luck... Can anyone help me out in this.

    Thanks.

  4. Thank you very much Brezular. Your articles are very good.
    I have been working on your 802.1x lab this last weekend and I enjoyed myself as a boy.
    All my work has been published in my web page.
