Scenario
You start your new career as a network professional in a company responsible for the preparation, planning, design and implementation of AAA user authentication and 802.1X port-based authentication in a customer network.
Because you are new to the team, you need to prove to your boss that you have sufficient knowledge to take part in the implementation phase of this project. For this purpose a test network has been built in the company lab, and you are asked to configure all the steps listed in the task list.
Note: The Radius_LiSA server is already configured for user and port-based authentication; only the network settings that connect Radius_LiSA to the Access switch need to be configured. An 802.1X client (supplicant) is installed on PC1 and PC2.
Network Topology Diagram
1) The PC1 and PC2 switch ports are placed in access VLAN 2 and must go to the forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.
2) The switch ports connecting the RADIUS server and the Management PC are placed in Management VLAN 5 and must go to the forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.
3) The VLAN 2 interface on the Access switch is configured with the last usable IP address of the 192.168.2.0/26 subnet.
4) PC1 and PC2 must obtain an IP address from the 192.168.2.0/26 subnet automatically.
5) The first usable IP address of subnet 192.168.5.0/28 is assigned to the Radius_LiSA VLAN 5 interface. The last usable IP address of 192.168.5.0/28 is assigned to the VLAN 5 interface of the switch. A default route must be configured on the Linux Radius_LiSA server so it can reach subnets outside VLAN 5. The username/password for Radius_LiSA is root/password.
6) The Management PC is configured with the statically assigned IP address 192.168.5.2/28. Its username/password is root/root.
7) PCs in the Access VLAN can reach each other and PCs in other VLANs, but not PCs in the Management VLAN.
8) The switch must be configured for remote access over a secure VTY session (SSH). Remote switch administration must be allowed only from the Management PC. The local username/password is backup/backup. The privileged EXEC password is backup.
9) Users on PC1 and PC2 connecting to the Access switch ports must be authenticated before they are given access to the network. The Management PC and the Radius_LiSA server are allowed onto the network without authentication.
The RADIUS server key is cisco123 and the server listens on UDP port 1812 for authentication sessions.
10) Login to the switch console or via VTY must be authenticated externally to the switch. The username/password for level 1 access is admin/cisco. The password for privileged EXEC mode is cisco.
If the RADIUS server is not reachable, the local user credentials must be used as backup access to the Access switch. Similarly, the local privileged EXEC password may be used only when the RADIUS server is unreachable.
Solution
1. Access switch configuration
Router(config)#hostname Access
Access(config)#vlan 2
Access(config-vlan)#name Access
Access(config-vlan)#vlan 5
Access(config-vlan)#name Management
Access(config-vlan)#exit
Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 2
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#exit
Access(config)#do write
2. Access switch configuration
Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 5
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#do write
3. Access switch configuration
Access(config)#interface vlan 2
Access(config-if)#ip address 192.168.2.62 255.255.255.192
Access(config-if)#no shutdown
4. Access switch configuration
Access(config)#ip dhcp excluded-address 192.168.2.62
Access(config)#ip dhcp pool Lab
Access(dhcp-config)#network 192.168.2.0 /26
Access(dhcp-config)#default-router 192.168.2.62
Access(dhcp-config)#exit
5. Radius_LiSA and Access switch configuration
Radius_LiSA:
[root@lisa ~]# swcli
lisa#configure terminal
lisa(config)#hostname Radius_LiSA
Radius_LiSA(config)#vlan 5
Radius_LiSA(config-vlan)#name Management
Radius_LiSA(config-vlan)#exit
Radius_LiSA(config)#interface ethernet 0
Radius_LiSA(config-if)#switchport mode access
Radius_LiSA(config-if)#switchport access vlan 5
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#interface vlan 5
Radius_LiSA(config-if)#ip address 192.168.5.1 255.255.255.240
Radius_LiSA(config-if)#no shutdown
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#exit
Radius_LiSA#write memory
Radius_LiSA#exit
[root@lisa ~]# route add default gw 192.168.5.14
Access switch:
Access(config)#interface vlan 5
Access(config-if)#ip address 192.168.5.14 255.255.255.240
Access(config-if)#no shutdown
Access(config-if)#do write
6. Management PC (Microcore Linux) configuration
tc@box:~$ su
root@box:~# echo "ifconfig eth0 192.168.5.2 netmask 255.255.255.240" >> /opt/bootlocal.sh
root@box:~# echo "route add default gw 192.168.5.14" >> /opt/bootlocal.sh
root@box:~# /opt/bootlocal.sh
root@box:~# /usr/bin/filetool.sh backup
7. Access switch configuration
Access(config)#ip access-list extended 100
Access(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.63 192.168.5.0 0.0.0.15
Access(config-ext-nacl)#permit ip any any
Access(config-ext-nacl)#exit
Access(config)#interface vlan 2
Access(config-if)#ip access-group 100 in
Access(config-if)#exit
Note: the ACL is applied inbound on the VLAN 2 SVI, so it only sees traffic that PC1 and PC2 send towards other subnets; traffic between PC1 and PC2 stays inside VLAN 2 and is switched at layer 2 without ever hitting the ACL. DHCP requests (source 0.0.0.0, destination 255.255.255.255) fall through to the permit ip any any entry, so task 4 keeps working.
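To check what ACL 100 actually lets through before it is applied to a live interface, the following added example (not part of the original lab) evaluates the two entries of the ACL against a handful of constructed flows using Cisco wildcard-mask semantics. The flow addresses, the "other VLAN" host 192.168.10.5 and the flow names are assumptions chosen for illustration.

```python
"""Evaluate extended ACL 100 (task 7) against constructed sample flows.
Added example, not code from the original post."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 0.0.0.63 covers a /26 and 0.0.0.15 covers a /28."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care
    )


# ACL 100 from task 7 as (action, src, src-wildcard, dst, dst-wildcard).
# "permit ip any any" is the same as 0.0.0.0 255.255.255.255 on both sides.
ACL_100 = [
    ("deny",   "192.168.2.0", "0.0.0.63",        "192.168.5.0", "0.0.0.15"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# Constructed flows as they would arrive inbound on interface vlan 2.
# PC1 -> PC2 is shown for completeness only: same-VLAN traffic is switched
# at layer 2 and never reaches the SVI where the ACL is applied.
FLOWS = {
    "PC1 -> PC2":           ("192.168.2.1", "192.168.2.2"),
    "PC1 -> Management PC": ("192.168.2.1", "192.168.5.2"),
    "PC1 -> Radius_LiSA":   ("192.168.2.1", "192.168.5.1"),
    "PC1 -> other VLAN":    ("192.168.2.1", "192.168.10.5"),   # assumed host
    "DHCP Discover":        ("0.0.0.0",     "255.255.255.255"),
}


def evaluate_all(acl=ACL_100, flows=FLOWS) -> dict:
    """Return {flow name: 'permit' | 'deny'} for every constructed flow."""
    return {name: evaluate(acl, src, dst) for name, (src, dst) in flows.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:22s} {verdict}")
```

The DHCP Discover line is the check worth keeping: it confirms that the deny entry is narrow enough not to break address assignment from the switch's own DHCP pool.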
8. Access switch configuration
Access(config)#enable secret backup
Access(config)#username backup secret backup
Access(config)#ip domain-name company.lab
Access(config)#crypto key generate rsa
Access(config)#ip ssh version 2
Access(config)#line vty 0 15
Access(config-line)#transport input ssh
Access(config-line)#login local
Access(config-line)#exit
Access(config)#ip access-list standard 10
Access(config-std-nacl)#permit host 192.168.5.2
Access(config-std-nacl)#exit
Access(config)#line vty 0 15
Access(config-line)#access-class 10 in
Access(config-line)#exit
Access(config)#do write
Note: the hostname and ip domain-name must be set before crypto key generate rsa, because they name the key pair, and the key pair must exist before ip ssh version 2 is accepted. SSH version 2 requires a modulus of at least 768 bits, so choose 1024 or 2048 at the prompt. The access-class on the VTY lines restricts SSH to the Management PC only; the login local line is superseded by the AAA login method list in step 10.
9. Access switch configuration
Access(config)#aaa new-model
Access(config)#aaa authentication dot1x default group radius
Access(config)#radius-server host 192.168.5.1 auth-port 1812 key cisco123
Access(config)#dot1x system-auth-control
Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#dot1x port-control auto
Access(config-if-range)#exit
Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#dot1x port-control force-authorized
Access(config-if-range)#exit
Access(config)#do write
Note: with port-control auto the PC1 and PC2 ports forward only EAPOL frames until the supplicant has been authenticated by the RADIUS server. force-authorized is the default port state; it is set explicitly on the Radius_LiSA and Management PC ports to document that they are open without a supplicant, as task 9 requires. The switch sources the RADIUS packets from its VLAN 5 address 192.168.5.14, so Radius_LiSA must know that address as a NAS client with the same shared secret.
10. Access switch configuration
Access(config)#aaa authentication login default group radius local
Access(config)#line console 0
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#line vty 0 15
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#aaa authentication enable default group radius enable
Access(config)#do write
Note: once aaa new-model is configured the default method list applies to every line automatically; the explicit login authentication default commands only make that visible. In a group radius local list the local account and the local enable secret are consulted only when no RADIUS server answers (timeout), never when Radius_LiSA returns an Access-Reject, which is exactly the fallback behaviour task 10 asks for. For enable authentication IOS sends the RADIUS server the reserved username $enab15$, so that user must exist on Radius_LiSA.
Network Topology Diagram - Solved
Below is captured traffic between Radius_LiSA and the Access switch after the Microcore boot. You can see the RADIUS protocol exchange between the switch (which sends an Access-Request to the RADIUS server) and the Radius_LiSA server (which replies with an Access-Accept to the switch).
http://www.4shared.com/file/U7fE-AZO/captured-traffic-Radius-Access.html
Output of debug dot1x events enabled on the Access switch.
http://www.4shared.com/file/Vh-sTKGe/debug_switch.html
Screenshots of the captured Wireshark traffic and the PC2 console.
http://www.4shared.com/document/E07MdKf6/pictures-Microcore_Wireshark.html
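To make the captured exchange concrete, the following added example (not code from the original lab or from LiSA/FreeRADIUS) rebuilds an Access-Request and its Access-Accept/Access-Reject in pure Python following RFC 2865: the switch side hides the PAP password with the shared secret and Request Authenticator, the server side recovers it and signs the reply with the Response Authenticator, and the switch side refuses any reply whose authenticator does not verify. The shared secret cisco123, port 1812, the server address 192.168.5.1, the NAS address 192.168.5.14 and the admin/cisco account come from the task list; the in-memory user table and the packet identifiers are assumptions for the example. In the real 802.1X case the switch relays EAP inside EAP-Message attributes rather than sending a User-Password, but the framing and both authenticators are the same.

```python
"""RADIUS Access-Request / Access-Accept round trip per RFC 2865.
Added example, not code from the original post. Credentials and addresses
come from the lab task list; the user table is a constructed stand-in for
the accounts configured on Radius_LiSA."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"cisco123"      # radius-server key from task 9
RADIUS_PORT = 1812               # auth-port from task 9 (informational here)
NAS_IP = "192.168.5.14"          # VLAN 5 address of the Access switch


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); block 1 uses the Request
    Authenticator. Encrypt/decrypt differ only in which block feeds the chain."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result
    return out


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(password, secret, authenticator, decrypt=False)


def decode_pap_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         nas_ip: str, secret: bytes, authenticator: bytes = None) -> bytes:
    """Switch side: Code(1) Identifier Length RequestAuthenticator Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, answer Accept or Reject, and sign
    with ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request)
    password = decode_pap_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)          # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Switch side: accept the reply only if the identifier matches our request
    and the Response Authenticator was computed with our shared secret."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if reply[4:20] == expected else None


def run_exchange(username: bytes, password: bytes, users: dict,
                 nas_secret: bytes = SHARED_SECRET, server_secret: bytes = SHARED_SECRET) -> str:
    """Full round trip; a mismatched secret shows up as an unverifiable reply."""
    req = build_access_request(1, username, password, NAS_IP, nas_secret)
    code = verify_reply(server_reply(req, server_secret, users), req, nas_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-authenticator")


USERS = {b"admin": b"cisco"}   # constructed stand-in for the Radius_LiSA user database

if __name__ == "__main__":
    print(run_exchange(b"admin", b"cisco", USERS))                          # accept
    print(run_exchange(b"admin", b"wrong", USERS))                          # reject
    print(run_exchange(b"admin", b"cisco", USERS, server_secret=b"other"))  # bad-authenticator
```

The third case is the one to remember when the switch logs "RADIUS: Response is invalid" or similar: a secret mismatch between the NAS entry on Radius_LiSA and the radius-server host line does not produce an Access-Reject, it produces a reply the switch cannot verify, and with the group radius local method list that looks like an unreachable server and triggers the local fallback.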
Used software and devices
- GNS3 0.7.3
- router 3725 with NM-16SW module (EtherSwitch in GNS3 0.7.3), IOS c3725-adventerprisek9-mz.124-15.T14.bin
- Linux Microcore 2.11.5 with wpa_supplicant
- Qemu image CentOS 5.4 with LiSA (Linux Multilayer Switch)
The installation and configuration of wpa_supplicant on Microcore Linux and FreeRADIUS on the LiSA Qemu image is explained here.
Configuring User AAA
Thank you for your write-up about LiSA and GNS3. I am studying for CCNP Switch and trying to do your AAA config. I managed to mount your RADIUS image in GNS3.
The question I have is what device you have used for "Access"? Is it the ML switch in GNS3 or a router with "no ip routing"?
The reason I'm asking is I cannot create VLANs in the GNS3 ML switch as you have shown, but I can do it with the "vlan database" commands (the old way?).
I am using GNS3 0.7.3 on Windows Vista.
Your advice is much appreciated.
Lal
Hi Lal,
I used a 3725 router equipped with an NM-16SW network module as the access switch. Some newer Internetwork Operating Systems (IOS images marked with the letter "T") allow you to create VLANs from global configuration mode. I used "IOS c3725-adventerprisek9-mz.124-15.T14.bin" for the Access switch. But don't worry if your IOS doesn't support this feature - you can always create VLANs from enable mode.
Bye!
Thank you very much for your reply.
Lal
Please share the file of topology GNS3...
thank you
Unfortunately, I don't have it. But I will keep in mind to share a topology next time.
nice post..
What does the command "dot1x port-control force-authorized" accomplish???
thanks
Hi,
If you had tried to Google it you would have got about 159 000 results. I am pretty sure that you will find the right answer soon ;-)
I just need your 159-character answer for it :-)
OK, thanks, I had searched Google.
Hey bro, can you please list the tools that you use for switching, I mean which IOS and how?
Hi. Great lab, man! I have a question about microcore image - what is the root password? I'm trying "root", but it keeps telling me that it's wrong.
Never mind - it was just me typing su instead of sudo su)
Cool
Hi Friends, I am using the same 3725 IOS as mentioned above, but I am unable to create L3 VLANs. The router is not supporting it. I tried multiple options and IOS images in GNS3, but still no luck. Can anyone help me out with this?
Thanks.
Thank you very much Brezular. Your articles are very good.
I have been working on your 802.1x lab this last weekend and I enjoyed myself like a boy.
All my work has been published in my web page.
Thank you! ;)
The link for the captured traffic is unavailable.