Access and Identity Management (AIM) is a critical component of network security, particularly for large enterprises that have multiple locations, thousands of users, and numerous devices. The purpose of AIM is to provide a centralized point of control for managing user access to network resources. This is typically done through a combination of authentication and authorization mechanisms, such as 802.1X and MAB, which are designed to prevent unauthorized access and protect sensitive data.
Cisco is a leading vendor in network security, offering a range of switches and software solutions to help organizations manage their network resources. One of the key advantages of using a Cisco switch with ISE is the ability to keep a common access port configuration across the network, regardless of the location, switch type, or users connected. This means that administrators can easily manage access policies for all devices and users from a single, centralized location, reducing the risk of errors and ensuring consistent security across the network.
To configure the switch to act as a radius client and unify ports, use the following commands:
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting network ISE start-stop group radius
ip radius source-interface Vlan10
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server host 10.254.4.22 key Cisco123
radius-server host 10.254.4.23 key Cisco123
radius-server deadtime 5
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
authentication event server dead action reinitialize vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
endThe above configuration enables 802.1X and MAB type access, including wired Guest Portal Authentication. Let’s break down each command:
aaa new-model: This command enables the AAA (Authentication, Authorization, and Accounting) feature on the switch.aaa authentication dot1x default group radius local: This command sets the default authentication method to be 802.1X and specifies that the switch should use both the local database and RADIUS servers for authentication.aaa authorization network default group radius: This command sets the default authorization method to be network-based and specifies that the switch should use RADIUS servers for authorization.aaa accounting network ISE start-stop group radius: This command sets the accounting method to be network-based and specifies that the switch should use RADIUS servers for accounting. Thestart-stopargument indicates that the switch should send accounting messages when a session starts and stops.ip radius source-interface Vlan10: This command specifies the source interface for RADIUS packets as VLAN 10.radius-server attribute 6 on-for-login-auth: This command tells the RADIUS server to send the Tunnel-Private-Group-ID attribute in the Access-Accept message.radius-server attribute 8 include-in-access-req: This command tells the RADIUS server to send the Tunnel-Private-Group-Id attribute in the Access-Request message.radius-server attribute 25 access-request include: This command tells the RADIUS server to include the Class attribute in the Access-Request message.radius-server dead-criteria time 5 tries 2: This command specifies the criteria for determining when a RADIUS server is dead. In this case, it considers the server dead if it does not respond after 5 seconds and 2 tries.radius-server host 10.254.4.22 key Cisco123: This command adds a RADIUS server to the configuration. Thehostargument specifies the IP address of the server, and thekeyargument specifies the shared secret that is used to authenticate the switch with the server
Furthermore, the “radius-server vsa send accounting” command enables the RADIUS server to receive accounting data, while “radius-server vsa send authentication” enables the RADIUS server to receive authentication data. The “dot1x system-auth-control” command allows the switch to use 802.1X authentication for all the ports that are configured for authentication.
Moving on, the configuration of the interface requires specific commands to be inputted. Firstly, the “interface” command is used to enter the interface configuration mode, followed by the specific interface that needs to be configured. For instance, “interface FastEthernet0/1” configures FastEthernet port 1.
To enable access to the VLAN, the “switchport access vlan” command is used to assign the VLAN ID to the switch port. In this case, the VLAN ID is set to 10. The “switchport mode access” command configures the port as an access port.
The “authentication event server dead action reinitialize vlan 10” command specifies that when the authentication server is not responding, the port should reinitialize and remain in VLAN 10. On the other hand, the “authentication event server alive action reinitialize” command reinitializes the port when the authentication server becomes responsive again.
The “authentication host-mode multi-auth” command enables multiple hosts to be authenticated through the port. The “authentication port-control auto” command allows the port to control the user authentication status automatically.
In addition, “mab” enables the use of MAC Authentication Bypass in case of 802.1X failure. The “dot1x pae authenticator” command enables the port access entity to act as an authenticator. The “dot1x timeout tx-period” command specifies the time period for retransmitting EAPOL messages.
Finally, the “spanning-tree portfast” command is used to enable PortFast on the port, which allows the port to enter the forwarding state immediately after the link is up, without waiting for the standard listening and learning states.
Overall, these commands enable the switch to act as a RADIUS client, allowing for a centralized access policy management system, while also providing access to the VLAN through 802.1X and MAB authentication methods.
External references:
- Cisco (2021). Configuring RADIUS. Available at: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/19181-Radius-Config.html
- Cisco (2021). Configuring 802.1X Port-Based Authentication. Available at: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/sw8021x.pdf