Cisco 802.1x tests
Posted August 10th, 2007 by sean
Introduction
This section contains results from some tests with 802.1x on Cisco switches and FreeRADIUS.
Setup on an access point on port 2/22
Let's say there is an access point on port 22. First set it to static and assign a trunk with the appropriate VLANs:
set port membership 2/22 static
Port 2/22 vlan assignment set to static.
Spantree port fast start option set to default for ports 2/22.
set trunk 2/22 on
clear trunk 2/22
Port(s) 2/22 trunk mode set to auto.
Port(s) 2/22 trunk type set to dot1q.
sw0503> (enable) set trunk 2/22 11-12,15
Vlan(s) 11-12,15 already allowed on the trunk
Please use the 'clear trunk' command to remove vlans from allowed list.
Setting up 802.1x on port 0/2
logging 192.168.245.40
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.245.40 auth-port 1812 acct-port 1813 key 7 141E1C040D14
radius-server retransmit 3
# a port with static Vlans:
interface FastEthernet0/2
switchport access vlan 15
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast
# dynamic vlans: vlan is returned by the radius server
interface FastEthernet0/2
switchport access
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast
## Option: reauthenticate every two hours
dot1x timeout reauth-period 7200
dot1x reauthentication
## Other options
#dot1x default
#dot1x guest-vlan 524
#dot1x auth-fail vlan 522
##Enabling MAC-auth-bypass in switches that allow this option
#dot1x mac-auth-bypass
##Timing options specially for MAC-auth-bypass
#dot1x max-reauth-req 3 #Number of EAP requests sent to the client before trying MAC-auth-bypass
#dot1x timeout quiet-period 5 #Number of seconds to retry auth after a failed auth
#dot1x tx-period 5 #Number of seconds to wait for an answer after an EAP request has been sent to the client
##aaa authorization network default group NAC
Testing
#sh dot1x
Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1
#sh dot1x interface fastEthernet 0/2
Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
ReAuthPeriod = 3600 Seconds (Locally Configured)
ReAuthAction = Reauthenticate
TimeToNextReauth = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3
debug dot1x ?
all All Dot1x debugging messages turned on
errors Error codes
events Events
packets Packets
registry Registries
state-machine State machine
undebug all
#debug dot1x errors
Dot1x Errors debugging is on
References
http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configur...
http://wiki.freeradius.org/Rlm_perl
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg...
MAC bypass authentication (note: not all IOS switches have this):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura...
Notes
Note: for FreeRADIUS assigning VLANs dynamically, use a users file with:
> DEFAULT Auth-Type == MS-CHAP or
> NAS-IP-Address==x.y.z.w, NAS-Port = 50001
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = VLAN_number
>
> DEFAULT Auth-Type := Reject
>
> You need to keep this file for every vlan you want to return and the
> request attributes you want to check.
> In fact, the script I have does exactly this. It outputs just those
> values at the end of the authentication process (post_auth), and
> then the switch assigns the client the vlan that VMPS has returned.
> I think it is easier than maintaining the users file by ourselves
------------------------------
/opt/nac/bin/rad2vmps
Set $request{server_ip}='freenac' in the post_auth function, then modify radiusd.conf accordingly.
# radiusd.conf: in the modules section, declare an rlm_perl instance
# (rlm_perl instances are declared as "perl <name> { ... }", with the script path in "module")
perl verify_mac {
    module = "/opt/nac/bin/rad2vmps"
}
# authorize section: run the script before EAP
authorize {
    verify_mac
    eap
}
# add a post-auth section so the script can return the VLAN attributes
post-auth {
    verify_mac
}
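The post_auth hook described in the quoted note, as an added example (not the rad2vmps script from the page, nor FreeNAC code): a hypothetical rlm_perl script that replaces the VMPS lookup with a constructed MAC-to-VLAN table, normalises the Calling-Station-Id formats Cisco switches send, and returns the same three Tunnel-* attributes the users file above returns, rejecting unknown MACs like the DEFAULT Auth-Type := Reject line does.

```perl
#!/usr/bin/perl
# Added example: hypothetical rlm_perl post_auth hook standing in for rad2vmps.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_UPDATED => 8;

# Constructed MAC -> VLAN table, standing in for the VMPS/FreeNAC lookup.
my %vlan_for_mac = (
    '001122334455' => 15,
    '00aabbccddee' => 11,
);

# Switches send Calling-Station-Id as 00-11-22-33-44-55, 0011.2233.4455 or
# 00:11:22:33:44:55; reduce all of them to 12 lowercase hex digits.
sub normalize_mac {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $hex = lc $raw) =~ s/[^0-9a-f]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : undef;
}

# The three reply attributes the switch needs to move the port to a VLAN.
sub vlan_reply {
    my ($vlan) = @_;
    return (
        'Tunnel-Type'             => 'VLAN',
        'Tunnel-Medium-Type'      => 'IEEE-802',
        'Tunnel-Private-Group-ID' => "$vlan",
    );
}

sub post_auth {
    my $mac  = normalize_mac($RAD_REQUEST{'Calling-Station-Id'});
    my $vlan = defined $mac ? $vlan_for_mac{$mac} : undef;
    unless (defined $vlan) {
        # Fail closed, like "DEFAULT Auth-Type := Reject" in the users file:
        # an authenticated user on an unknown MAC still gets no VLAN.
        &radiusd::radlog(1, "rad2vmps: no VLAN for " . (defined $mac ? $mac : 'bad MAC'));
        return RLM_MODULE_REJECT;
    }
    my %attrs = vlan_reply($vlan);
    $RAD_REPLY{$_} = $attrs{$_} for keys %attrs;
    &radiusd::radlog(1, "rad2vmps: $mac -> VLAN $vlan");
    return RLM_MODULE_UPDATED;
}

1;
```

Returning RLM_MODULE_UPDATED makes rlm_perl copy %RAD_REPLY into the Access-Accept; the script only does useful work when it is listed in the post-auth section as shown above.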
Setting up the nas-port attribute
-----------------------------------------
conf t
radius-server attribute nas-port format X
where X can be:
a - Format is type, channel or port
b - Either interface(16) or isdn(16), async(16)
c - Data format(bits): shelf(2), slot(4), port(5), channel(5)
d - Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)
Recommended for FreeNAC: a (default)
Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_...
Sending vendor specific attributes
------------------------------------------
conf t
radius-server vsa send authentication
end