Scribd
Upload
95 views12 pages

Dot1x LAB

Uploaded by

mbaye
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
95 views12 pages

Dot1x LAB

Uploaded by

mbaye
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

Dot1x LAB:

Cisco ISE Primary IP Address 192.168.100.210


Cisco ISE Secondary IP Address 192.168.100.220
AD, DNS and CA Server IP Address 192.168.100.230
Domain Name: test.local
Test User/Group E1/Employee
Test VLAN VLAN 20
VLAN Subnet 192.168.20.0/24
VLAN 20 Gateway 192.168.20.1
Authenticator Switch SW2
Authentication Switch MGMT IP 192.168.100.254
SW2 Dot1x interface Ethernet 0/1

1|Page
Dot1X Configuration
SW2(config)#aaa new-model
SW2(config)#dot1x system-auth-control
SW2(config)#radius server ISE1
SW2(config-radius-server)# address ipv4 192.168.100.210 auth-port 1812 acct-port 1813
SW2(config-radius-server)#key Test123
SW2(config-radius-server)#radius server ISE2
SW2(config-radius-server)# address ipv4 192.168.100.220 auth-port 1812 acct-port 1813
SW2(config-radius-server)#key Test123
SW2(config-radius-server)#radius-server attribute 6 on-for-login-auth
SW2(config)#radius-server attribute 8 include-in-access-req
SW2(config)#radius-server attribute 25 access-request include
SW2(config)#radius-server vsa send accounting
SW2(config)#radius-server vsa send authentication
SW2(config)#radius-server dead-criteria time 30 tries 3
SW2(config)#radius-server timeout 2
SW2(config)#aaa group server radius ISE-GROUP
SW2(config-sg-radius)#server name ISE1
SW2(config-sg-radius)#server name ISE2
SW2(config-sg-radius)#ip radius source-interface Vlan100
SW2(config-sg-radius)#aaa authentication dot1x default group ISE-GROUP
SW2(config)#aaa authorization network default group ISE-GROUP
SW2(config)#aaa accounting update periodic 5
SW2(config)#aaa accounting dot1x default start-stop group ISE-GROUP
SW2(config)#aaa server radius dynamic-author
SW2(config-locsvr-da-radius)#client 192.168.100.210 server-key Test123
SW2(config-locsvr-da-radius)#client 192.168.100.220 server-key Test123
SW2(config-locsvr-da-radius)#snmp-server community Test123 RO
SW2(config)#interface Ethernet0/1
SW2(config-if)#description win10 node
SW2(config-if)#switchport access vlan 20
SW2(config-if)#switchport mode access
SW2(config-if)#authentication host-mode multi-auth
SW2(config-if)#authentication port-control auto
SW2(config-if)#mab
SW2(config-if)#dot1x pae authenticator
SW2(config-if)#dot1x timeout tx-period 10
SW2(config-if)#spanning-tree portfast edge
SW2(config-if)#authentication event fail action next-method
SW2(config-if)#authentication order dot1x mab

2|Page
Add Network Device:
Go to Administration > Network Resources > Network Devices to add the Device (SW2).

Click on Add button to add Network Device like Router and Switch.

Configure Name of device, IP address configured. Scroll down to set Authentication settings.

3|Page
Scroll down to set Authentication settings. Set Password configured as Server key on Switch
device “Test123” and save settings.

Scroll down to check SNMP Settings and set SNMP RO Community string settings, Click Submit.

4|Page
802.1x Authentication Polices:
For network access policies, choose Work Centers > Network Access > Policy Sets. Change the
default Identity store to Test_Identity_Stores which we created earlier.

If the authentication fail the user will be Rejected, if user not found the user will be rejected,
while if the process of Dot1x fail the user will be dropped.

5|Page
802.1x Authorization Polices:
Navigate to Policy>Policy Sets > click on Arrow Icon >

Navigate to Authorization Policy section click on round circle Plus icon to add new Authorization
Policy, name the authorization policy in this case Dot1x-Authorization. In Conditions click on
Plus icon to set the conditions for authorization policy.

In Conditions Studio > Editor click to add an attribute choose ad.test.local

6|Page
In Editor > Equals > test.local/users/Domain Computers also, create new same policy for
test.local/users/Domain Users

Finally, two Authorization Polices are created for Dot1x Authorization.

In Profile choose PermitAccess from dropdown and click Save.

7|Page
Dot1x Client Group Policy Creation:
Let’s create group policy to push down dot1x settings to clients. Open Group Policy
Management. Highlight the domain and right-click on Default Domain Policy and click Edit.

Navigate to Computer Configuration>Windows Settings>Security Settings>Wired Network and


right-click on it. Choose Create a New Wired Network Policy. This will open the New Wired
Network Policy Properties box. Name your policy whatever you'd like it to be and make sure the
Use Windows Wired Auto Config service for clients box is checked.

8|Page
On the Security tab, ensure that the Enable use of IEEE 802.1X authentication for network
access box is checked and from the Select a network authentication method drop-down,
choose Microsoft: Protected EAP (PEAP). Click on the Properties button to the right of it.

In the Properties box that pops up, uncheck the boxes next to Verify the server’s identity by
validating the certificate. Under the Select Authentication Method drop-down, this is where we
will select our inner method. Choose Secured password (EAP-MSCHAP v2) options.

9|Page
Click on the Configure... box next to it. EAP MSCHAPv2 box should pop up. Check the boxes and
click OK to save your settings. Do the same for the rest of the boxes you have open.

Wired Autoconfig service is not enabled by default on Windows machines. In order to get the
dot1x wired settings to work, this should be enabled so let’s create a group policy. Navigate to
Computer Configuration>Policies>Windows Settings>Security Settings>System Settings>Wired
Autoconfig. Check box for Define this policy setting and choose the radio button for Automatic.

10 | P a g e
Verification:
Navigate to Operations > RADIUS Livelog.

Verification commands on Cisco Switch


SW2# show dot1x interface ethernet 0/1
SW2# show dot1x all
SW2# Show authentication sessions
SW2# Show authentication sessions interface ethernet 0/1 details

11 | P a g e
12 | P a g e

You might also like