topic Re: 802.1x port authentication using Microsoft NPS in Network Access Control

802.1x port authentication using Microsoft NPS

edcrawford — Tue, 02 Aug 2022 20:04:27 GMT

I have a PKI environment and NPS servers. We issuer certificates to machines and they use these certificates to authenticate to the Always on VPN. I would like to configure my access ports so that when a computer is plugged in to the port, it will only let it onto the network if the computer has a valid certificate. I have 3850 switches.

show aaa servers detail shows that the RADIUS server is up, but no requests are being sent to it:

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1812, acct-port 1813
State: current UP, duration 1653614s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 1657968s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD: current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0

Here is my configuration:

aaa new-model
!
!
aaa group server radius NPS_Servers
server name AZR-NPS-01
!
aaa authentication dot1x NPS_List group NPS_Servers
!
!
!
!
!
aaa server radius dynamic-author
client xx.xx.xx server-key xxxxxxxxxx
aaa session-id common

interface GigabitEthernet2/0/23
description 802.1x test
switchport access vlan 103
switchport mode access
access-session host-mode single-host
access-session port-control auto
dot1x pae supplicant

***** the command dot1x port-control auto is accepted vbut doesn't show on the config.

What am I missing?

Re: 802.1x port authentication using Microsoft NPS

Arne Bier — Tue, 02 Aug 2022 20:53:40 GMT

Hello @edcrawford

I would start with the aaa command, which seems to be referencing a method list - rather use the 'default' method list as shown below:

aaa authentication dot1x default group NPS_Servers

You also need the aaa authorization:

aaa authorization network default group NPS_Servers

Do you have this command?

dot1x system-auth-control

802.1X on switches is quite fussy. Needs a lot of specialised commands to make it work well.

For a really thorough discussion on the topic you should reference the Prescriptive Guide - it's excellent.

Re: 802.1x port authentication using Microsoft NPS

W-ALI — Tue, 02 Aug 2022 22:28:58 GMT

I configured it on Switches 3560 as following and working fine

On Switch:

aaa new-model

radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 080211111111 ( set your radius IP & Key )

aaa authentication dot1x default group radius

dot1x system-auth-control

On SW Port:

switchport mode access

authentication port-control auto

dot1x pae authenticator

++++++++++++++++++++++++++++++++++++++++++

On PC:

1-Service

2- NIC

++++++++++++++++++++++++++++++++++++++++++++++++++++

On Radius_NPS:

-Add the Client

Configure Network Policies with conditions & constraints

Re: 802.1x port authentication using Microsoft NPS

edcrawford — Wed, 03 Aug 2022 17:40:15 GMT

I added aaa authorization and now I see request tick up on show aaa servers, if I run "test aaa group NPS_Servers test-user test-password new-code". It doesn't, however, tick up if I plug a machine into the port that is configured for dot1x.

Also, the odd thing, I would expect that the default would be not to let me on the network when I plug into the dot1x configured port if i do not have a certificate, but it does.

Re: 802.1x port authentication using Microsoft NPS

edcrawford — Wed, 03 Aug 2022 17:50:22 GMT

The switch part looks very similar to what I have, with exception that I have dot1x pae supplicant, rather than dot1x pae authenticator. I changed it and it doesn't seem to make a difference. Right now, if I plug into the port, it will let me on the network whether I have a certificate or not, and I don't see any requests going the the RADIUS. I do see requests going to the RADIUS, and NPS Server logs if I run "test aaa group NPS_Servers test-user test-password new-code". The PC and NIC settings look interesting, but in the first instance, I am trying to get it to fail when I plug in with no certificate. Once that happens, and I see requests being sent to the RADIUS server, then I can enable to PC service.

Re: 802.1x port authentication using Microsoft NPS

Arne Bier — Wed, 03 Aug 2022 20:21:20 GMT

I would really recommend you look at that Prescriptive Guide document I linked to earlier. There is no need to hack your way through this - there is a set list of common switch commands that are necessary to make this delicate system do what it needs to do.

If you're not seeing anything on the NPS then there will be some commands missing on the switch.

Basic checks

- can you ping the NPS from the switch?

- the command "test aaa ..." is a good command to see if the RADIUS server receives anything - but keep in mind that the IOS sends a PAP Access-Request - if your NPS is not configured to handle PAP, then you might not get any response (e.g. an Access-Reject/Access-Accept is a sign that NPS replied - but a timeout is a sign that NPS didn't react)

- Is your switch configured in NPS and does it have the same RADIUS shared secret as what's on the switch?

- Don't use command pae supplicant on the switch - the switch must not act as the supplicant - it's always the authenticator

- Read the Prescriptive Guide

- Be aware that, once you get RADIUS working, that you might have the switch interface in Monitor Mode - in that case the interface will always be authorized if RADIUS sends back Access-Accept (try to avoid the command "access-session closed" in the early days until you are ready to move to Closed Mode)

- NPS is a poor choice for a RADIUS platform unless you have nothing else - you will need a good grasp of how to configure it exactly- it's pretty bad at logging and debugging - why not spin up a Cisco ISE Eval instead?

Re: 802.1x port authentication using Microsoft NPS

thomas — Mon, 15 Aug 2022 22:14:23 GMT

The contains our best practice switch configurations for RADIUS and 802.1X

Re: 802.1x port authentication using Microsoft NPS

dabitgall21 — Mon, 17 Jun 2024 17:01:24 GMT

Hello everyone

¿Can somebody help me please? I need to provide network access to Out-of-domain computers by NPS

i have the following configuration

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common

dot1x system-auth-control

radius-server host 10.3.1.12 key cisconps
!
radius server PCRADIUS-123
address ipv4 10.100.1.12 auth-port 1812 acct-port 1813
key shared24

On port i have this configuration:
interface GigabitEthernet1/0/9
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast

I can provide access to network by NPS but just for Computers within the domain, now i need to provide the access to a guest network in Out-of-domain computers.

I hope you can help me, regards.

Re: 802.1x port authentication using Microsoft NPS

Arne Bier — Mon, 17 Jun 2024 20:38:15 GMT

@dabitgall21 - it's a bit of a long answer and this thread is quite old. I would suggest the following. Guest portals have many moving parts, and you can watch how it's built, step by step on www.labminutes.com (SEC0338 and onwards - this is for BYOD specifically, but he talks through the ISE portal creation and switch config necessary - you can use his guidance to setup a normal Guest Portal instead of a BYOD portal) - in general, labminutes is an excellent tutorial website.

And of course, a handy reference when you need config details, is the Cisco Guest Prescriptive Guide.