[4Juniors] Implementation of authentication RADIUS and DOT1X.

João Romão · ‎06-21-2023

Hi,

After a few years I've made the first post.

I made a project in GNS3 where I've implemented authentication login RADIUS and DOT1X for hosts.

The motive of this post is always improve everyone knowledge but also present, my simple point of view, a good solution with very few resources (literally). For the objective I made this simple footsteps.

Summary:

- RADIUS allow a centralized controller for authentication and autorization.

- Login to nodes (intermediate devices) & end-users must use credentials to gain network access.

- DOT1X: supplicant uses an EAPOL START to authenticator for beging authentication process. It exchange EAP messages with authentication server, and when credentials validated, EAPOL SUCCESS to the supplicant.
- ISO: c3745-adventerprisek9-mz.124-25d.image, c3745-adventerprisek9_ivs-mz.124-15.T8.image, linux-microcore-6.4.img

PROBLEM:

"Weak Laptop, can't stand two VMs (i.e. MS XP or Server)"

- So I used an Linux appliance 'MicroCore Linux' (CLI), because the only use of it is: Authenticate with 802.1X
This 'littleguy' have some configs to do it:

a: (assuming connectivity its onfire) Install < $ tce-load -iw wpa_supplicant.tcz >;

b: create vi .conf file (example: # vi /etc/authdot1x.conf);

c: issue:

ctrl_interface=/var/run/wpa_supplicant %execute program

ap_scan=0 %no AP lookup.

network={ %Config specific network

key_mgmt=IEEE8021X %port-based 802.1X

eap=MD5 %authentication method

identity="bob" %default credentials available in docker AAA

password="gns3"

eapol_flags=0 %no specific flags

} I've limited knowledge about all this commands. Thx for any help.

d: execute prg: # wpa_supplicant -B -Dwired -ieth0 -c/etc/authdot1x.conf.

- EAP Process:

- Configurations:

a: basic config -> Router

interface FastEthernet INT/ID
ip address IP-ADDR MASK-ID
no shutdown
% R _CB : 0/0 – 192.168.10.1 255.255.255.0 ; 1/0 – dhcp %Public IP ; 4/0 - 192.168.100.1 255.255.255.0
!
ip nat inside source list 10 interface FastEthernet1/0 overload
access-list 10 permit 192.168.10.0 0.0.0.255 %All private addr are translated for fa1/0
!
interface range FastEthernet0/0, f4/0 %private interfaces
ip nat inside
!
interface FastEthernet 1/0 %external interface

ip nat outside

b: RADIUS login -> Routers & Switches

username backup password backup %local credentials if AAA offline
aaa new-model
aaa authentication login default group radius local %%RADIUS server authenticates login
radius-server host 192.168.100.20 auth-port 1812 acct-port 1813 key gns3 %RADIUS addr & ports + validation key

c: DOT1X -> Switch

aaa authentication dot1x default group radius %%%
aaa authorization network default group radius
dot1x system-auth-control
!
int range FastEthernet1/1 – 9
dot1x port-control auto
dot1x pae-authenticator %ports are authenticated by this device (the authenticator)

MY GOAL: help as much as I can, because this simple application help prove this concept
But for more expert colleagues, I want to receive opinions and improve this post (for future ones).
And, with this topology it's possible to un-configure VLAN and give the RADIUS server the ability to atribute a respective VLAN (after given VLAN, DHCP will give IP accordingly)? NOTE: assuming the GNS3 AAA docker.

Thanks you all.
(If similar post already exists, please tag me!)

Portuguese tags: Segurança em Redes, Autenticação RADIUS (AAA), Exemplo simples.

Arne Bier · ‎07-02-2023

Hi. Nice one! That's a great initiative for someone wanting to play with 802.1X using GNS3.

I would only add one thing - the IOS images are very old and things have changed quite a lot in IOS-XE (IBNS 2.0 etc.) - while the MAB/802.1X concepts are mostly unchanged since those old IOS images, the commands for newer IOS and IOS-XE are quite drastic. And this GNS lab setup does assume that the user has a (legit) image of IOS (or IOSvl2 etc.) - there is an IOS-XE image available as part of Cisco CML - but it's very resource hungry and it's quite new.

João Romão · ‎07-04-2023

@Arne Bier big thanks for your appreciation and recommendations the goal is to keep simple and focus on learning protocols. In my college it is a harsh reality, everything must be virtualize. The given 'official images' are indeed old (c3745), but for a free and educational purpose we use what is available (tried to ask Cisco Portugal for some images, but no luck hahah).
Discussing this with a colleague, who sent me this: Introduction to Cisco IOS XE (networklessons.com) and suggested the Cisco CSR1000v (available for free to GNS3), but it cost at a bit RAM on LAB PCs of 4GB (maybe next year the school will have a workstation or, maybe, CML). Once again thanks for the heads up!

Arne Bier · ‎07-04-2023

I've had CML subscription for a number of years and the images that come with the CML work quite well - each update to CML contains newer images. So, I would recommend scraping together a few Pennies and buying a CML subscription.