Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1595
Views
10
Helpful
13
Replies

802.1x Authentication

kevin.hong1
Level 1
Level 1

‎06-22-2016 05:43 PM - edited ‎03-10-2019 11:53 PM

Dear All,

I need help on how to setup an 802.1x authentication using a radius server, switch and a laptop.

Can anyone guide me on how to do the setup as I have zero knowledge about this?

Labels:
0 Helpful
13 Replies 13

Francesco Molino
VIP Alumni
VIP Alumni

‎06-22-2016 06:38 PM

Hi

I've already answered this kind of question. 

I will drop here the link. Let have a read and let me know if you need more information.

https://supportforums.cisco.com/discussion/13042996/cisco-ise-small-network-deployment

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf

The 1st link if for switch configuration and 2nd is from Cisco for ISE configuration

Which server you're planning to use as radius?

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎06-23-2016 02:35 AM

Hi!

I do not have a radius server, but I am suppose to configure the 802.1x authentication to confirm that the configuration is correct.

Is there any radius server software which you have used before, because I may be posting more questions as I really have no idea about this authentication system.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎06-23-2016 04:32 AM

Hi I'm always using Cisco ACS or Cisco ISE today. There is also the one integrated with Microsoft Windows server called NCS.

These are the 3 most common solutions on enterprise architecture.

You can't test 802.1x without radius server. 

There is freeradius, I used few times but it looks more complex if you don't have any Linux skills.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎06-23-2016 06:20 PM

Hi! supportlan,

Thanks for your links, but I think I have difficulty understanding and I also do not know how to start or where to start.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎06-23-2016 07:05 PM

Hi

if you need to start, follow this steps:

- install a radius server

- configure it with your AD (for authentication)

- create your authentication profiles

- create your authorization profiles

- create your rules

- send through your AD or another certificate root server certificates to your pcs (lab pc before for testing)

- rules on radius are like firewalls, first match

- insure you have the last rule which is in permit mode

- install a switch in lab

- connect it to your radius

- do some tests. ( you can have 2 modes: monitoring only and then rules applies)

- when you are sure with your rules, go in prod step by step (switch per switch)

- when you have finished and everyone is production, and you don't see all machines taking the default permit rule, change this default rule in deny mode.

you've done.

if you have never done it, do some labs for testing otherwise it will be a nightmare to troubleshoot something you don't know.

thanks

PS: please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎07-14-2016 06:13 PM

Ok, to tell you the truth, is there anyway I can chat with you on the setting up of this 802.1x authentication?

I have some old cisco equipment.

Can guide me on this setup as I really have no idea at all?

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎07-14-2016 07:36 PM

You can send me pm if you want. Starting a dot1x project from scratch is more than just configuring port switch. 

What type of authentication you want for dot1x:

- user/password = called MSCHAPv2

- certificate = called EAP-TLS

on certificate you can use machine and/or user certificate. 

Do you have an Active Directory server? Does it have certificate services installed ?

there is 1 more authentication to consider that's MAB (Mac Address Bypass) that means you need to get all printers mac address. 

You really need to think first to authentication method. Then you need to do inventory of all devices that will be authenticated by mac address (all devices connected on network that are not supporting dot1x authentication)

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎07-14-2016 07:52 PM

Hi!

In the current client setup, there is a login AD to authenticate usernames and passwords

There is also a GPO, where laptops are connected to the wifi using a certificate.

My boss wants to setup a system where when the laptop is connected, it will auto authenticate it. Let's say this is a company laptop and connected to the AD, then it will have access to network resources using one vlan.

If a laptop that is used by a non-client, then it will will have access using another vlan.

Are these details sufficient? Is there anything else you would like to know?

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎07-14-2016 08:33 PM

If you have already an AD I will recommend the use of NPS. 

you will need to configure a vlan "push" for authenticated devices (dot1x and mab) and define a vlan as default that will be your "guest" vlan. By default if not authenticated the radius is pushing a deny. 

You have a Microsoft link that can help you:

https://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎07-14-2016 08:40 PM

I will not be touching the client's network environment and so I am going to simulate a network by creating an AD and then setup the 802.1x authentication

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎07-14-2016 08:47 PM

Yes for sure and if you have issues you can pm me


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

kevin.hong1
Level 1
Level 1
In response to Francesco Molino

‎07-14-2016 06:10 PM

The Cisco ACS or ISE, are they paid softwares? I also have little knowledge using Linux.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to kevin.hong1

‎07-14-2016 07:27 PM

Yes there are paid software. 

For free you can use Windows NPS as it is included on windows server. 

 On Linux based you have freeradius

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue  


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents