Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9494
Views
21
Helpful
8
Replies

802.1x port authentication using Microsoft NPS

Go to solution
edcrawford
Level 1
Level 1

‎08-02-2022 01:04 PM

I have a PKI environment and NPS servers.  We issuer certificates to machines and they use these certificates to authenticate to the Always on VPN.  I would like to configure my access ports so that when a computer is plugged in to the port, it will only let it onto the network if the computer has a valid certificate.  I have 3850 switches.  

 

show aaa servers detail shows that the RADIUS server is up, but no requests are being sent to it: 

 

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1812, acct-port 1813
State: current UP, duration 1653614s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 1657968s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD: current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0

Here is my configuration:

aaa new-model
!
!
aaa group server radius NPS_Servers
server name AZR-NPS-01
!
aaa authentication dot1x NPS_List group NPS_Servers
!
!
!
!
!
aaa server radius dynamic-author
client xx.xx.xx server-key xxxxxxxxxx
aaa session-id common

interface GigabitEthernet2/0/23
description 802.1x test
switchport access vlan 103
switchport mode access
access-session host-mode single-host
access-session port-control auto
dot1x pae supplicant

 

***** the command dot1x port-control auto is accepted vbut doesn't show on the config.

What am I missing?

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎08-02-2022 01:53 PM

Hello @edcrawford 

I would start with the aaa command, which seems to be referencing a method list - rather use the 'default' method list as shown below:

aaa authentication dot1x default group NPS_Servers

 You also need the aaa authorization:

aaa authorization network default group NPS_Servers

Do you have this command?

dot1x system-auth-control

802.1X on switches is quite fussy. Needs a lot of specialised commands to make it work well.

For a really thorough discussion on the topic you should reference the Prescriptive Guide - it's excellent.

View solution in original post

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-15-2022 03:14 PM

The ISE Secure Wired Access Prescriptive Deployment Guide contains our best practice switch configurations for RADIUS and 802.1X

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Arne Bier
VIP
VIP

‎08-02-2022 01:53 PM

Hello @edcrawford 

I would start with the aaa command, which seems to be referencing a method list - rather use the 'default' method list as shown below:

aaa authentication dot1x default group NPS_Servers

 You also need the aaa authorization:

aaa authorization network default group NPS_Servers

Do you have this command?

dot1x system-auth-control

802.1X on switches is quite fussy. Needs a lot of specialised commands to make it work well.

For a really thorough discussion on the topic you should reference the Prescriptive Guide - it's excellent.

Go to solution
edcrawford
Level 1
Level 1
In response to Arne Bier

‎08-03-2022 09:51 AM - edited ‎08-03-2022 10:40 AM

I added aaa authorization and now I see request tick up on show aaa servers, if I run "test aaa group NPS_Servers test-user test-password new-code".  It doesn't, however, tick up if I plug a machine into the port that is configured for dot1x. 

Also, the odd thing, I would expect that the default would be not to let me on the network when I plug into the dot1x configured port if i do not have a certificate, but it does.  

0 Helpful

Go to solution
W-ALI
Level 1
Level 1

‎08-02-2022 03:28 PM

I configured it on  Switches 3560 as following and working fine

On Switch:

aaa new-model

radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 080211111111 ( set your radius IP & Key )

aaa authentication dot1x default group radius 

dot1x system-auth-control

 

On SW Port:

switchport mode access

authentication port-control auto

dot1x pae authenticator

++++++++++++++++++++++++++++++++++++++++++

On PC:

1-Service

WALI_0-1659478617355.png

 

2- NIC

WALI_1-1659478617367.png

 

WALI_2-1659478617385.png

 

WALI_3-1659478617400.png

++++++++++++++++++++++++++++++++++++++++++++++++++++

On Radius_NPS:

-Add the Client

WALI_4-1659478617414.png

Configure Network Policies with conditions & constraints

WALI_5-1659478617433.png

 

WALI_6-1659478617444.png

 

WALI_7-1659478617453.png

 

Go to solution
edcrawford
Level 1
Level 1
In response to W-ALI

‎08-03-2022 10:49 AM - edited ‎08-03-2022 10:50 AM

The switch part looks very similar to what I have, with exception that I have dot1x pae supplicant, rather than dot1x pae authenticator.  I changed it and it doesn't seem to make a difference.  Right now, if I plug into the port, it will let me on the network whether I have a certificate or not, and I don't see any requests going the the RADIUS.  I do see requests going to the RADIUS, and NPS Server logs if I run "test aaa group NPS_Servers test-user test-password new-code".  The PC and NIC settings look interesting, but in the first instance, I am trying to get it to fail when I plug in with no certificate.  Once that happens, and I see requests being sent to the RADIUS server, then I can enable to PC service.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎08-03-2022 01:21 PM

I would really recommend you look at that Prescriptive Guide document I linked to earlier. There is no need to hack your way through this - there is a set list of common switch commands that are necessary to make this delicate system do what it needs to do.

If you're not seeing anything on the NPS then there will be some commands missing on the switch.

Basic checks

- can you ping the NPS from the switch?

- the command "test aaa ..." is a good command to see if the RADIUS server receives anything - but keep in mind that the IOS sends a PAP Access-Request - if your NPS is not configured to handle PAP, then you might not get any response (e.g. an Access-Reject/Access-Accept is a sign that NPS replied - but a timeout is a sign that NPS didn't react)

- Is your switch configured in NPS and does it have the same RADIUS shared secret as what's on the switch?

- Don't use command pae supplicant on the switch - the switch must not act as the supplicant - it's always the authenticator

- Read the Prescriptive Guide

- Be aware that, once you get RADIUS working, that you might have the switch interface in Monitor Mode - in that case the interface will always be authorized if RADIUS sends back Access-Accept (try to avoid the command "access-session closed" in the early days until you are ready to move to Closed Mode)

- NPS is a poor choice for a RADIUS platform unless you have nothing else - you will need a good grasp of how to configure it exactly- it's pretty bad at logging and debugging -  why not spin up a Cisco ISE Eval instead?

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-15-2022 03:14 PM

The ISE Secure Wired Access Prescriptive Deployment Guide contains our best practice switch configurations for RADIUS and 802.1X

0 Helpful

Go to solution
dabitgall21
Level 1
Level 1

‎06-17-2024 10:01 AM

Hello everyone

¿Can somebody help me please? I need to provide network access to Out-of-domain computers by NPS

i have the following configuration

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common

dot1x system-auth-control

!

radius-server host 10.3.1.12 key cisconps
!
radius server PCRADIUS-123
address ipv4 10.100.1.12 auth-port 1812 acct-port 1813
key shared24

 

On port i have this configuration:
interface GigabitEthernet1/0/9
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast

I can provide access to network by NPS but just for Computers within the domain, now i need to provide the access to a guest network in Out-of-domain computers.

I hope you can help me, regards.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to dabitgall21

‎06-17-2024 01:38 PM

@dabitgall21 - it's a bit of a long answer and this thread is quite old. I would suggest the following.  Guest portals have many moving parts, and you can watch how it's built, step by step on www.labminutes.com (SEC0338 and onwards - this is for BYOD specifically, but he talks through the ISE portal creation and switch config necessary - you can use his guidance to setup a normal Guest Portal instead of a BYOD portal) - in general, labminutes is an excellent tutorial website.

And of course, a handy reference when you need config details, is the Cisco Guest Prescriptive Guide.

0 Helpful
Customers Also Viewed These Support Documents