802.1X Port-Based Authentication

michaelglosker
Level 1

Hello everyone,

I'm currently exploring the setup of 802.1x port-based authentication with Cisco switches and Active Directory.

Once the configuration was completed on both the switch and the NPS server, I attempted to perform a test aaa. Upon reviewing the NPS audit log, I found that the request was marked as successful. However, when I connected my laptop to the Ethernet port, I didn't receive any authentication request to the NPS server. Instead, I was able to connect directly to the network. Furthermore, when I tried connecting a non-domain computer to the Ethernet port, it was also able to connect to the network, despite 802.1x being implemented on that port.

I'm wondering why my domain laptop was able to connect to the network without requiring any authentication. And when configuring port-based authentication, shouldn't it prompt the user for credentials when they attempt to connect to the Ethernet port?

During the configuration process on the switch, I followed the instructions provided in the following guide:

Link to Cisco Configuration Guide

11 Replies

michaelglosker
Level 1

My final goal is to allow only AD users to connect to the network.

Can I see the config?

AAA Config:

aaa server radius dynamic-author
client 10.10.10.100 server-key 7 08701E1D5D
client 10.10.20.24 server-key 7 0055415550
!
!
radius server radius_server
address ipv4 10.10.20.24 auth-port 1812 acct-port 1813
key 7 0055415550
!
!
aaa group server radius radius_group
server name radius_server
deadtime 5
!
!
!
!
aaa new-model
aaa session-id common

Interface config:

interface GigabitEthernet2/0/13

switchport access vlan 22
switchport mode access
access-session port-control auto
dot1x pae authenticator
service-policy type control subscriber DOT1X

Many commands are missing.

Check this link

http://myccie.weebly.com/dot1x-and-nps-lab.html

Is it mandatory to create a certificate as part of the process?

You mention domain. If you use simple username/password I think you can match the user to its domain.

So using a cert is needed.

@michaelglosker if you are in "open" authentication mode you will get network access regardless of whether you pass or fail authentication.

You need to configure the supplicant on windows (or anyconnect) to use 802.1X authentication, select the protocol (EAP MSCHAPv2/TLS etc), whether to pass through the credentials (or prompt) and to use machine/user authentication. If using AD use GPO to deploy these settings, the authentications will then be transparent, the users will not be prompted for authentication. Example.

Where can I check if I am in "open" authentication mode?

The supplicant on my Windows device was already set up to utilize 802.1X authentication, similar to the example provided except the "Provide server certificate" configuration.

@michaelglosker well based on your configuration it looks like you have a policy called DOT1X so you are using IBNS 2.0 configuration, so based on what you provided I assume you are in open mode.

You have not provided a lot of configuration. Is dot1x actually enabled globally? Have you configured the AAA authentication, authorisation and accounting method lists? Class/Policy maps?

Run "show authentication session" if there are no sessions then it's likely AAA/802.1X is not properly setup.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-x-series-switches/207193-Configure-IBNS-2-0-for-Single-Host-and-M.html
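To make the "open vs. closed mode" question and the "show authentication sessions" check above concrete, here is an added example (not from this thread, Cisco, or the poster's switch): a small Python checker that reads an interface section of `show running-config` and the table printed by `show authentication sessions`, reports each port's configuration style and access mode, and flags ports where an endpoint sits in an Unauth session while the port is open (the symptom described in the question). It assumes Cisco's documented defaults: IBNS 2.0 (new-style `access-session` / `service-policy type control subscriber`) ports are open unless `access-session closed` is configured, and legacy (`authentication ...`) ports are closed unless `authentication open` is configured. The config stanzas, MAC addresses and session IDs are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed interface stanzas in the style of 'show running-config'.
# Gi2/0/13 mirrors the shape of the poster's interface (IBNS 2.0, no 'access-session closed').
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet2/0/13
 switchport access vlan 22
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber DOT1X
!
interface GigabitEthernet2/0/14
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber DOT1X
!
interface GigabitEthernet2/0/15
 switchport mode access
 authentication port-control auto
 authentication open
 dot1x pae authenticator
!
"""

# Constructed sample 'show authentication sessions' output (MACs and session IDs invented).
SAMPLE_SESSIONS = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi2/0/13                 0011.2233.4455 dot1x   DATA    Unauth     640A0A0A00000015CE5C7CFB
Gi2/0/14                 0011.2233.4466 dot1x   DATA    Auth       640A0A0A00000016CE5C7D01
Gi2/0/15                 0011.2233.4477 mab     DATA    Auth   X   640A0A0A00000017CE5C7D2A
"""

ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_name(interface: str) -> str:
    """Map a long interface name (running-config) to the short form used by show commands."""
    for long, short in ABBREV.items():
        if interface.startswith(long):
            return short + interface[len(long):]
    return interface


def port_modes(config: str) -> Dict[str, Tuple[str, str]]:
    """Return {short interface: (style, mode)} where style is 'ibns2', 'legacy' or 'none'
    and mode is 'open', 'closed' or 'none'. Assumption: new-style ports default to open,
    legacy ports default to closed (per Cisco's IBNS 2.0 documentation)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None            # '!' ends the stanza
        elif current and line:
            stanzas[current].append(line)
    modes = {}
    for name, lines in stanzas.items():
        new_style = any(l.startswith(("access-session", "service-policy type control subscriber"))
                        for l in lines)
        legacy = any(l.startswith("authentication ") for l in lines)
        if new_style:
            modes[short_name(name)] = ("ibns2", "closed" if "access-session closed" in lines else "open")
        elif legacy:
            modes[short_name(name)] = ("legacy", "open" if "authentication open" in lines else "closed")
        else:
            modes[short_name(name)] = ("none", "none")
    return modes


# One data row of 'show authentication sessions'; the Fg column is optional.
SESSION_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<status>\S+)(?:\s+(?P<fg>[A-Z]))?\s+(?P<sid>[0-9A-F]+)\s*$",
    re.IGNORECASE)


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Parse the session table into dicts; header and separator lines do not match."""
    return [m.groupdict() for m in map(SESSION_ROW.match, output.splitlines()) if m]


def review(config: str, sessions_output: str) -> List[str]:
    """Cross-reference port mode with session status and describe what each Unauth session means."""
    modes = port_modes(config)
    findings = []
    for row in parse_sessions(sessions_output):
        style, mode = modes.get(row["intf"], ("unknown", "unknown"))
        if row["status"].lower() == "auth":
            continue
        if mode == "open":
            findings.append(f"{row['intf']}: {row['status']} session on an open-mode port ({style}); "
                            "the endpoint gets network access whether or not 802.1X succeeds")
        else:
            findings.append(f"{row['intf']}: {row['status']} session on a closed-mode port ({style}); "
                            "check AAA method lists, RADIUS reachability and the supplicant")
    return findings


if __name__ == "__main__":
    for intf, (style, mode) in port_modes(SAMPLE_RUNNING_CONFIG).items():
        print(f"{intf}: style={style} mode={mode}")
    for finding in review(SAMPLE_RUNNING_CONFIG, SAMPLE_SESSIONS):
        print(finding)
```

Run it against your own `show running-config | section interface` and `show authentication sessions` output; a port reported as `ibns2 open` with an `Unauth` session is exactly the situation where a laptop "just connects" without passing authentication. Note that in IBNS 2.0 the access mode can also be influenced by the control policy (for example a pre-authentication ACL or a service template applied on failure), which this checker does not read.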

These are the commands that I used:

Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius
Device(config)# dot1x system-auth-control
Device(config)# aaa authorization network default group radius
Device(config)# radius server radius_server
Device(config-radius-server)# address ipv4 10.10.20.24
Device(config-radius-server)# key key

Device(config)# interface gigabitethernet 2/0/13
Device(config-if)# switchport mode access
Device(config-if)# access-session port-control auto
Device(config-if)# dot1x pae authenticator

show authentication session result:

Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi2/0/13     MAC            dot1x   DATA    Unauth 640A0A0A00000015CE5C7CFB

The test aaa command initiates the traffic from the NAD, the switch in this case, and it is different from when you connect an endpoint to the switch port, this is why the logs could be different. Regarding the certificates, it is not mandatory, that depends on how you want to authenticate the endpoints and the users.

For example you can decide to do EAP-TLS (certificates) for the machine authentication and then EAP-PEAP (username/password) for the user authentication. Those settings can be adjusted as you want on the NIC dot1x properties and in addition to that you would need to create the right policies on the NPS server to match the incoming authentication requests.

The recommendation would be to use EAP-TLS or even TEAP if possible, as both these protocols are more secure compared to EAP-PEAP.