ASK THE EXPERTS - Dot1x Flexible Authentication

ciscomoderator
Community Manager

with Tiago Antunes and Federico Lovison

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about Dot1x Flexible Authentication and how the IBNS authentication features on the Cisco Catalyst switches can help in providing customized access control for wired LAN networks leveraging 802.1X with Cisco experts Tiago Antunes and Federico Lovison. Tiago is a Customer Support Engineer at the Cisco Technical Assistance Center in Belgium, where he specializes in solving high-severity issues in wireless networks, network admission control setups, identity based networking and 802.1X setups, and Authentication, Authorization and Accounting solutions. Tiago holds a bachelor's and master's degree in electrotechnical and telecommunications engineering from the Polytechnic Institute of Castelo Branco, Portugal. He holds CCIE R&S and Wireless certification #23784. Federico is a customer support engineer at the Cisco Technical Assistance Center in Brussels, where he has been part of the wireless and AAA team since joining Cisco in 2007. He supports customers on AAA products (Cisco Identity Based Network Services, Secure Access Control Server, and Network Access Control appliance) and wireless products; he also provides training for Cisco engineers on AAA-related subjects. Federico holds a bachelor's degree in telecommunications engineering from the University of Padova, Italy, and CCIE Wireless certification #23307.


Remember to use the rating system to let Tiago and Federico know if you have received an adequate response.


Tiago and Federico might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through January 28, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


jwarner
Level 1

As a school, we have a high count of user-owned computers where we do not have administrative rights. What advice can you give to help with client-side configuration of dot-1x? We have heard of XpressConnect from CloudPath. Does Cisco have anything similar? Have you seen any user instructions for setting up clients for 1x that you can recommend? We will be using MS-CHAPv2/PEAP.

Since this was my question, I thought there was supposed to be a button to indicate I liked the answer. I don't see the button. But I like the answer. Thank you. It was/is definitely interesting reading and full of good info.


Federico Lovison
Cisco Employee

Hello Jim!

Thanks for joining this Ask the Experts session!
The currently available Cisco 802.1x supplicant is the Cisco Secure Services Client (SSC):
http://www.cisco.com/en/US/products/ps7034/index.html

I'm not sure how the XpressConnect from CloudPath works; however, the Cisco SSC doesn't provide a software provisioning system.
In Cisco SSC you have a management tool that allows you to generate a config file and package it in MSI format, so that you can then provision this package to your clients using whichever method is most suitable for your environment.
If the end user has admin rights on his client, you may distribute the MSI installation package that the end user will then install on his client.

Please check the following page for more details about how to configure SSC and creating the installation package:
http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1/administration/guide/C3_DeploySSC.html

When planning the use of Cisco SSC, please take into account the system requirements on the client:
http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/release/notes/ssc51118xp_RN.html#wp49095

I hope this helps!

Best Regards,
Federico

--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Tiago Antunes
Cisco Employee

Hi all,

In case you want to get started here is a deployment guide with config examples:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html

This document is intended to provide enough information to allow for a pilot of several key features in a prescriptive manner in order to become familiar with Identity-based Networking and understand the power of these new enhancements. This document is not intended to be an exhaustive detailed guide to configuring all of the IBNS features, or possible options with regards to 802.1X clients, backend Identity repositories, EAP Methods, NAC Profiler integration or Guest Access services.

Thanks,

Tiago

Hello Experts,

I'm very new to 802.1X technology. I have read about it and I have many doubts. I have ACS 5.0 in my network and I want to apply security on the access switch ports. I have read about MD5, PEAP, LEAP and EAP-TLS, but I don't know how to implement them with ACS.

I have read that when a user connects their laptop it doesn't get any IP address until the port is authorized, but where does the port go to authorize? If it goes to ACS, then what does the port carry to authenticate its identity?

I'm very much blank on these concepts; I want some tips for getting started with 802.1X authentication for switch ports.

Thanks

Hi,

You are correct, the PC does not get IP address until the port is authorized and it does not need it to authenticate because the authentication is all L2 for the client.

Basically the client PC will talk EAP and the switch will get these EAP packets, encapsulate them inside a RADIUS packet and forward them to the ACS; the ACS replies to the switch with a RADIUS packet which also contains the EAP response to the client, so the switch will take out the EAP frame and send it to the client.

Once the authentication is successful the ACS sends a RADIUS-ACCEPT which contains an EAP-Success inside; the switch processes the Accept and forwards the success to the client.

The switch authorizes the port only when/if it receives an Accept.

HTH,
Tiago
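The exchange Tiago describes above, written out as an added example that is not part of this thread or of any Cisco code: a Python model of the switch's authenticator role, carrying the client's EAP frame inside a RADIUS Access-Request (EAP-Message and Message-Authenticator attributes, RFC 3579) and authorizing the port only after an Access-Accept whose Response Authenticator and Message-Authenticator verify against the shared secret (RFC 2865). The shared secret, identity and Request Authenticator are constructed test values.

```python
"""Model of the 802.1X authenticator (switch) relaying EAP inside RADIUS.

Added example, not part of the thread. The shared secret, Request
Authenticator and identity used here are constructed test values.
"""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# RADIUS attribute types (RFC 2865 / RFC 3579)
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, type_data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) + Type-Data]."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def _attrs(pairs):
    """Serialise RADIUS attributes as Type(1) Length(1) Value TLVs."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def parse_attrs(data):
    """Inverse of _attrs; rejects truncated or under-length attributes."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def wrap_eap_in_access_request(eap, secret, radius_id, request_auth, username):
    """Switch -> server: carry the client's EAP frame in an Access-Request.

    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)
    per RFC 3579 3.2; each EAP-Message value holds at most 253 bytes.
    """
    chunks = [(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

    def body(mac):
        return _attrs([(ATTR_USER_NAME, username)] + chunks
                      + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])

    head = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(body(bytes(16))))
    mac = hmac.new(secret, head + request_auth + body(bytes(16)), hashlib.md5).digest()
    return head + request_auth + body(mac)


def build_server_reply(code, radius_id, request_auth, secret, eap):
    """RADIUS server: Access-Accept/Reject/Challenge carrying an EAP packet.

    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    (RFC 2865 section 3); the Message-Authenticator is keyed over the same bytes.
    """
    def body(mac):
        return _attrs([(ATTR_EAP_MESSAGE, eap), (ATTR_MESSAGE_AUTHENTICATOR, mac)])

    head = struct.pack("!BBH", code, radius_id, 20 + len(body(bytes(16))))
    mac = hmac.new(secret, head + request_auth + body(bytes(16)), hashlib.md5).digest()
    attrs = body(mac)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def process_server_reply(reply, secret, request_auth):
    """Server -> switch: verify the reply, extract EAP, decide the port state.

    Returns (port_authorized, eap_for_client). Only an authentic Access-Accept
    authorizes the port; a reply that fails verification is dropped (None).
    """
    if len(reply) < 20:
        return False, None
    head, resp_auth, attr_bytes = reply[:4], reply[4:20], reply[20:]
    code, _ident, length = struct.unpack("!BBH", head)
    if length != len(reply):
        return False, None
    expected = hashlib.md5(head + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, None  # forged, bound to a different request, or wrong secret
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError:
        return False, None
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, None  # RFC 3579 requires it whenever EAP-Message is present
    zeroed = _attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                     for t, v in attrs])
    expected_mac = hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_mac, macs[0]):
        return False, None
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    return code == ACCESS_ACCEPT, eap


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed test value, not a real key
    req_auth = os.urandom(16)                 # fresh Request Authenticator per request
    identity = eap_packet(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"jsmith")
    request = wrap_eap_in_access_request(identity, secret, 7, req_auth, b"jsmith")
    accept = build_server_reply(ACCESS_ACCEPT, 7, req_auth, secret, eap_packet(EAP_SUCCESS, 2))
    print("port authorized:", process_server_reply(accept, secret, req_auth)[0])
```

The point to take from the model is the one Tiago makes: the client never needs an IP address, because the switch is only a relay between EAP on the wire and EAP inside RADIUS, and the port changes state only on an Access-Accept that the switch can verify. The Response Authenticator binds the reply to the specific Access-Request it answers, and the Message-Authenticator protects the EAP payload; a reply with a mismatched shared secret fails both checks and is discarded, so the port simply stays unauthorized.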

Hello Tiago,

For Example:

For example, when we log in to Windows we put in our username and password to authenticate to AD. Is it the same with switches? What does the switch port carry to authenticate itself to the AAA server? Is there a username or password for switches, or what other things are required to authenticate a switch port?

What are the steps to configure AAA 5.0 to authenticate dot1x clients?

Thanks

Hi,

As you correctly said, you can indeed authenticate 802.1x users using credentials on the AD domain.

However, the process will work as described by Tiago, meaning that in any case the 802.1x authentication happens before the client gets any IP address and the credentials are exchanged over 802.1/EAP/RADIUS between the client (supplicant) and the RADIUS server.

In order to use the AD credentials, some config has to be specifically done both on the supplicant and RADIUS server side.
The supplicant side depends on which software you use (e.g. the built-in Windows Zero Config or, for example, Cisco Secure Services Client), but the idea is that, if you don't want the user to type the AD credentials twice (once to log on to the PC and once to perform 802.1x authentication), the supplicant can re-use the same username and password typed for the AD logon for the 802.1x authentication as well.

Please note that in this case, if the client doesn't have an IP address at the time of the AD logon (as 802.1x auth has not happened yet and there are no cached credentials from a previous AD auth), the AD auth on the client may fail.

In order to address this, some supplicants (as for instance Cisco SSC) allow you to use the user-pw that you type on the Windows logon, and this info is used to perform the 802.1x auth first, whereas the actual AD auth is put "on hold" until the client has full IP connectivity (so after a successful 802.1x auth).

An alternative to this method is to use machine authentication, where you can grant IP connectivity to the client by allowing the machine to perform 802.1x authentication using the AD account that belongs to the machine itself (so this authentication happens at the boot time with no intervention required by the user).


This document describes how to configure ACS 5.1 to authenticate 802.1x users using the PEAP Auth method:

http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml


Although this doc is focused for wireless users and it covers also the Cisco Wireless LAN Controller configuration, the steps to configure ACS are the same for wired users as well:

http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml#certsetup


So basically the main steps are (refer to the document for a full description):

- install a server SSL certificate on ACS (this is required because of the PEAP method)

- configure the Active Directory identity store (that's how to allow ACS to authenticate users using AD credentials)

- add the AAA client to ACS (in the example it refers to a "controller", but that has to be done for a switch in the same way)

- configure the access policies


The document also covers an example for the client configuration using the Windows supplicant:

http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml#zerotouch


You can refer to this also for the wired configuration, as the EAP-PEAP config will be the same, although some wireless-specific details (e.g. SSID config) would not be present on a wired interface config.

Take into account that this is just an example and you can actually implement a more complex policy set on ACS in order to authorize different users based on additional parameters (e.g. device they logon to, logon time, AD group membership.. etc).

In this sense, I think that the ACS 5 config guide has a very good chapter describing the policy model so you may want to go through it as well:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/policy_mod.html


I hope this helps.


Regards,

Federico

pankaj.kakade
Level 1

How to authenticate wireless client with machine or user certificate

Hi Pankaj,

Please note that this topic is for dot1x on switches.

If you want to discuss dot1x on wireless, I invite you to open a new post and I will be more than happy to answer your questions.

Thanks,

Tiago

Hello Experts,

I'm facing issues with the below thread. The guy (Federico Zilloto) who answered my thread helped me to some extent, but I think he is on leave; that's the reason I'm seeing no mail from Federico Zilloto. Can you experts help me with this issue? I know this is off-topic from Dot1x, but if you can help me it will be appreciated.

https://supportforums.cisco.com/thread/2060936?tstart=0

Thanks.

pankaj.kakade
Level 1

We have dot1x configured for wired connections and it's working fine, but sometimes we receive the below error for a failed connection:

Error: Authen session timed out: Challenge not provided by client

Can you suggest a solution for this?

Regards

Pankaj


Hi,

This message means that for some reason the supplicant (PC, phone, etc.) did not reply in time.

This can be seen for example if the supplicant does not trust the server certificate or if some error happens on the certificate checks.

Can you tell us more information about the authentication method? EAP-TLS? PEAP? EAP-FAST?

What is the supplicant software used? Windows ZC? CSSC? Intel PROSet?

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
