Port-Security for mobile devices as laptops

santoshbajimaya
Level 1

Hey everyone,

I have been researching and testing port-security to be implemented in our network switches. I am quite confused about how we can properly manage port-security for laptops, as they keep moving throughout the network. I can't just configure sticky or static MAC addresses for those laptops throughout my network, and there are about a dozen laptops.

 

Thank You in advance.

13 Replies

Cisco VMPS would be the perfect solution to allow you to roam based on your MAC address; however, this feature was discontinued way back in IOS release 12.2. The alternative would be to implement 802.1x authentication on the switch and authenticate via a RADIUS server. Keep in mind that these devices will be connected to designated ports, as your other devices such as IP phones would have to support this feature in order to operate.

 

Info on 802.1x Authentication

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html

 

P.Williams

Thank you for the information Patrick. I do have one NPS server for authenticating users to log in to network switches through radius authentication querying my AD. 

I tried to follow the instructions from your weblink but could not succeed. 

However, I will be researching on it and testing the port-control.

 

Thank You once again.

Please see the sample config for a switch. If you require a sample of a Windows client, I can provide that as well.

***Remember to rate the post as well****

 

[Image: Radius Server.png]

 

Switch(config)# ip routing
Switch(config)# aaa new-model
Switch(config)# username admin secret MyPassword
Switch(config)# radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface g0/12
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto

Note that the interface must be set to static access mode. If left in dynamic mode (where DTP is used to negotiate the port's function as either access or trunking), the switch will issue an error message stating that 802.1X cannot be configured on dynamic ports.

If you're inquisitive like me and issue a question mark to invoke the context-sensitive help in the midst of issuing a new command, you might have noticed that the dot1x port-control interface command has three options. These are:

auto - Normal 802.1X authentication
force-authorized - No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
force-unauthorized - Ignores authentication attempts, port is always unauthorized

You can use the show dot1x command to verify the configuration of your client-facing interface:


Switch# show dot1x interface g0/12
Supplicant MAC
AuthSM State      = N/A
BendSM State      = N/A
PortStatus        = N/A
MaxReq            = 2
MaxAuthReq        = 2
HostMode          = Single
PortControl       = Auto
QuietPeriod       = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
TxPeriod          = 30 Seconds
Guest-Vlan        = 0

 

P.Williams

I had configured my Cisco switch with the same configs that you have suggested. But it didn't work. Maybe I don't have a clear idea of how it works. I am still researching this issue and testing on one of the network switches.
I was wondering, once we configure dot1x in a switch and all settings are done in the NPS server, what does it look like when I connect a computer to a dot1x-enabled port? Do I get a window asking for credentials, or something else?
I tried to google some videos on this but could not find much.

Thank You

Hi,
I assume the computers are Windows laptops and joined to an AD domain? You would need to configure the Windows Native Supplicant to perform authentication. You can create a Group Policy Object and apply it to the computers/users, configuring them to use 802.1x, specifying the EAP protocol to use, e.g. PEAP/MSCHAPv2 or EAP-TLS (whatever you configured NPS to use), and specifying whether to perform computer and/or user authentication. With the GPO configured, authentication of the laptops using 802.1x would be transparent.

HTH

Hi RJI,
Thanks for the information. I just want to test and verify the 802.1x port-authentication on one of the laptops that are joined to AD before proceeding to a larger scale by creating a group policy.
I enabled the Wired autologin services and edited the Network properties for the adapter to accept 802.1x traffic. But I could not really get success today. I tried changing various options available for the 802.1x setting, but none of them worked. I got the "Authentication failed" message in my network adapter though.
So, still testing and trying my best.
Thank You

What error messages do you get on the NPS server?

Does the client computer have a certificate issued from the AD domain, and is the same certificate trusted on the NPS server?

Does this link provide some information to help configure NPS and the client?

Thank you for the link RJI. I did all the configs in my switch and RADIUS server and tested one laptop with the 802.1x port authentication feature enabled and the proper authentication method, but it didn't work. I ran Wireshark on my RADIUS server and looked for EAP packets but didn't get a single packet. I think my firewall might be blocking the traffic.
I will look at my firewall and verify that.
Thank You

You won't see EAP packets if you capture traffic on the RADIUS server; you would see RADIUS traffic (ports 1812/1813 or 1645/1646). You'd see EAP packets between the client and the switch; these are then encapsulated in a RADIUS packet from the switch to the RADIUS server.

Did 802.1x actually run on the switch? Check the output from "show authentication session interface Gig x/x" - this would show if dot1x actually ran. If it didn't, please provide your full configuration for review.

The Windows Event Logs for NPS would confirm whether there was an attempted authentication and, if it fails, would provide a clue as to why it fails.

HTH
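To make the encapsulation point above concrete, here is an added illustration (not code from Cisco, Microsoft or anyone in this thread): it builds the RADIUS Access-Request a switch would send to NPS, carrying the supplicant's EAP-Response/Identity inside EAP-Message attributes (RFC 3579) and protected by the HMAC-MD5 Message-Authenticator keyed with the shared secret, then dissects it the way you would when reading a capture on the RADIUS server. The identity, request authenticator and port values are constructed; the secret reuses the MyRadiusKey sample from the switch config posted earlier.

```python
"""Build and dissect a RADIUS Access-Request carrying an EAP-Message.

Added illustration for this thread; not Cisco, Microsoft or the posters' code.
The identity and request authenticator below are constructed sample values.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579: EAP frame carried inside RADIUS
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579: HMAC-MD5 over the whole packet
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253             # one-byte attribute length minus 2-byte header


def build_eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity, as the laptop sends it to the switch inside EAPOL."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value limited to 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         secret: bytes, username: bytes, eap_frame: bytes) -> bytes:
    """What the switch sends to NPS: EAP split into EAP-Message attributes, plus a
    Message-Authenticator computed with the Message-Authenticator value zeroed."""
    attrs = _attr(ATTR_USER_NAME, username)
    for i in range(0, len(eap_frame), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_frame[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # placeholder is the last 16 bytes; swap in the MAC


def parse_attributes(packet: bytes):
    """Yield (type, value, offset_of_value); rejects inconsistent lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the HMAC-MD5 over the packet (MA zeroed) matches the MA carried."""
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator: EAP over RADIUS requires one


def extract_eap(packet: bytes) -> dict:
    """Reassemble EAP-Message fragments and decode the EAP header inside them."""
    eap = b"".join(v for t, v, _ in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length mismatch after reassembly")
    info = {"code": code, "id": eap_id}
    if code == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        info["identity"] = eap[5:]
    return info


# Constructed sample: a domain user on a laptop; secret from the sample switch config above.
SECRET = b"MyRadiusKey"
IDENTITY = b"CORP\\jdoe"
SAMPLE = build_access_request(
    identifier=7,
    request_authenticator=bytes(range(16)),  # a real switch picks 16 random bytes
    secret=SECRET, username=IDENTITY,
    eap_frame=build_eap_identity_response(1, IDENTITY))

if __name__ == "__main__":
    print("Message-Authenticator valid:", verify_message_authenticator(SAMPLE, SECRET))
    print("EAP inside RADIUS:", extract_eap(SAMPLE))
    print("with the wrong shared secret:", verify_message_authenticator(SAMPLE, b"OtherKey"))
```

The last line of the demo is the practical tie-in: a shared-secret mismatch between the switch and the NPS RADIUS client entry makes the Message-Authenticator check fail, and NPS then discards the request, which is one reason a capture on the server can show RADIUS arriving while the laptop still reports "Authentication failed".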

I checked for the EAP traffic on the RADIUS server, though. I will check for the RADIUS traffic once again.

Also, I have configured the port as below:

interface GigabitEthernet1/0/4
 switchport access vlan 700
 switchport mode access
 authentication port-control auto
 spanning-tree portfast

I don't get the option on dot1x for the port-control:

DISW06E(config-if)#dot1x ?
  authenticator   Configure authenticator parameters
  credentials     Credentials profile configuration
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  max-start       Max No. of EAPOL-Start requests
  pae             Set 802.1x interface pae type
  supplicant      Configure supplicant parameters
  timeout         Various Timeouts

I don't know why. Might be because of my IOS image version.

 

You need a few more interface-level commands configured for dot1x to work, e.g.:

 

Interface

interface gigabitethernet 1/0/1
 switchport mode access
 switchport access vlan 11
 spanning-tree bpduguard enable
 spanning-tree portfast
 authentication event fail action next-method
 authentication host-mode single-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

 

Global

aaa new-model
ip device tracking
dot1x system-auth-control

aaa group server radius ISE
 server 192.168.10.14 auth-port 1645 acct-port 1646
 server 192.168.10.4 auth-port 1645 acct-port 1646
 load-balance method least-outstanding batch-size 5

aaa server radius dynamic-author
 client 192.168.10.4 server-key cisco1234
 client 192.168.10.14 server-key cisco1234

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic
aaa accounting dot1x default start-stop group ISE

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
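Comparing the minimal port stanza posted earlier with the suggested one by eye is error-prone, so here is an added example (not Cisco code and not from anyone in this thread) of a small config audit in Python. It splits running-config text into interface stanzas, reports which of the interface-level commands named above (access mode, port-control auto, dot1x pae authenticator) are missing from each port, flags ports left in dynamic mode, and checks for the global prerequisites (aaa new-model, dot1x system-auth-control, the dot1x authentication method list, a RADIUS server). The two sample configs embedded in the block are taken from the posts above; the keyword list used to recognise unindented interface sub-commands is an assumption of this example.

```python
"""Audit IOS running-config text for the 802.1X commands discussed in this thread.

Added example, not Cisco code. Sample configs are copied from the posts above;
the IF_KEYWORDS heuristic for unindented paste is an assumption of this example.
"""
import re

# Interface-level commands the suggested config relies on for a dot1x authenticator port.
REQUIRED_IF = (
    "switchport mode access",
    "authentication port-control auto",
    "dot1x pae authenticator",
)
# Global prerequisites named in the thread (regexes matched against stripped lines).
REQUIRED_GLOBAL = (
    r"^aaa new-model$",
    r"^dot1x system-auth-control$",
    r"^aaa authentication dot1x default group \S+$",
    r"^radius-server host \S+|^aaa group server radius \S+",
)
# Assumed: first words that identify an interface sub-command even when pasted unindented.
IF_KEYWORDS = {"switchport", "authentication", "spanning-tree", "mab", "description", "shutdown"}


def split_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^interface\s+(.+)$", line)
        if m:
            current = m.group(1).strip()
            stanzas[current] = []
            continue
        first = line.split()[0]
        is_sub = line.startswith(" ") or first in IF_KEYWORDS or (
            first == "dot1x" and not line.startswith("dot1x system"))
        if current is not None and is_sub:
            stanzas[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return stanzas


def check_port(commands) -> list:
    """Required interface commands missing from one stanza, plus a dynamic-mode warning."""
    present = set(commands)
    missing = [c for c in REQUIRED_IF if c not in present]
    if any(c.startswith("switchport mode dynamic") for c in present):
        missing.append("port is in dynamic mode; 802.1X needs switchport mode access")
    return missing


def check_global(config: str) -> list:
    """Global prerequisite patterns that no line of the config satisfies."""
    lines = [l.strip() for l in config.splitlines()]
    return [pat for pat in REQUIRED_GLOBAL if not any(re.match(pat, l) for l in lines)]


def audit(config: str) -> dict:
    report = {"global_missing": check_global(config), "ports": {}}
    for name, cmds in split_interfaces(config).items():
        report["ports"][name] = check_port(cmds)
    return report


# Copied from the original poster's stanza above (pasted without indentation).
OP_CONFIG = """
interface GigabitEthernet1/0/4
switchport access vlan 700
switchport mode access
authentication port-control auto
spanning-tree portfast
"""

# Copied from the suggested interface and global configuration above (abridged).
SUGGESTED = """
interface gigabitethernet 1/0/1
 switchport mode access
 switchport access vlan 11
 spanning-tree bpduguard enable
 spanning-tree portfast
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

aaa new-model
ip device tracking
dot1x system-auth-control
aaa authentication dot1x default group ISE
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
"""

if __name__ == "__main__":
    for label, cfg in (("original poster", OP_CONFIG), ("suggested", SUGGESTED)):
        print(label, "->", audit(cfg))
```

Run against the original poster's stanza the audit reports only `dot1x pae authenticator` missing at the interface and all four global prerequisites absent from the paste; the same check on the suggested config comes back clean.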

I am sorry I was out for a while. I will be testing the configuration today though.

 

Thank you for your help.

Hi,
I tested my 802.1x authentication. I get a login window when I plug the network cable into my laptop. But after entering the credentials, it gets rejected. I checked all my configuration in the switch and the RADIUS server as well. Everything looks fine, but the authentication fails.
I don't know why.