4401 Views, 0 Helpful, 8 Replies

802.1x authentication on Cisco 3850.

Folks,

We are looking at some 802.1x authentication for LAN users on a Cisco 3850 switch. With the help of some additional support/links we have the below script ready and would like some comments if this would. If this script looks good, what are the next steps we need to take for this to work?

 

What we also need to know is what is this Cisco CTS? Is it Cisco TrustSec? What are the recommendations to get this configured and working?

 

Our infrastructure would use this Cisco 3850 switch along with ACS servers which would do the authentication. Does anyone have a good link to share with us for the configuration?

 

SCRIPT:

********************************************************************************************************************************

aaa new-model
!
aaa group server radius 802.1x_Group
    server name acs-01.xyz.com
    server name acs-02.xyz.com
!
aaa authentication dot1x default group 802.1x_Group
aaa authorization network default group 802.1x_Group
aaa authorization network 802.1x_List group 802.1x_Group
aaa accounting dot1x default start-stop group 802.1x_Group
!
aaa server radius dynamic-author
    client 1.1.1.1 server-key SECRET
    client 1.1.1.2 server-key SECRET
!
aaa session-id common
!
device-tracking tracking
!
device-tracking policy 802.1x_Policy
    limit address-count 10
    no protocol udp
    tracking enable
!
cts authorization list 802.1x_List
!
dot1x system-auth-control
!
ip radius source-interface Vlan2
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 2 tries 1
!
cts credentials id sw-cisco3850-01.xyz.com password SECRET    /* this command does not work */
!
radius server acs-01.xyz.com
    address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
    pac key SECRET
!
radius server acs-02.xyz.com
    address ipv4 1.1.1.2 auth-port 1812 acct-port 1813
    pac key SECRET
!
radius-server vsa send authentication
radius-server vsa send accounting
!
cts role-based enforcement
!

 

********************************************************************************************************************************

 

 

Thanks!!!

1 Accepted Solution

8 Replies

Hi,

 

Yes, CTS = TrustSec

Here are some useful TrustSec links

 

With this configuration here, it looks like you are planning to enroll this 3850 with ISE (assuming this is an access-layer switch); this will download the environment data (SGTs/matrix). You have enforcement enabled, which, if configured in ISE, will download the TrustSec matrix and enforce (apply ACLs). If all the configuration is applied on ISE, you'll be able to filter traffic on the local switch, but unless you configure SXP you won't have any destination SGTs, so you won't be able to filter traffic destined to the DC.

 

Ultimately what do you plan to do with TrustSec?

 

The cts credentials command needs to be run in exec mode, not global config mode.

 

HTH

Thanks for the help and details. :) Honestly, this is something the Cisco TAC gave us.

Our ACS servers are on version 5.5 so I am not sure if the ISE you are talking about would be something different.

 

We really need a simple configuration to begin with. Any port which is on VLAN 2 of this switch needs to be prompted with some authentication mechanism. The other ports can have some MAC addresses defined to ensure other devices do not get a challenge.

Sounds like you don't need TrustSec then, just don't add any CTS commands.

ISE is the replacement for ACS. ACS will still do 802.1x authentication for you; however it is, I believe, EOL soon.

What is the configuration of your interfaces?

I still have not done any configuration on the interfaces. Now that we have an initial configuration guide we are trying to join the dots and get basic authentication working.

I was referring to the 802.1x specific interface commands you'll need to get basic authentication working.

OK, in that case that is where we will need some help. How do we proceed?

This is probably a good start:

 

interface GigabitEthernet0/3
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 13
 authentication event fail action next-method
 authentication event server dead action authorize vlan
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 1
 spanning-tree portfast edge
 spanning-tree bpduguard enable

 

This interface is in "open" mode; when you want to go into closed mode, just enter the command "no authentication open" on each interface.

 

This interface will prioritise dot1x over mab; if you want to prioritise mab, then just change the order.

 

HTH
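The replies above make three checkable points: the CTS commands are not needed for plain 802.1x (and `cts credentials` belongs in exec mode, not global config), a port with `authentication open` is still in monitor mode until `no authentication open` is applied, and the `authentication order` line decides whether dot1x or mab runs first. The following Python script is an added example, not code from the thread or from Cisco: it parses an IOS-style configuration into global lines and per-interface blocks and reports those points for every access port. The config it audits is a constructed sample built from the snippets in this thread (interface names and the extra GigabitEthernet0/4 and 0/5 ports are assumptions for illustration); point it at your own `show running-config` output instead.

```python
"""Audit an IOS-style switch config for the 802.1x points raised in the thread (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: global lines from the original post plus three illustrative access ports.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group 802.1x_Group
dot1x system-auth-control
cts authorization list 802.1x_List
cts role-based enforcement
cts credentials id sw-cisco3850-01.xyz.com password SECRET
!
interface GigabitEthernet0/3
 switchport mode access
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/4
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/5
 switchport mode access
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and per-interface blocks.

    IOS indents the lines belonging to an `interface ...` block by one space;
    a non-indented line (or the `!` separator) ends the block.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_global(lines: List[str]) -> List[str]:
    """Check the global prerequisites and flag TrustSec commands that plain 802.1x does not need."""
    findings: List[str] = []
    required = {
        "aaa new-model": "AAA is not enabled (aaa new-model)",
        "dot1x system-auth-control": "802.1x is not enabled globally (dot1x system-auth-control)",
        "aaa authentication dot1x": "no dot1x authentication method list (aaa authentication dot1x ...)",
    }
    for prefix, message in required.items():
        if not any(line.startswith(prefix) for line in lines):
            findings.append("ERROR: " + message)
    for line in lines:
        if line.startswith("cts credentials"):
            findings.append("ERROR: 'cts credentials' is an exec-mode command, not a global config line")
        elif line.startswith("cts "):
            findings.append("WARN: TrustSec command present but not needed for plain 802.1x: " + line)
    return findings


def audit_interface(lines: List[str]) -> List[str]:
    """Report enforcement state, open/closed mode and method order for one access port."""
    findings: List[str] = []
    if "switchport mode access" not in lines:
        return findings  # trunks and uplinks are out of scope for this check

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in lines)

    if not has("authentication port-control auto"):
        findings.append("INFO: no 802.1x enforcement (authentication port-control auto missing)")
        return findings
    if not has("dot1x pae authenticator"):
        findings.append("ERROR: port-control auto without 'dot1x pae authenticator'")
    if has("authentication open"):
        findings.append("WARN: open mode, traffic passes before authentication; "
                        "apply 'no authentication open' for closed mode")
    order_line = next((line for line in lines if line.startswith("authentication order")), None)
    if order_line is None:
        findings.append("INFO: no 'authentication order' set, platform default order applies")
    else:
        order = order_line.split()[2:]
        if "mab" in order and not has("mab"):
            findings.append("ERROR: mab is in the authentication order but 'mab' is not enabled on the port")
        findings.append("INFO: method order " + " -> ".join(order))
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by 'global' and by interface name."""
    global_lines, interfaces = parse_config(text)
    report = {"global": audit_global(global_lines)}
    for name, lines in interfaces.items():
        report[name] = audit_interface(lines)
    return report


if __name__ == "__main__":
    for section, items in audit_config(SAMPLE_CONFIG).items():
        print(section)
        for item in items:
            print("  " + item)
```

Run it as-is to see the sample report; to audit a real switch, replace `SAMPLE_CONFIG` with the text of `show running-config`. The parser only treats one-space-indented lines as interface members, which matches IOS output but means a hand-typed config with four-space indentation (as in the original post's `aaa group` block) still lands in the global section, which is harmless for these checks.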

Thanks, let me go through this and come back.
