Network Edge Authentication Topology (NEAT) with Cisco Cat3850's and PKI

chris-lawrence
Level 1

Team,

I have a rather successful wired DOT1X solution using EAP-TLS (PKI) running on my Cat3850 network. Ok, it's using ACS still but I'll rollout a better authentication server in the months to come.

I have had to add a layer of switching in front of my authenticator and now want to explore using NEAT by defining a supplicant configuration. I see that I have tried using username/password in the credentials and see my RADIUS light up with deny log entries - I expected to see this as I don't have an ACS access policy defined to allow connection.

I am trying to use my PKI by creating a trustpoint on this supplicant and then trying to define "pki-trustpoint <tp-name>" in my dot1x credentials.

I'd expect to see something at the ACS related to my EAP-TLS attempts, but I see nothing.

Is what I am trying to do even possible?

Thanks,

Chris

franklinb
Level 1

I'm glad to see I'm not the only one wanting to do NEAT with something other than the default documentation option of MD5.

Sorry, I have not tried this with ACS, but I have done the IBNS1 method with EAP-MD5 to ISE and this works fine. It is not a very good solution, however, as MD5 is not very secure. We also are not able to use Active Directory as an Identity Source, since MD5 is not supported for the AD connector, leaving ISE local accounts as the only option. This is also problematic given the password must be changed regularly (based on the setting in ISE).

I would much prefer to use EAP-TLS, and am now using IBNS2, which is meant to be simpler for NEAT: an interface template result instead of the AV pair, and it does not involve any macros.

EAP-TLS for the supplicant requires PKI, but this is where I get stuck and is what I am currently working on.
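For readers following this thread, here is an added example of what the supplicant-side configuration for NEAT with EAP-TLS looks like on IOS/IOS-XE. It is not taken from either post and is not vendor documentation; it is written from the standard dot1x supplicant and PKI command syntax, so the exact set of accepted commands should be checked against the software version running on the Cat3850. The hostname EDGE-SW1, trustpoint NEAT-TP, RSA key label NEAT-KEY, EAP profile EAP-TLS-SUP, credential name NEAT-CRED, the enrollment URL and the uplink interface are all placeholders.

```cisco
! Added example (not from the thread). All names and the CA URL are placeholders.
hostname EDGE-SW1
!
! NEAT relies on CISP running on both the supplicant switch and the authenticator.
cisp enable
!
! Trustpoint the supplicant enrolls against. The issuing CA must be one the
! RADIUS server (ACS/ISE) trusts, or the EAP-TLS handshake fails before any
! authorization policy is evaluated. Revocation checking is left at its default.
crypto pki trustpoint NEAT-TP
 enrollment url http://CA-HOST-PLACEHOLDER/certsrv/mscep/mscep.dll
 subject-name CN=EDGE-SW1.example.test
 rsakeypair NEAT-KEY 2048
!
! EAP profile that selects TLS as the method and binds it to the trustpoint
! holding the switch's own identity certificate.
eap profile EAP-TLS-SUP
 method tls
 pki-trustpoint NEAT-TP
!
! dot1x credentials referenced from the supplicant interface. The username is
! the identity sent in the EAP-Response/Identity; the certificate is what the
! server actually validates.
dot1x credentials NEAT-CRED
 username EDGE-SW1
 pki-trustpoint NEAT-TP
!
dot1x system-auth-control
!
! Uplink toward the authenticator switch, configured as a supplicant port.
interface GigabitEthernet1/0/1
 description uplink to authenticator (NEAT supplicant)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CRED
 dot1x supplicant eap profile EAP-TLS-SUP
```

Before the port will authenticate, the trustpoint still has to be populated from EXEC mode with `crypto pki authenticate NEAT-TP` (imports the CA certificate) followed by `crypto pki enroll NEAT-TP` (requests the switch certificate). When troubleshooting a silent RADIUS server like the one described in the opening post, `show crypto pki certificates NEAT-TP` confirms the switch actually holds a valid identity certificate, `show dot1x interface GigabitEthernet1/0/1 details` shows whether the supplicant state machine is starting EAP at all, and `show cisp summary` shows whether CISP negotiated with the authenticator; an empty authentication log on the server usually means the failure is at one of these stages, not in the server's policy.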