Cisco 9200 configure NAC using certificates

leo.bernardi
Level 1

Hello All,

We are running a stack of 9200 switches with version 17.3.  I have been tasked with implementing NAC on our switches using certificates that are hosted on our internal CA (Windows 2019 server) (also our DC/Radius server).

Everything I have been reading keeps pointing to Cisco's ISE solution.  I know you don't need the ISE if you do MAC based NAC configuration.  But I can't find any documentation on how to configure the switch to talk to the CA and not Windows AD.

The workstations/laptops allowed to connect to the network will have a certificate (generated by the CA) placed on them.  We don't need any additional policies placed on the devices as the VLANs are controlled by the configuration of the switch ports and access to resources by the user's sign in.

Any documentation/suggestion would be extremely helpful.

TIA.

Leo

6 Replies

The wired client uses the CA to authenticate itself to whom? You need a server, and both exchange certs for auth.

This needs EAP, and EAP needs ISE.

MHM

Hi MHM,

Thank you for your response.

I am not sure I understand the question.  The wire client would have a cert that was generated by the onsite CA and would authenticate against it.  So the CA (which is a Microsoft CA running on Windows 2019) has everything.  I believe Windows NPS provides the EAP for the RADIUS server (also running on the Windows 2019 server).

client -> 9200 port -> Windows 2019 server (CA/AD/RADIUS/NPS)

This configuration is being used for our wireless network.

Or am I missing something?

Thanks.

Leo

You do not need Cisco ISE, but you do need dot1x authentication configured on the switchport.

In your NPS you create connection policies + profiles to use either certificates, username/password, or MAC address.
The client communicates with the switch.
The switch communicates with the NPS.
The NPS communicates with AD or CA as required by the policies.

If you already use NPS for MAB, then you have a good start to extend this for certificates:
- create the necessary policy/profile
- enable dot1x authentication on your switchports besides MAB
- configure your client for network authentication using dot1x and certificates (not user account, not computer account)


Hi Pierterh,

Thank you for the response. I will look at the NPS configuration.

I have found the Cisco 802.1X port authentication guide.  I believe that will provide me the MAB configuration.

I will keep this discussion posted.

Leo

leo.bernardi
Level 1

Hi Pierterh,

I have created my entry for the Windows RADIUS server following this blog. https://blog.naglis.no/?p=3816

I have configured the switch to communicate with the RADIUS server.  The problem I am having is I don't see the requests moving from the switch to the RADIUS server.  I can see ping requests are successful.  All I receive is this error:

%DOT1X-5-FAIL: Switch 3 R0/0: sessmgrd: Authorization failed for client (xxxx.xxxx.xxxx) with reason (No Response from Client) on Interface Gi3/X/X AuditSessionId XXXXXXXXXXX

The port configuration has:

interface GigabitEthernet3/X/XX
description YYYYYYYY
switchport access vlan CCC
switchport mode access
switchport voice vlan BB
authentication port-control auto
trust device cisco-phone
dot1x pae authenticator
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
!

I am not sure what I am missing.

Thanks for the assistance.

Leo

I don't believe the switchport config is the problem; you may consider adding "authentication host-mode multi-domain" to allow both IP phone and PC on the same port.

But
"No Response from Client" indicates dot1x is not active on the client's network adapter!
802.1X authentication issues troubleshooting - Windows Client | Microsoft Learn
Configure 802.1x wired network settings for macOS and Windows devices in Microsoft Intune | Microsoft Learn
Enabling dot1x using GPO - Microsoft Q&A