NEAT - Configuration

robert.melzer
Level 1

Hello Everyone, glad to be a part of the group.

 

I have the following task to do and do not find a solution:

The task is to authenticate a supplicant switch on an authenticator system against Microsoft NPS or FreeRADIUS.

I checked out these configurations:

 

authenticator

global:

dot1x supplicant force-multicast
cisp enable
dot1x system-auth-control

template neat-authz
switchport mode trunk

Interface Configuration

switchport mode access
authentication host-mode multi-host
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
source template neat-authz

 

On the supplicant

global

cisp enable
dot1x system-auth-control

eap profile EP_NEAT
method md5 --> against FreeRADIUS
method mschapv2 --> against Microsoft NPS

dot1x credentials DC_NEAT
username anyone
password 7 xxxxxxxxxxxxxx
!
dot1x supplicant force-multicast

interface --> attached to the authenticator

switchport mode trunk
load-interval 30
dot1x pae supplicant
dot1x credentials DC_NEAT
dot1x supplicant eap profile EP_NEAT
spanning-tree portfast network

 

On FreeRADIUS and Microsoft NPS I added

Cisco-AVPair = "device-traffic-class=switch"

 

Additional Information

Version supplicant

WS-C3560CX-8PC-S 15.2(7)E3 C3560CX-UNIVERSALK9-M

Version authenticator

C1109-4PLTE2PWE

securityk9

I enabled debug cisp and I am getting ERROR on the authenticator side.

The interface on the authenticator is up and on the supplicant it is up/down.

Does anybody have a hint for me?

 

Best Regards and stay safe and healthy

Robert

Accepted Solution

robert.melzer
Level 1

It works great

The issue was to use one switch with lanbase and the other with ipbase.

Now I used both switches with ipbase and it works fine.

 

Thanks to Karsten for the explanation and links to the documents.

 

Stay safe and healthy

Regards

Robert


3 Replies

There is a quite good document on NEAT. It is based on Cisco ISE, but the switch-part is also covered:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--100650304

And the general NEAT-documentation:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-ieee-neat.pdf

Be aware that this feature is not always behaving as expected on all IOS releases ...

Dear Karsten,

thanks for your reply.

First I checked the RADIUS configuration on localhost:

Sent Access-Request Id 20 from 0.0.0.0:32805 to 127.0.0.1:1812 length 98
User-Name = "neat"
Cleartext-Password = "xxxxxxx"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
EAP-Code = Response
EAP-Type-MD5-Challenge = 0x10c017b71bf122e82fef52bb7fe4217a6b
EAP-Id = 253
State = 0x0dcdb6930d30b2cf091d329842143dc0
EAP-Message = 0x02fd00160410c017b71bf122e82fef52bb7fe4217a6b
Received Access-Accept Id 20 from 127.0.0.1:1812 to 0.0.0.0:32805 length 97
Framed-Protocol = PPP
Service-Type = Framed-User
Cisco-AVPair = "device-traffic-class=switch"
EAP-Message = 0x03fd0004
Message-Authenticator = 0x05b61470799f2ba557f4fe2d94d8d696
User-Name = "neat"
EAP-Id = 253
EAP-Code = Success


This is the configuration of the supplicant:

aaa group server radius BGSNT
server-private 192.168.12.23 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxx
ip radius source-interface Vlan13

aaa authentication dot1x default group BGSNT

aaa authorization network default group BGSNT

eap profile EP_NEAT
method md5

epm logging

dot1x credentials DC_NEAT
username neat
password 7 xxxxxxxxxx
anonymous-id neat
!
dot1x supplicant force-multicast
dot1x critical eapol

interface GigabitEthernet0/4
switchport trunk native vlan 994
switchport mode trunk
dot1x pae supplicant
dot1x credentials DC_NEAT
dot1x supplicant eap profile EP_NEAT
spanning-tree portfast edge


radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only


Configuration of the Authenticator

aaa group server radius BGSNT
server-private 192.168.12.23 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxx
ip radius source-interface Vlan13

aaa authentication dot1x default group BGSNT
aaa authorization network default group BGSNT

aaa server radius dynamic-author
client 192.168.12.23 server-key 7 xxxxxxxxxxxxxxxx

epm logging

dot1x system-auth-control
dot1x supplicant force-multicast
dot1x critical eapol

template neat-authz
switchport trunk native vlan 994
switchport mode trunk


interface GigabitEthernet0/4
switchport access vlan 994
switchport mode access
authentication port-control auto
dot1x pae authenticator
source template neat-authz
spanning-tree portfast
spanning-tree bpduguard disable


radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only


Information
When I bring up the interface on the supplicant switch, I can see the debug cisp messages on the supplicant:
CISP Debug Supplicant
Nov 30 2020 18:32:15: CISP-RXPAK (Gi0/4): Code:RESPONSE ID:0x0 Length:0x0018 Type:HELLO
Nov 30 2020 18:32:15: CISP-EVENT (Gi0/4): Supplicant received event Receive Packet in state Not Running
Nov 30 2020 18:32:15: CISP-EVENT (Gi0/4): Error


Template on the authenticator is doing fine:
Nov 30 2020 17:32:15.370: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface GigabitEthernet0/4
Nov 30 2020 17:32:15: Applying command... 'no switchport access vlan 994' at Gi0/4
Nov 30 2020 17:32:15.401: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no switchport access vlan
Nov 30 2020 17:32:15: Applying command... 'no switchport nonegotiate' at Gi0/4
Nov 30 2020 17:32:15.407: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no switchport nonegotiate
Nov 30 2020 17:32:15: Applying command... 'switchport trunk encapsulation dot1q' at Gi0/4
Nov 30 2020 17:32:15.407: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:switchport trunk encapsulation dot1q
Nov 30 2020 17:32:15: Applying command... 'switchport mode trunk' at Gi0/4
Nov 30 2020 17:32:15.428: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:switchport mode trunk
Nov 30 2020 17:32:15: Applying command... 'switchport trunk native vlan 994' at Gi0/4
Nov 30 2020 17:32:15.438: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:switchport trunk native vlan 994
Nov 30 2020 17:32:15: Applying command... 'spanning-tree portfast trunk' at Gi0/4
Nov 30 2020 17:32:15.443: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:spanning-tree portfast trunk
Nov 30 2020 17:32:15.449: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 00af.1feb.1a04| AuditSessionID 000000000000007208C9DBC0| EVENT APPLY

CISP Debug Authenticator
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Received action Link UpDown
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Authenticator received event Link UP in state Waiting link UP
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Transmitting a CISP Packet
Nov 30 2020 17:32:19: CISP-TXPAK (Gi0/4): Code:RESPONSE ID:0x0 Length:0x0018 Type:HELLO
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Proposing CISP version: 1
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Started 'hello' timer (5s)
Nov 30 2020 17:32:19: CISP-EVENT: Started CISP tick timer
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Authenticator state changed to Idle
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Sync supp_id: 0


The interface on the supplicant is still UP/DOWN.

Any hints or ideas???

Best Regards
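The two captures above differ in which side ever starts its CISP state machine: the authenticator sends its HELLO and goes Idle, while the supplicant handles that packet in state "Not Running" and reports Error. As an added example that is not part of this thread or of Cisco's tooling, the following Python script parses debug cisp lines (the sample lines are constructed here in the same format as the captures) per interface and flags exactly that supplicant-side condition, so both captures can be compared mechanically.

```python
import re

# Constructed sample lines, in the format of the 'debug cisp' output quoted in the post
SUPPLICANT_LOG = """\
Nov 30 2020 18:32:15: CISP-RXPAK (Gi0/4): Code:RESPONSE ID:0x0 Length:0x0018 Type:HELLO
Nov 30 2020 18:32:15: CISP-EVENT (Gi0/4): Supplicant received event Receive Packet in state Not Running
Nov 30 2020 18:32:15: CISP-EVENT (Gi0/4): Error
"""
AUTHENTICATOR_LOG = """\
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Authenticator received event Link UP in state Waiting link UP
Nov 30 2020 17:32:19: CISP-TXPAK (Gi0/4): Code:RESPONSE ID:0x0 Length:0x0018 Type:HELLO
Nov 30 2020 17:32:19: CISP-EVENT: Started CISP tick timer
Nov 30 2020 17:32:19: CISP-EVENT (Gi0/4): Authenticator state changed to Idle
"""

# timestamp, message class (EVENT / RXPAK / TXPAK), optional interface, free-text message
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d(?:\.\d+)?: "
    r"CISP-(?P<kind>EVENT|RXPAK|TXPAK)(?: \((?P<intf>[^)]+)\))?: (?P<msg>.*)$")
EVENT_RE = re.compile(
    r"^(?P<role>Supplicant|Authenticator) received event (?P<event>.+?) in state (?P<state>.+)$")
PAK_RE = re.compile(r"Type:(?P<type>\w+)$")

def parse_cisp(log):
    """Return one dict per recognised line: kind, intf, msg and, for state-machine
    events, role/event/state; for RX/TX packets, the CISP packet type (e.g. HELLO)."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        sub = EVENT_RE.match(e["msg"]) if e["kind"] == "EVENT" else PAK_RE.search(e["msg"])
        if sub:
            e.update(sub.groupdict())
        entries.append(e)
    return entries

def diagnose(log):
    """Summarise a capture per interface (lines without an interface land under '-') and
    flag the failure shown in the thread: a packet handled while the supplicant side is
    'Not Running', i.e. CISP never started there, which the switch then reports as Error."""
    out = {}
    for e in parse_cisp(log):
        s = out.setdefault(e["intf"] or "-", {"rx": [], "tx": [], "states": [], "problems": []})
        if e["kind"] in ("RXPAK", "TXPAK"):
            s["rx" if e["kind"] == "RXPAK" else "tx"].append(e.get("type", "?"))
        elif "state" in e:
            s["states"].append(e["state"])
            if e["role"] == "Supplicant" and e["state"] == "Not Running":
                s["problems"].append(f"{e['event']} while supplicant CISP is Not Running")
        elif e["msg"] == "Error":
            s["problems"].append("Error")
    return out
```

Run diagnose() over both captures: the authenticator side shows a transmitted HELLO and no problems, the supplicant side shows the received HELLO plus the two flagged entries.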
