Written by Robert Weddle, CCIE DC #50599

Edited and Published by Nathaniel Wessels, ACMA, BADCS, BAEFS, BAFCoES, BAIS, BCEFE, BCFA, BCND, BCNE, BCNP, JNCIA-JUNOS, JNCIS-SEC, MCP, VCP

Dot1x controls allow a network admin to apply role-based policies across the network, along with other possible features. In this document I’m going to show a MAC-auth-bypass setup for an N-series switch, along with the server backend configuration, to authenticate a phone and place it in a different VLAN.

NOTE: MAC-Auth-Bypass is not necessarily a secure method of authenticating, but it is still in use today; hence this example.

Switch config:


The N-series can be configured to perform this function; the following is the switch-side configuration.

Global Config:

authentication enable – this allows the switch to perform authentication
dot1x system-auth-control – enables port-based dot1x authentication before traffic can be passed
aaa authentication dot1x default radius – tells the switch to use the configured RADIUS server for dot1x attempts
aaa authorization network default radius – lets the RADIUS server supply VLAN changes based upon dot1x rules
radius-server host auth <SERVERIP> – configures the IP address to send dot1x authentication attempts to
name "Default-RADIUS-Server"
usage 802.1x
key "<SERVERKEY>" – this key is a string that has to match what is configured on the RADIUS server for this device
exit

We’ll also need to be able to communicate with the server, so the switch has to have an IP address on an interface that is up, a default route, and a path to reach the server.

ip route 0.0.0.0 0.0.0.0 <DefaultGateway>

int vlan 1
ip address <SwitchIP> <MASK>

Port configuration:

Uplink port:

int gi1/0/47
switchport mode trunk
dot1x port-control force-authorized – we have to force the uplink port into an authorized state so it will pass traffic.

Host facing ports:

int gi1/0/3
switchport mode general – we need to use general mode if we’re going to change VLANs.
dot1x port-control mac-based – sets the port to perform MAC-based authentication
dot1x reauthentication – allows dot1x reauthentication to be attempted
dot1x mac-auth-bypass – tells the switch to forward the MAC address as the username and password
authentication order mab – tells the switch the order in which to attempt dot1x authentication methods; in this scenario I’ve hard set it to MAC-auth-bypass only

With this setup, and assuming the backend server is set up properly, authentication is performed using the device’s MAC address as both the username and the password, with the EAP-MD5 type. For my testing I used a phone:

Verification


show dot1x interface <interface>

This shows me that dot1x is enabled globally by the administrative mode, that I’m allowing VLAN changes from the RADIUS server, that the port passed authentication based upon the oper mode and the AuthPAE state, and the VLAN that RADIUS returned for us to use, which is 20. You can also see the username sent to RADIUS listed here, which is the MAC address without any delimiting characters. There is more we can do with attributes, but this is a basic authentication using the MAC address only.

show authentication statistics <interface>

This output shows the number and type of authentication attempts made from the interface. Notice all of ours are MAB attempts or MAB failures, because of the MAC-auth-bypass we’re using.


Server config:


For my RADIUS server configuration I am utilizing Windows 2008 R2 that is checking against AD to ensure the user exists and is part of the correct security group.  For a quick primer on how to install NPS on 2008 R2 please utilize the following link:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

I retrieved this from the Aruba forums as we usually see 802.1x in Wireless, plus I like this guide.

The first thing we have to ensure is that the switch exists as a RADIUS Client with the same key that is configured in its global configuration.


Next we have to ensure that our Network Policy is set up to perform the authentication check.

Let’s take a deeper look at the policy we’ve setup by right clicking and selecting properties.

First is the Overview tab, which shows the policy as enabled, its name, and whether it is set to grant or deny access. The network connection method should be Unspecified for switches.

Then the Conditions tab, which states what conditions the connection request has to match before access is granted or denied. As you can see, the condition is that the request matches against the security group Switches on our domain.

The Constraints tab is where you change what types of requests are allowed; if the constraints are not met, network access will be denied. For now we only have MD5 and MSCHAPv2 set up. A note on MD5 – this is the EAP type used by our switches, but Microsoft removed it in Server 2008 and Windows Vista. To re-enable it you have to perform a registry edit. This is REQUIRED; otherwise the EAP type will not negotiate and fail, and authentication will not occur. FreeRADIUS still supports MD5.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/e801bdac-9347-4efb-9d7c-bcf4d64aa927/nps-eapmd5

The last tab is Settings, where you define the attributes to send back to the switch. In our case we are sending back attributes that move anyone who authenticates to the switch into VLAN 20 and allow them access.

This is accomplished with Tunnel-Medium-Type 802, Tunnel-Pvt-Group-ID 20, and Tunnel-Type Virtual LANs (VLAN). If we just wanted to allow access we would only need Framed-Protocol PPP and Service-Type Administrative.
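To make the reply concrete, here is an added example (stdlib-only Python, not code from the article, Dell or Microsoft) that builds the Access-Accept NPS would send with the three tunnel attributes above, checks the Response Authenticator the way the switch does with the shared key, and extracts the assigned VLAN. Attribute numbers and enum values are from RFC 2865/2868; the VLAN id 20 is the article’s, and the identifier, request authenticator and secret are constructed placeholders.

```python
"""Access-Accept with Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID.

Added example; not from the original article. Attribute numbers and values
follow RFC 2865/2868. Identifier, authenticator and secret are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13         # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6    # "802" in the NPS dialog


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, value):
    """Tagged integer form used by Tunnel-Type and Tunnel-Medium-Type."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(identifier, request_authenticator, secret, vlan_id, tag=0):
    """Return the Access-Accept bytes a RADIUS server sends to the switch."""
    attrs = (
        _attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 s.3): MD5 over the reply header, the
    # request's authenticator, the attributes and the shared secret.
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """What the switch does with the reply: recompute the MD5 and compare.

    A reply built with a different shared secret fails here, which is why the
    key on the switch and on the NPS RADIUS client entry must match.
    """
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if len(packet) < 20 or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the attribute list into {type: [value, ...]}, rejecting bad lengths."""
    attrs = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def _strip_tag(value):
    """RFC 2868: a leading byte <= 0x1F is a tag; otherwise it is part of the string."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(packet):
    """Return the VLAN id the reply assigns, or None if the trio is incomplete."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet)
    try:
        tunnel_type = int.from_bytes(attrs[TUNNEL_TYPE][0][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][0][1:], "big")
        group = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID][0]).decode()
    except (KeyError, IndexError, UnicodeDecodeError):
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    # Constructed values: in practice they come from the switch's Access-Request.
    req_auth = bytes.fromhex("0123456789abcdef0123456789abcdef")
    secret = b"<SERVERKEY>"
    reply = build_access_accept(0x2A, req_auth, secret, 20)
    print("authenticator ok:", verify_response_authenticator(reply, req_auth, secret))
    print("assigned VLAN:", vlan_from_access_accept(reply))
```

The parser deliberately returns None rather than guessing when any of the three attributes is missing or the tunnel type is not VLAN; that is the case where a switch leaves the port in its configured VLAN, which is what to look for when the RADIUS-returned VLAN in "show dot1x interface" is not the one you expect.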


So we have our NPS server and our switch set up, but we’re still not passing authentication. If we check the system event log we see the following:

This has to do with how passwords are stored by default in AD. AD stores passwords in a form that cannot be used to answer the MD5 challenge. To change this we need to allow AD to store the password using reversible encryption.

NOTE: This should not be enabled domain-wide. Also, notice the user logon name is all caps. It must be set this way on the server because the N-series switch sends the username (the MAC address) in all caps.

Alright, I checked the box and attempted to authenticate again, but it failed. Again, this has to do with how AD stores passwords. Even though we checked the box to store the password using reversible encryption, it doesn’t take effect until the password has been changed. So, to get around this, copy the username (the MAC address), right click on the user and select Reset Password, then paste the address into the password and verify fields. Now the password is stored properly and can be authenticated against.
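The two points made above (the switch sends the MAC as username and password with EAP-MD5, and NPS can only answer the MD5 challenge when it holds the reversibly stored plaintext) can be seen in an added example. This is stdlib-only Python written for this page, not code from the article, Dell or Microsoft; the MAC, the challenge bytes and the EAP identifier are constructed, and the "directory" is a plain dictionary standing in for the AD lookup.

```python
"""MAB username normalisation and the EAP-MD5 check the RADIUS server performs.

Added example; not from the original article. Packet layout follows RFC 3748
(EAP) and RFC 1994 (MD5 response = MD5(Identifier || secret || Challenge)).
All inputs below are constructed.
"""
import hashlib
import hmac
import re
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4   # RFC 3748 s.5.4


def mab_username(mac):
    """Normalise a MAC to the form the article shows the N-series sending:
    12 hex digits, upper case, no delimiting characters."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits) or re.search(r"[^0-9a-fA-F:.\-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def build_md5_challenge(identifier, challenge, name=b"NPS"):
    """EAP-Request/MD5-Challenge: Code, Id, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def eap_md5_response_value(identifier, password, challenge):
    """The 16-byte response: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def build_md5_response(identifier, password, challenge, name):
    """EAP-Response/MD5-Challenge as the switch sends it on the supplicant's behalf."""
    value = eap_md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_md5_packet(packet):
    """Return (code, identifier, value, name); raise on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + size], packet[6 + size:].decode()


def server_check(response_packet, challenge, lookup_plaintext):
    """What the server must do: fetch the *plaintext* password for the Name and
    recompute the hash. A one-way stored hash cannot be used for this, which is
    why the AD account needs "store password using reversible encryption", and
    why the password must match the switch's upper-case username exactly."""
    code, identifier, value, name = parse_md5_packet(response_packet)
    if code != EAP_RESPONSE:
        return False
    stored = lookup_plaintext(name)
    if stored is None:
        return False
    expected = eap_md5_response_value(identifier, stored, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    user = mab_username("00:11:22:aa:bb:cc")                        # constructed MAC
    resp = build_md5_response(7, user, challenge, user)
    print(server_check(resp, challenge, {user: user}.get))          # account set as the article says
    print(server_check(resp, challenge, {user: user.lower()}.get))  # password typed in lower case
```

The second call fails only because of letter case, which is the failure mode the note about the all-caps logon name describes: the switch hashes the upper-case MAC, so an account whose password was pasted in lower case never matches, and the event log shows a failed MD5 challenge rather than an unknown user.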