Sunday, August 8, 2010

Dot1x Authentication

One neat feature I've been able to experiment with lately is port-based 802.1X authentication. Essentially, it allows devices directly attached to your switch ports to authenticate against a RADIUS server. In a high-security environment, or one where devices are swapped frequently, you may decide it is best to allow network access only to individuals who have already been configured in RADIUS.

If a switch port has been configured to require 802.1X authentication, the user is forced to present domain credentials in order to gain network access. One caveat is that the PC connecting to the switch port must support EAPOL (Extensible Authentication Protocol over LAN) in order to communicate with the switch at all. Once the PC is physically connected, the switch port can operate in one of three modes. The first is "Unauthorized" (force-unauthorized), which passes no traffic at all, even after a successful authentication with the RADIUS server. The second is "Authorized" (force-authorized), which passes traffic even if the device could not authenticate with RADIUS. The third, and the only viable mode for real use, is "Auto", which passes traffic only once the PC/device has authenticated with a RADIUS server. Each port defaults to the "Authorized" state when 802.1X is enabled globally, which leaves every port with full network access. The first thing you should do is select them all with an interface range command and set them to Auto mode.
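As an added example (not code from the original post), the following Python decodes the EAPOL frames exchanged between the supplicant (the PC) and the authenticator (the switch) during the authentication described above, so the exchange can be read from a packet capture. Field layouts follow IEEE 802.1X for the EAPOL header and RFC 3748 for the EAP header; the MAC addresses, identity string and sample frames are constructed for illustration. Note that the EAP-Response/Identity travels in cleartext on the wire, which is why tunnelled methods such as PEAP protect the actual credential exchange inside TLS.

```python
"""Decode 802.1X EAPOL frames and the EAP packets they carry.

Added example, not code from the original post. Field layouts follow
IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header); the MAC addresses,
identity string and sample frames below are constructed for illustration.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC
ETHERTYPE_EAPOL = 0x888E
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed: the PC
SWITCH_MAC = bytes.fromhex("00aabbccddee")      # constructed: the switch

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(pkt: bytes) -> dict:
    """Parse an EAP packet: code(1) id(1) length(2) [type(1) data...]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with payload")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length >= 5:  # Request/Response carry a type byte
        etype = pkt[4]
        out["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        out["data"] = pkt[5:length]
    return out


def decode_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL length field exceeds captured bytes")
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # EAP-Packet: an EAP message follows the EAPOL header
        info["eap"] = decode_eap(body)
    return info


def build_eap(code: int, ident: int, etype: int = None, data: bytes = b"") -> bytes:
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


# Constructed exchange: the PC announces itself, the switch asks who it is,
# the PC answers, and (after the RADIUS round trip) the switch reports success.
SAMPLE_EXCHANGE = [
    build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 1),                     # EAPOL-Start
    build_eapol(SUPPLICANT_MAC, SWITCH_MAC, 0, build_eap(1, 1, 1)),      # Request/Identity
    build_eapol(SWITCH_MAC, SUPPLICANT_MAC, 0,
                build_eap(2, 1, 1, b"alice@corp.example")),              # Response/Identity
    build_eapol(SUPPLICANT_MAC, SWITCH_MAC, 0, build_eap(3, 2)),         # Success
]


def summarize_exchange(frames) -> list:
    """One human-readable line per frame, in capture order."""
    lines = []
    for frame in frames:
        d = decode_eapol(frame)
        if "eap" in d:
            e = d["eap"]
            desc = f"EAP {e['code']}"
            if "type" in e:
                desc += f"/{e['type']}"
                if e["data"]:
                    desc += f" {e['data'].decode('latin-1')!r}"
        else:
            desc = d["eapol_type"]
        lines.append(f"{d['src']} -> {d['dst']}: {desc}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize_exchange(SAMPLE_EXCHANGE)))
```

Running the block prints the four-step exchange; the decoder rejects frames whose EAPOL or EAP length fields disagree with the captured bytes rather than reading past them.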

In order for a Windows PC to use the EAPOL authentication method, the "Wireless Zero-Config" and "Wired Zero-Config" services must be running, and preferably set to start automatically. These services are absolutely required to perform any authentication from the PC to the switch and on to the RADIUS server.

The configuration is rather simple; however, the overall administration and maintenance may prove too much for the majority of network teams.

1. Enable AAA on the switch
(Config)#aaa new-model

2. Define the RADIUS server
(Config)#radius-server host 10.0.0.1 key MYSECRETKEY

3. Define authentication method as 802.1X
(Config)#aaa authentication dot1x default group radius

4. Enable dot1x on the switch globally
(Config)#dot1x system-auth-control

5. Configure each switch port for 802.1X
(Config)#interface range GigabitEthernet0/1 - 48
(Config-if)#dot1x port-control [force-authorized | force-unauthorized | auto]

Optionally, you can configure the 802.1X port to allow multiple hosts on the switch port. This is done on a per-interface basis:
(Config-if)#dot1x host-mode multi-host

This is essentially all you need to configure a switch to support 802.1X authentication. You will now have much stronger security on access-layer switch ports in any network environment. It is, however, vital to point out the reliance on RADIUS server capacity. Every time a device plugs into the network access layer, an authentication request is made. This places a drastic load on the RADIUS servers, and it is absolutely vital to provide 3-4 RADIUS servers for redundancy and load balancing.
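Because a port left at the default force-authorized state passes all traffic, a quick way to verify the procedure above was applied everywhere is to audit the running-config rather than trust the change was made. The following Python is an added example (not code from the original post): it checks for the global commands from steps 1 to 4, counts the RADIUS servers defined for redundancy, and flags any access port whose port-control is missing or not set to auto. The sample running-config is constructed; the command syntax is the one used in the steps above.

```python
"""Audit a Cisco IOS running-config for the 802.1X settings described above.

Added example, not code from the original post. Checks the global
AAA/RADIUS/dot1x lines and flags access ports whose port-control is not
'auto'. SAMPLE_CONFIG is constructed; its command syntax matches the post.
"""
import re

REQUIRED_GLOBALS = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
]
MIN_RADIUS_SERVERS = 2  # a single RADIUS server is a single point of failure


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [sub-commands]} from IOS-style indented blocks."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the interface block
    return interfaces


def audit_dot1x(config: str) -> list:
    """Return a list of finding strings; an empty list means the config passes."""
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    for cmd in REQUIRED_GLOBALS:
        if cmd not in lines:
            findings.append(f"missing global command: {cmd}")
    servers = re.findall(r"^radius-server host (\S+)", config, re.M)
    if len(servers) < MIN_RADIUS_SERVERS:
        findings.append(f"only {len(servers)} RADIUS server(s) defined; "
                        f"want >= {MIN_RADIUS_SERVERS} for redundancy")
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks/uplinks are outside the scope of port-based auth
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("dot1x port-control")), None)
        if mode is None:
            findings.append(f"{name}: no dot1x port-control "
                            "(defaults to force-authorized, all traffic allowed)")
        elif mode != "auto":
            findings.append(f"{name}: dot1x port-control {mode} bypasses authentication")
    return findings


# Constructed running-config: one correct port, one forced open, one untouched.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.1 key MYSECRETKEY
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/48
 switchport mode trunk
"""

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from each access switch; a clean result is an empty list, and each finding names the command or interface to fix.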

Kyle
