Scenario:
As part of a global security project you want to control which machines are granted access to your wired or wireless network. This calls for port-based Network Access Control.
The IEEE 802.1x standard is an implementation of exactly that. It is often used in wireless networks to authenticate users' WLAN access with smart cards, but it works on a wired network as well. The underlying protocol carried by 802.1x is EAP.
EAP itself comes in several methods: EAP-PEAP, EAP-MD5, ... (EAP-MD5 gives no server authentication and derives no keying material, so it is a poor choice on any network an attacker can plug into.)
I will show an example of machine authentication against Active Directory on a Cisco wired network. I will use EAP-PEAP as it is simple and strong enough for my needs.
- First, you need an Active Directory domain with Certificate Services (the PKI role) running on the DC. Install the IAS service (Microsoft's RADIUS server) on the DC and issue a new server certificate for it (friendly name Radius1).
- Create a new security group named 802.1x_Auth. Open the IAS MMC and stop the service. Then right-click the local IAS server, choose Register Server in Active Directory and accept, so that IAS is allowed to read account information from AD.
- Create a new RADIUS client with the relevant information (name, IP); as Client-Vendor choose RADIUS Standard.
- Choose a strong pre-shared key to share with the authenticator (the switch). This secret is all that authenticates the switch to IAS and protects the keying material IAS returns in the Access-Accept, so make it long and random, and use a different one per switch.
- Choose Remote Access Logging and select all the checkboxes to get activity logs.
- Delete all the unused Remote Access Policies.
- Create a new one with an explicit name, then Next.
- Choose the Ethernet radio button, Next.
- Add the 802.1x_Auth group you created earlier, Next.
- For the EAP type select PEAP, then click Configure.
- Choose the certificate you issued for IAS (Radius1).
- Select Fast Reconnect.
- Select EAP-MSCHAP v2 as the EAP type.
- After you finish you need to reopen the policy properties and change the NAS-Port-Type condition from Ethernet to Async: the requests coming from the switch report the port as Async, and a request whose NAS-Port-Type does not match the condition falls through the policy and is rejected.
- Start the IAS service.
The last steps are to configure your Windows XP machines:
- Join the machines to your domain.
- In Active Directory Users and Computers, open the properties of the machine you want.
- Add it to the 802.1x_Auth group.
- On the Dial-in tab, choose Grant Access.
- Be careful: configuring 802.1x differs between XP SP2 and XP SP3 machines.
For XP SP3 machines you must follow this link. In the Protected EAP Properties you need to select Validate server certificate and also tick the trusted root certification authority that issued the IAS certificate. Without that check the supplicant would complete PEAP with any RADIUS server that presents a certificate, so a rogue switch or access point with its own RADIUS server could harvest the inner MS-CHAP v2 exchange.
At last, you must configure the Cisco switch (here a 3750) like this:
conf t
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host [IAS IP server]
radius-server key [pre-shared key]
The key must be exactly the one you entered for the RADIUS client in IAS.
For each interface on which you want to activate 802.1x you need at least this:
conf t
int f1/0/13
switchport access vlan X
dot1x port-control auto
dot1x guest-vlan Y
The dot1x guest-vlan line places a machine that does not speak 802.1x at all (no supplicant answering the EAPOL requests) into guest VLAN Y instead of VLAN X. A machine that does have a supplicant but fails authentication is not moved to the guest VLAN; it simply stays unauthorized on the port.
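To see what the pre-shared key from the IAS client step and the radius-server key line actually do on the wire, and why the NAS-Port-Type condition in the policy has to match what the switch sends, here is an added Python model of the RADIUS exchange (example code, not from the original post or from Cisco or Microsoft). It builds the Access-Request the switch sends for the first EAPOL frame, verifies the Message-Authenticator and Response Authenticator that the shared secret produces, and applies a NAS-Port-Type check like the policy condition. The secret, the machine identity host/pc1.example.corp and the packet ID are constructed values; only the EAP Identity round-trip is modelled, not the PEAP TLS tunnel that follows.

```python
"""Model of the RADIUS exchange between a Cisco switch (authenticator) and IAS.

Constructed example (not the page's own code): builds the Access-Request the
switch sends for an EAPOL frame, checks the Message-Authenticator and Response
Authenticator derived from the shared secret ('radius-server key'), and shows
why the policy's NAS-Port-Type condition must match what the switch sends.
"""
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865, RFC 2869 and RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
PORT_TYPE_ASYNC, PORT_TYPE_ETHERNET = 0, 15


def attr(atype, value):
    """Encode one attribute as Type | Length | Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value), ...] from the attribute section of a packet."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(secret, ident, username, eap_payload, nas_port_type,
                         request_auth=None):
    """Build an Access-Request as the switch does for an EAPOL frame it relays."""
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", nas_port_type))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while hashing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    # RFC 3579: HMAC-MD5 with the secret over the whole packet, MA value zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def _ma_value_offset(packet):
    i = 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return i + 2
        i += alen
    raise ValueError("no Message-Authenticator attribute")


def verify_message_authenticator(secret, packet):
    """Server-side check that the request came from a client holding the secret."""
    off = _ma_value_offset(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_response(secret, request, code, attrs=b""):
    """Reply whose Response Authenticator = MD5(Code|ID|Len|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request, response):
    """What the switch must check before trusting an Access-Accept."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def policy_matches(packet, required_port_type):
    """Mimic the policy's NAS-Port-Type condition: no match, no policy, reject."""
    for atype, value in parse_attrs(packet[20:]):
        if atype == NAS_PORT_TYPE:
            return struct.unpack("!I", value)[0] == required_port_type
    return False


def demo():
    """Run one exchange end to end and return the checks as a dict."""
    secret = b"constructed-shared-secret-change-me"  # the 'radius-server key'
    identity = b"host/pc1.example.corp"              # constructed machine account
    # EAP Response/Identity: Code 2, Id 1, Length, Type 1 (Identity), identity.
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    # This switch reports its port as Async (0), not Ethernet (15).
    request = build_access_request(secret, 42, identity.decode(), eap, PORT_TYPE_ASYNC)
    tampered = bytearray(request)
    tampered[25] ^= 0x01                              # flip a byte of User-Name
    accept = build_response(secret, request, ACCESS_ACCEPT)
    forged = build_response(b"wrong-secret", request, ACCESS_ACCEPT)
    return {
        "request_ma_ok": verify_message_authenticator(secret, request),
        "tampered_ma_ok": verify_message_authenticator(secret, bytes(tampered)),
        "accept_ok": verify_response(secret, request, accept),
        "forged_accept_ok": verify_response(secret, request, forged),
        "matches_ethernet_policy": policy_matches(request, PORT_TYPE_ETHERNET),
        "matches_async_policy": policy_matches(request, PORT_TYPE_ASYNC),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two authenticators are the only thing standing between the switch and a forged Access-Accept from anyone who can reach UDP/1812, which is why the shared secret deserves the same care as a password; and a request carrying NAS-Port-Type Async never matches a policy whose condition says Ethernet, which is the reason for the last policy step above.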
For troubleshooting you can use:
sh dot1x all
(or sh dot1x interface f1/0/13 to look at a single port).
For the IAS side, see Event Viewer > System, where IAS logs every accepted and rejected request together with the reason.