Configuring User AAA authentication and 802.1X port-based authentication in GNS3
[LEFT][QUOTE][url]http://brezular.wordpress.com/2010/12/21/ccnp-switch-and-gns3-%E2%80%93-part-2-3-lab-configuring-user-aaa-authentication-and-802-1x-port-based-authentication/[/url][/QUOTE]
[B]Scenario[/B]
You start your new career as a network professional at a company responsible for the Prepare, Plan, Design and Implement phases of AAA user authentication and 802.1X port-based authentication in a customer network.
Because you are new to the team, you need to prove to your boss that you have sufficient knowledge to take part in the Implement phase of this project. For this purpose a test network has been built for you in the company lab, and you are told to configure all the steps listed in the task list.
[U]Note:[/U] The Radius_LiSA server is already configured for user and port-based authentication; only the network settings that connect Radius_LiSA to the Access switch still need to be configured. An 802.1X supplicant (client) is installed on PC1 and PC2.
[B]Topology:[/B]
[URL="http://brezular.files.wordpress.com/2010/12/topology-resized.jpeg"][IMG]http://brezular.files.wordpress.com/2010/12/topology-resized.jpeg?w=317&h=289[/IMG][/URL]
[B]Tasks:[/B]
[B]1/[/B] The PC1 and PC2 switch ports are placed in access VLAN 2 and must go to the forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.
[B]2/[/B] The switch ports connecting the Radius server and the Management PC are configured for Management VLAN 5 and must go to the forwarding state immediately when the ports become physically active. DTP must be disabled on both switch ports.
[B]3/[/B] The VLAN 2 interface on the Access switch is configured with the last usable IP address from the 192.168.2.0/26 subnet.
[B]4/[/B] PC1 and PC2 should be assigned IP addresses automatically from the 192.168.2.0/26 subnet.
[B]5/[/B] The first usable IP address from the 192.168.5.0/28 subnet is assigned to the Radius_LiSA VLAN 5 interface. The last usable IP address from 192.168.5.0/28 is assigned to the VLAN 5 switch interface. A default route must be configured on the Linux Radius_LiSA server so it can reach subnets outside VLAN 5. The username/password for Radius_LiSA is [I]root[/I]/[I]password[/I].
[B]6/[/B] The Management PC should be configured with the statically assigned IP address 192.168.5.2/28. Its username/password is [I]root[/I]/[I]root[/I].
[B]7/[/B] PCs in the Access VLAN can reach each other and PCs in other VLANs, but not PCs in the Management VLAN.
[B]8/[/B] The switch must be configured for remote access over a secure vty session. Remote switch administration must be allowed only from the Management PC. The local username/password is [I]backup[/I]/[I]backup[/I]; the password to privileged EXEC mode is [I]backup[/I].
[B]9/[/B] Users on PC1 and PC2 connecting to the Access switch's ports must be authenticated before they are given access to the network. The Management PC and the Radius_LiSA server are allowed onto the network without authentication.
The RADIUS server key is [I]cisco123[/I] and the server listens on UDP port 1812 for authentication sessions.
[B]10/[/B] Login to the switch console or via vty must be authenticated externally to the switch. The username/password for level 1 access is [I]admin[/I]/[I]cisco[/I]; the password to privileged EXEC mode is [I]cisco[/I].
If the RADIUS server is not reachable, the local user credentials should be used as backup access to the Access switch. Similarly, the local password to privileged EXEC mode may only be used when the RADIUS server is inaccessible.
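Task 7 is where the stateless nature of an IOS access list tends to surprise people. The following Python model is added here and is not part of the original post: it evaluates the extended ACL that the solution section applies inbound on the VLAN 2 interface (deny 192.168.2.0/26 to 192.168.5.0/28, then permit any) with Cisco wildcard-mask semantics and first-match-wins, over a handful of constructed flows. The PC1 address 192.168.2.1 is an assumed DHCP lease and 192.168.3.10 an assumed host in some other routed VLAN; the remaining addresses come from the tasks.

```python
"""How IOS evaluates extended ACL 100 from task 7. Added example, not code from the original post."""
import ipaddress
from typing import List, NamedTuple


class Ace(NamedTuple):
    """One access-control entry: action, source and destination with Cisco wildcard masks."""
    action: str
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(src, ace.src, ace.src_wildcard) and matches(dst, ace.dst, ace.dst_wildcard):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")          # what the keyword 'any' expands to

# access-list 100 as applied 'in' on interface vlan 2 by the solution to task 7
ACL_100 = [
    Ace("deny", "192.168.2.0", "0.0.0.63", "192.168.5.0", "0.0.0.15"),
    Ace("permit", *ANY, *ANY),
]

# Addresses from the tasks; the PC1 lease and the 192.168.3.10 host are assumed
PC1, SVI_VLAN2, SVI_VLAN5 = "192.168.2.1", "192.168.2.62", "192.168.5.14"
RADIUS_LISA, MGMT_PC = "192.168.5.1", "192.168.5.2"


def vlan2_inbound_decisions(acl: List[Ace] = ACL_100) -> dict:
    """Decision for each packet as it enters the switch on VLAN 2, the only place ACL 100 applies."""
    flows = {
        "PC1 -> DHCP discover (broadcast)": (PC1, "255.255.255.255"),
        "PC1 -> VLAN 2 gateway": (PC1, SVI_VLAN2),
        "PC1 -> another routed VLAN": (PC1, "192.168.3.10"),
        "PC1 -> Radius_LiSA": (PC1, RADIUS_LISA),
        "PC1 -> Management PC (also the reply to a ping the Management PC started)": (PC1, MGMT_PC),
        "PC1 -> switch VLAN 5 SVI (ssh attempt)": (PC1, SVI_VLAN5),
    }
    return {name: evaluate(acl, src, dst) for name, (src, dst) in flows.items()}


def without_permit_any() -> dict:
    """The same flows against ACL 100 with its final 'permit ip any any' removed."""
    return vlan2_inbound_decisions(ACL_100[:1])


if __name__ == "__main__":
    for name, decision in vlan2_inbound_decisions().items():
        print(f"{decision:6}  {name}")
    print("implicit deny only:", set(without_permit_any().values()))
```

Two things the output makes visible: the deny entry also matches the echo reply PC1 sends to a ping the Management PC started, because an inbound ACL cannot tell a request from a reply (nothing stops a VLAN 5 host from initiating towards VLAN 2, only the replies are lost), and dropping the final permit entry leaves the implicit deny, which kills DHCP and even traffic to the VLAN 2 gateway. Traffic between PC1 and PC2 stays inside VLAN 2 at layer 2 and never reaches the SVI, so the ACL never sees it.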
[B]Solution:[/B]
[B]1/ [/B]Access switch configuration[INDENT]Router(config)#hostname Access
Access(config)#vlan 2
Access(config-vlan)#name Access
Access(config-vlan)#vlan 5
Access(config-vlan)#name Management
Access(config-vlan)#exit
Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 2
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#exit
Access(config)#do write[/INDENT][I]switchport mode access[/I] fixes the port as non-trunking, but the port may still send DTP frames; where the platform accepts it, add [I]switchport nonegotiate[/I] to switch DTP off completely. [I]spanning-tree portfast[/I] skips the listening and learning states on an edge port, which is what "forwarding immediately" asks for.
[B]2/ [/B]Access switch configuration[INDENT]Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 5
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#exit
Access(config)#do write[/INDENT][B]3/ [/B]Access switch configuration[INDENT]Access(config)#interface vlan 2
Access(config-if)#ip address 192.168.2.62 255.255.255.192
Access(config-if)#no shutdown
Access(config-if)#exit[/INDENT][B]4/ [/B]Access switch configuration[INDENT]Access(config)#ip dhcp excluded-address 192.168.2.62
Access(config)#ip dhcp pool Lab
Access(dhcp-config)#network 192.168.2.0 /26
Access(dhcp-config)#default-router 192.168.2.62
Access(dhcp-config)#exit[/INDENT][B]5/ [/B]Radius_LiSA and Access switch configuration
Radius_LiSA:[INDENT][root@lisa ~]# swcli
lisa#configure terminal
lisa(config)#hostname Radius_LiSA
Radius_LiSA(config)#vlan 5
Radius_LiSA(config-vlan)#name Management
Radius_LiSA(config-vlan)#exit
Radius_LiSA(config)#interface ethernet 0
Radius_LiSA(config-if)#switchport mode access
Radius_LiSA(config-if)#switchport access vlan 5
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#interface vlan 5
Radius_LiSA(config-if)#ip address 192.168.5.1 255.255.255.240
Radius_LiSA(config-if)#no shutdown
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#exit
Radius_LiSA#write memory
Radius_LiSA#exit
[root@lisa ~]# route add default gw 192.168.5.14[/INDENT]Access switch:[INDENT]Access(config)#interface vlan 5
Access(config-if)#ip address 192.168.5.14 255.255.255.240
Access(config-if)#no shutdown
Access(config-if)#do write[/INDENT][B]6/[/B] Management PC (Microcore Linux) configuration[INDENT]tc@box:~$ su
Password:
root@box:~# echo "ifconfig eth0 192.168.5.2 netmask 255.255.255.240" >> /opt/bootlocal.sh
root@box:~# echo "route add default gw 192.168.5.14" >> /opt/bootlocal.sh
root@box:~# /opt/bootlocal.sh
root@box:~# /usr/bin/filetool.sh backup[/INDENT][B]7/ [/B]Access switch configuration[INDENT]Access(config)#ip access-list extended 100
Access(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.63 192.168.5.0 0.0.0.15
Access(config-ext-nacl)#permit ip any any
Access(config-ext-nacl)#exit
Access(config)#interface vlan 2
Access(config-if)#ip access-group 100 in
Access(config-if)#exit[/INDENT]The ACL is stateless and applied inbound on VLAN 2 only, so it also drops the replies PC1 and PC2 send to a session the Management PC started; nothing stops a VLAN 5 host from initiating traffic towards VLAN 2, only the replies are lost. The trailing [I]permit ip any any[/I] is required: without it the implicit deny would also drop DHCP and traffic to the VLAN 2 gateway.
[B]8/[/B] Access switch configuration[INDENT]Access(config)#enable secret backup
Access(config)#username backup secret backup
Access(config)#ip domain-name company.lab
Access(config)#crypto key generate rsa modulus 2048
Access(config)#ip ssh version 2
Access(config)#ip access-list standard 10
Access(config-std-nacl)#permit host 192.168.5.2
Access(config-std-nacl)#exit
Access(config)#line vty 0 15
Access(config-line)#transport input ssh
Access(config-line)#login local
Access(config-line)#access-class 10 in
Access(config-line)#exit
Access(config)#do write[/INDENT]Generate the key pair before enabling SSH version 2: the key needs the hostname and domain name already set, and IOS refuses [I]ip ssh version 2[/I] until an RSA key pair of at least 768 bits exists, so 2048 bits are used here. [I]access-class 10 in[/I] restricts the vty lines to the Management PC on top of ACL 100, and [I]transport input ssh[/I] drops Telnet. [I]login local[/I] is superseded by the AAA login method list of task 10 once [I]aaa new-model[/I] is enabled.
[B]9/[/B] Access switch configuration[INDENT]Access(config)#aaa new-model
Access(config)#aaa authentication dot1x default group radius
Access(config)#radius-server host 192.168.5.1 auth-port 1812 key cisco123
Access(config)#dot1x system-auth-control
Access(config)#interface range fastEthernet 1/1 - 2
Access(config-if-range)#dot1x port-control auto
Access(config-if-range)#exit
Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#dot1x port-control force-authorized
Access(config-if-range)#exit
Access(config)#do write[/INDENT]Keep the console session open while doing this: [I]aaa new-model[/I] takes effect immediately and moves the console and vty lines to the AAA default login method, which is the local user database until task 10 defines a method list. [I]force-authorized[/I] is the default port state, so the two lines for Fa1/0 and Fa1/10 only document that the Radius server and Management PC ports deliberately bypass 802.1X. Ports set to [I]auto[/I] pass nothing but EAPOL until the supplicant authenticates, so PC1 and PC2 only get their DHCP lease from task 4 after a successful Access-Accept. The shared secret is stored in clear text in the running configuration unless [I]service password-encryption[/I] is set, and even then only with the reversible type 7 encoding. Check the port state with [I]show dot1x interface fastEthernet 1/1[/I] and the server exchange with [I]debug radius[/I].
[B]10/[/B] Access switch configuration[INDENT]Access(config)#aaa authentication login default group radius local
Access(config)#line console 0
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#line vty 0 15
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#aaa authentication enable default group radius enable
Access(config)#do write[/INDENT]In both method lists IOS only falls through to the next method ([I]local[/I], or the local [I]enable[/I] secret) when the RADIUS server does not answer; an Access-Reject from the server ends the attempt, which is exactly what the task demands. For the enable method the switch does not send the logged-in username but the pseudo-user [I]$enab15$[/I] together with the entered password, so Radius_LiSA must hold that entry with password [I]cisco[/I]. Applying [I]login authentication default[/I] to the lines is optional because the list is named [I]default[/I], but it makes the intent explicit. Test the login from a second session before closing the one you are in.
[B]Topology solved:[/B]
[URL="http://brezular.files.wordpress.com/2010/12/topology-solved.jpeg"][IMG]http://brezular.files.wordpress.com/2010/12/topology-solved.jpeg?w=347&h=263[/IMG][/URL]
[B]802.1X verification:[/B]
Below is traffic captured between Radius_LiSA and the Access switch after the Microcore boot. You can see the RADIUS exchange: the switch sends Access-Requests to the RADIUS server (answered with Access-Challenges while the EAP conversation runs) and Radius_LiSA finally replies with an Access-Accept back to the switch.
[URL="http://www.4shared.com/file/U7fE-AZO/captured-traffic-Radius-Access.html"]captured-traffic-Radius-Access_switch (4shared download)[/URL]
Output from [I]debug dot1x events[/I] enabled on the Access switch:
[URL="http://www.4shared.com/file/Vh-sTKGe/debug_switch.html"]debug_switch (4shared download)[/URL]
Screenshots of the Wireshark capture and the PC2 console:
[URL="http://www.4shared.com/document/E07MdKf6/pictures-Microcore_Wireshark.html"]pictures-Microcore_Wireshark.pdf (4shared download)[/URL]
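To make the captured exchange concrete, the following Python script, added here and not code from the original post or from FreeRADIUS, builds an Access-Request the way the Access switch (NAS) does, hides the User-Password with the shared secret [I]cisco123[/I] from task 9, lets a minimal in-process server decide between Access-Accept and Access-Reject, and has the NAS verify the Response Authenticator before trusting the answer. The user database, the request identifier and the NAS-IP-Address 192.168.5.14 are constructed for the example; the [I]$enab15$[/I] pseudo-user is what IOS sends for the enable method of task 10. It models the PAP-style User-Password that the login method of task 10 sends; the 802.1X flow from task 9 carries EAP-Message attributes instead and adds Access-Challenge round trips, which are left out here.

```python
"""RADIUS Access-Request/Accept between the Access switch (NAS) and Radius_LiSA, modelled
in-process. Added example; not code from the original post or from FreeRADIUS."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"cisco123"     # task 9
NAS_IP = "192.168.5.14"         # switch VLAN 5 SVI, the source address of its RADIUS packets


def _xor_chain(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    the first block being keyed from the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hide else block   # in both directions the chain runs over ciphertext
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded or b"\x00" * 16, secret, authenticator, hide=True)


def reveal_password(hidden, secret, authenticator):
    # Trailing NULs are padding; RADIUS cannot carry a password that ends in NUL.
    return _xor_chain(hidden, secret, authenticator, hide=False).rstrip(b"\x00")


def encode_attributes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attributes(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):    # the bounds check parsers get wrong
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, identifier, authenticator=None):
    auth = authenticator or os.urandom(16)    # Request Authenticator: 16 random octets
    body = encode_attributes([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + auth + body


def parse_access_request(packet, secret):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attributes(packet[20:]))          # one of each attribute here
    password = reveal_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return attrs[USER_NAME].decode(), password.decode()


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """What the NAS must do before trusting an Accept: match the identifier, recompute the
    Response Authenticator with its own secret and compare in constant time."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_exchange(username, password, user_db, nas_secret=SHARED_SECRET,
                      server_secret=SHARED_SECRET):
    """Run both ends in-process; returns (response code name, authenticator accepted by NAS)."""
    request = build_access_request(username, password, nas_secret, identifier=7)
    try:                                    # Radius_LiSA side, using *its* copy of the secret
        name, pwd = parse_access_request(request, server_secret)
        ok = user_db.get(name) == pwd
    except (ValueError, KeyError):          # a wrong secret yields garbage (UnicodeDecodeError)
        ok = False
    response = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, server_secret)
    return CODE_NAMES[response[0]], verify_response(response, request, nas_secret)


# Constructed user database mirroring task 10: admin/cisco for login plus the $enab15$
# pseudo-user that IOS sends for 'aaa authentication enable default group radius'.
USERS = {"admin": "cisco", "$enab15$": "cisco"}

if __name__ == "__main__":
    print(simulate_exchange("admin", "cisco", USERS))                        # ('Access-Accept', True)
    print(simulate_exchange("admin", "cisco", USERS, server_secret=b"typo"))  # ('Access-Reject', False)
```

The last case is the one worth remembering when the key on [I]radius-server host[/I] is mistyped: the server cannot recover the password and rejects, and its reply fails the authenticator check on the switch, so the NAS must discard it as indistinguishable from a forged response. The shared secret is the only thing protecting this exchange on the wire, which is why it belongs on a dedicated management VLAN as in this lab.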
[B]Used software and devices:[/B]
[LIST][*]GNS3 0.7.3[*]router 3725 with NM-16SW module (EtherSwitch in GNS3 0.7.3), IOS c3725-adventerprisek9-mz.124-15.T14.bin[*]Linux Microcore 2.11.5 with WPA supplicant[*]Qemu image CentOS 5.4 with LiSA /Linux Multilayer Switch/[/LIST]
The installation and configuration of wpa_supplicant on Microcore Linux and of FreeRADIUS on the LiSA Qemu image are explained in this tutorial:
[URL="http://brezular.wordpress.com/2010/12/18/ccnp-switch-and-gns3-%E2%80%93-part-2-2-freeradius-and-wpa-supplicant-installation-and-configuration/"]CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration [/URL]
The Radius_LiSA Qemu image and the Microcore image are also available for download there.[/LEFT]