Scenario


You starts your new carrier as a network professional in company which is responsible for Prepare, Plan, Design and Implementation phase of AAA user authentication and 8021.x port-based authentication in customer network.

Because you are new in team you need to prove your boss that you has sufficient knowledge to participate in Implementation phase of this project. For this purpose a testing network is created in a company LAB for you and you are telling configure all the steps listed in tasklist.

Note: Radius_LiSA server is already configured for user and port-based authentication. Only network settings for connecting Radius_LiSA to Access switch are required to configure. 8021x client is installed on PC1 and PC2.

Topology:

Tasks:

1/ PC1 and PC2 switch ports are placed in access VLAN 2 and should be placed in forwarding state immediately when the ports become physically active. DTP must be disabled on both switchports.

2/ Switch ports connecting Radius server and Management PC are configured for Management VLAN 5 and should be placed in forwarding state immediately when the ports become physically active. DTP must be disabled on both switchports.

3/ VLAN2 interface on Access switch is configured with last usable IP address from 192.168.2.0/26 subnet.

4/ PC1 and PC2 should have automatically assigned IP address from 192.168.2.0/26 subnet.

5/ The first usable IP address address from subnet 192.168.5.0/28 is assigned to Radius-LiSA vlan 5 interface. The last usable IP address from 192.168.5.0/28 is assigned to VLAN5 switch interface. Default route must be configured on Linux Radius_LiSA server to reach subnets outside of VLAN 5 Radius_Lisa interface. Username/password for Radius_LiSA is root/password.

6/ The Management PC should be configured with statically assigned IP address 192.168.5.2/28. Username/password is root/root.

7/ PCs in Access VLAN can reach each other and they can reach PCs in other VLANs except PCs in Management VLAN.

8/ Switch must be configured for remote access and use secure vty session. Remote switch administration must be allowed only from Management PC. Local username/password is backup/backup. Password to privileged exec mode is backup.

9/ Users on PC1 and PC2 connecting to Access switch’s ports must be authenticated before they are given access to the network.Management PC and Radius_LiSa server are allowed to access to the network without authentication.

The Radius server key is cisco123 and it listen on port 1812 for authentication sessions.

10/ Login to the switch console or via vty should be authenticated external to switch. Username/password for Level 1 access is admin/cisco. Password to privileged exec mode is cisco.

If Radius server is not reachable local user credentials should be used for backup access to Access switch. Similary local password to privileged exec mode may only be used in the case of Radius server inaccessibility.

Solution:

1/ Access switch configuration
Router(config)#hostname Access
Access(config)#vlan 2
Access(config-vlan)#name Access
Access(config-vlan)#vlan 5
Access(config-vlan)#name Management
Access(config-vlan)#exit
Access(config)#interface range fastEthernet 1/1- 2
Access(config-if-range)#switchport mode accees
Access(config-if-range)#switchport access vlan 2
Access(config-if-range)#spanning-tree portfast
Access(config)#do write
2/ Access switch configuration
Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#switchport mode access
Access(config-if-range)#switchport access vlan 5
Access(config-if-range)#spanning-tree portfast
Access(config-if-range)#do write
3/ Access switch configuration
Access(config)#interface vlan 2
Access(config-if)#ip address 192.168.2.62 255.255.255.192
Access(config-if)#no shutdown
4/ Access switch configuration
Access(config)#ip dhcp excluded-address 192.168.2.62
Access(config)#ip dhcp pool Lab
Access(dhcp-config)#network 192.168.2.0 /26
Access(dhcp-config)#default-router 192.168.2.62
Access(dhcp-config)#exit
5/ Radius_LiSA and Access switch configuration

Radius_LiSA:
[root@lisa ~]# swcli
lisa#configure terminal
lisa(config)#hostname Radius_LiSA
Radius_LiSA(config)#vlan 5
Radius_LiSA(config-vlan)#name Management
Radius_LiSA(config-vlan)#exit
Radius_LiSA(config)#interface ethernet 0
Radius_LiSA(config-if)#switchport mode access
Radius_LiSA(config-if)#switchport access vlan 5
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#interface vlan 5
Radius_LiSA(config-if)#ip address 192.168.5.1 255.255.255.240
Radius_LiSA(config-if)#no shutdown
Radius_LiSA(config-if)#exit
Radius_LiSA(config)#exit
Radius_LiSA#write memory
Radius_LiSA#exit
[root@lisa ~]# route add default gw 192.168.5.14
Access switch:
Access(config)#interface vlan 5
Access(config-if)#ip address 192.168.5.14 255.255.255.240
Access(config-if)#no shutdown
Access(config-if)#do write
6/ Management PC (Microcore Linux) configuration
tc@box:~$ su
Password:
root@box:~# echo “ifconfig eth0 192.168.5.2 netmask 255.255.255.240″ >> /opt/bootlocal.sh
root@box:~# echo “route add default gw 192.168.5.14″ >> /opt/bootlocal.sh
root@box:~# /opt/bootlocal.sh
root@box:~# /usr/bin/filetool.sh backup
7/ Access switch configuration
Access(config)#ip access-list extended 100
Access(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.63 192.168.5.0 0.0.0.15
ccess(config-ext-nacl)#permit ip any any
Access(config-ext-nacl)#exit
Access(config)#interface vlan 2
Access(config-if)#ip access-group 100 in
Access(config-if)#exit
8/ Access switch configuration
Access(config)#enable secret backup
Access(config)#username backup secret backup
Access(config)#ip ssh version 2
Access(config)#ip domain-name company.lab
Access(config)#line vty 0 15
Access(config-line)#transport input ssh
Access(config-line)#login local
Access(config-line)#exit
Access(config)#crypto key generate rsa
Access(config)#ip access-list standard 10
Access(config-std-nacl)#permit host 192.168.5.2
Access(config-std-nacl)#exit
ccess(config)#line vty 0 15
Access(config-line)#access-class 10 in
Access(config-line)#exit
Access(config)#do write
9/ Access switch configuration
Access(config)#aaa new-model
Access(config)#aaa authentication dot1x default group radius
Access(config)#radius-server host 192.168.5.1 auth-port 1812 key cisco123
Access(config)#dot1x system-auth-control
Access(config)#interface range fastEthernet 1/1 -2
Access(config-if-range)#dot1x port-control auto
Access(config-if-range)#exit
Access(config)#interface range FastEthernet 1/0 , FastEthernet 1/10
Access(config-if-range)#dot1x port-control force-authorized
Access(config-if-range)#exit
Access(config)#do write
10/ Access switch configuration
Access(config)#aaa authentication login default group radius local
Access(config)#line console 0
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#line vty 0 15
Access(config-line)#login authentication default
Access(config-line)#exit
Access(config)#aaa authentication enable default group radius enable
Access(config)#do write
Topology solved:

802.1x verification:

Notice is a captured traffic between Radius_LiSA and Access switch after Microcore boot. You can see a radius protocol exchange between switch (sends Access-request to Radius ) and Radius_LiSA server (reply with Access-accept back to switch).

captured-traffic-Radius-Access_switch - 4shared.com - online file sharing and storage - download

Output from debug dot1x events enabled on Access switch.

debug_switch - 4shared.com - online file sharing and storage - download

Snapshots of captured Wireshark traffic and PC2 console.

pictures-Microcore_Wireshark.pdf - 4shared.com - document sharing - download



Used software and devices:

  • GNS3 0.7.3
  • router 3725 with NM-16SW module (EtherSwitch in GNS3 0.7.3), IOS c3725-adventerprisek9-mz.124-15.T14.bin
  • Linux Microcore 2.11.5 with WPA supplicant
  • Qemu image CentOS 5.4 with LiSA /Linux Multilayer Switch/


The installation and configuration of WPA_supplicant on Microcore Linux and FreeRadius on LiSA Qemu image is explained in this tutorial.

CCNP SWITCH and GNS3 – part 2.2 FreeRadius and WPA supplicant installation and configuration

Also Radius_LiSA Qemu image and Microcore image ready for download there.




موضوعات مشابه: