25 February, 2016

Configure the Supplicant, the Cisco ISE Authentication Server, and the Switch as Authenticator



! Note: I use IOS 15.X; to check whether your switch supports these features/commands, look them up in the Cisco Feature Navigator at www.cisco.com/go/fn

- Single-host              - Only 1 MAC address is allowed on the port.
- Multi-host               - Once at least 1 MAC address has authenticated, the port is open for every other MAC address (the weakest mode: nothing else on the port is checked).
- Multi-domain (MDA)       - 1 MAC address in the DATA VLAN and 1 MAC address in the VOICE VLAN, each authenticated separately.
- Multi-auth               - Every MAC address has to authenticate individually (with its supplicant, or via MAB).
- MAB (MAC Authentication Bypass) - Used for end hosts without a supplicant (printers, IP cameras, etc.). It identifies the device by MAC address only, so it is spoofable; when `mab` is configured on the port the switch falls back to it after the 802.1X EAP timeout.

ISE IP    : 192.168.1.117 
SWITCH IP : 192.168.1.121

Configuration of Switch:

! Test basic connectivity 
SWITCH(config)# do ping 192.168.1.117
!!!!!
Success rate is 100 percent (5/5)

! Test RADIUS (assumes the RADIUS server, its shared key and the server group ISE-group are already configured)
SWITCH(config)# do test aaa group ISE-group bob Nugget!23 new-code
User successfully authenticated

! Use ISE server for dot1x authentication
SWITCH(config)# aaa authentication dot1x default group radius

! Use ISE for network authorization
SWITCH(config)# aaa authorization network default group radius

! Send accounting records to ISE
SWITCH(config)# aaa accounting dot1x default start-stop group radius

! Include the endpoint IP (Framed-IP-Address, RADIUS attribute 8) in the Access-Request so ISE can correlate the session with the host
SWITCH(config)# radius-server attribute 8 include-in-access-req
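To see what the username/password RADIUS test above and `radius-server attribute 8 include-in-access-req` actually put on the wire, here is an added Python example (it is not part of the original notes and not Cisco code). It builds an RFC 2865 PAP Access-Request carrying User-Name, the MD5-hidden User-Password, NAS-IP-Address and Framed-IP-Address (attribute 8), and checks the Response Authenticator of a reply. The shared secret and the server reply are constructed for the example; the username, switch IP and endpoint IP are the ones used in these notes. The real 802.1X exchange carries EAP-Message attributes instead of User-Password; this shows the simpler PAP case that a plain username/password test exercises.

```python
"""RFC 2865 Access-Request builder (added example, not from the original notes).

Builds the PAP Access-Request a switch sends for a username/password test,
hides the User-Password with MD5(secret || Request-Authenticator) as the RFC
requires, adds Framed-IP-Address (attribute 8), and verifies the Response
Authenticator of a reply. Secret and reply are constructed for the example.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def avp(attr_type, value):
    """Encode one attribute-value pair: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator instead of a previous block."""
    pw = password.encode()
    if len(pw) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; trailing padding removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, framed_ip,
                         authenticator=None):
    """Code(1) + Identifier + Length + 16-byte Request Authenticator + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password, secret, authenticator))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)))  # attribute 8
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet):
    """Return {attribute type: [values]} for the attributes of a RADIUS packet."""
    attrs, i = {}, 20
    while i < len(packet):
        t, length = struct.unpack("!BB", packet[i:i + 2])
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[i + 2:i + length])
        i += length
    return attrs


def response_is_authentic(request, response, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply forged by a host that lacks the shared secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected


def build_response(code, request, secret, attrs=b""):
    """Constructed server reply, used only to exercise response_is_authentic."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed for the example
    req = build_access_request(7, "bob", "Nugget!23", SECRET, "192.168.1.121", "192.168.1.12")
    print("Access-Request of", len(req), "bytes, attribute types:", sorted(parse_attrs(req)))
    good = build_response(ACCESS_ACCEPT, req, SECRET)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    print("genuine Access-Accept verifies:", response_is_authentic(req, good, SECRET))
    print("forged Access-Accept verifies: ", response_is_authentic(req, forged, SECRET))
```

The last two lines are the point of the Response Authenticator: the switch only trusts an Access-Accept whose authenticator was computed with the shared secret, so an attacker on the path between switch and ISE who does not hold the secret cannot simply inject an Accept. Note that the User-Password hiding is MD5-based obfuscation, not encryption; the shared secret and the network between authenticator and ISE still need protecting.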

! Enable Dot1x
SWITCH(config)# dot1x system-auth-control

! Configure the workstation end-host port for 802.1X (reset it to defaults first)
SWITCH(config)# default int gig 0/7
Interface GigabitEthernet0/7 set to default configuration
SWITCH(config)# interface gig 0/7
! Keep the port down while it is being configured
SWITCH(config-if)# shutdown
SWITCH(config-if)# switchport mode access
SWITCH(config-if)# spanning-tree portfast 

! Configure mode of authentication
SWITCH(config-if)# authentication host-mode multi-auth

! Configure OPEN mode for testing: all traffic is passed even if authentication fails (monitor mode).
! Remove it with "no authentication open" before going into production, otherwise 802.1X enforces nothing.
SWITCH(config-if)# authentication open 

! Periodic re-authentication
SWITCH(config-if)# authentication periodic

! Let the server decide how often users are re-authenticated (Session-Timeout from ISE)
SWITCH(config-if)# authentication timer reauthenticate server

! Set Port Access Entity to act as authenticator
SWITCH(config-if)# dot1x pae authenticator

! Set the interval between EAP-Request/Identity retransmissions to the supplicant to 10 sec
SWITCH(config-if)# dot1x timeout tx-period 10

! Enable 802.1x control of the port
SWITCH(config-if)# authentication port-control auto

! Bring the port back up (it was shut down above while configuring)
SWITCH(config-if)# no shutdown

! Show 802.1x configuration
SWITCH# show dot1x all
Sysauthcontrol             Enabled
Dot1x Protocol Version           3

Dot1x Info for GigabitEthernet0/7
-------------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10

! To debug the RADIUS exchange between the switch and ISE
SWITCH# debug radius authent

! Configure the Windows end host to support 802.1X
Go to Start -> Run -> type services.msc -> find "Wired AutoConfig" (service name dot3svc), set its Startup type to Automatic and start it.

! Note: on a Spanish-language Windows, Wired AutoConfig is listed as "Configuración automática de redes cableadas" or "Protocolo de autenticación extensible".

! Once the service is running, the NIC has to be configured.
To configure the NIC go to Network Connections -> LAN interface -> right-click -> Properties -> Authentication tab. There you select the EAP type, whether to use the Windows logon credentials, and under Additional Settings you can configure authentication with a different user.

To check the authentication result on the switch:
SWITCH# show authentication sessions inter gig 0/7 | in dot1x|User|MAC|IP|Domain
MAC Address:  ab12.bbbd.5436
IP  Address:  192.168.1.12
  User-Name:  bob 
     Domain:  DATA
dot1x    Auth Success
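To go beyond the single grep above, here is an added Python example (not part of the original notes and not Cisco tooling) that parses the per-session output of `show authentication sessions interface ...` and flags what matters before `authentication open` is removed and for the host-mode choices listed at the top: sessions that are not in `Authz Success` (in open mode they still pass traffic and will be cut off once the port is closed), ports operating in multi-host, and endpoints authorised by MAB alone. The SAMPLE text is constructed to resemble IOS 15.x output; the `Status` and `Oper host mode` fields and the `Runnable methods list` states are assumed from that format, the other fields are the ones shown above.

```python
"""Audit of `show authentication sessions interface ...` output.

Added example, not from the original notes. Parses the key/value block IOS
prints per session plus its "Runnable methods list", then reports sessions
that would lose access when 'authentication open' is removed, ports in
multi-host mode, and hosts that got in via MAB only. SAMPLE is constructed.
"""
import re

# Constructed sample: a workstation with a working supplicant on Gi0/7, a host
# that failed both dot1x and MAB on Gi0/8, and a MAB-only device on Gi0/9.
SAMPLE = """\
            Interface:  GigabitEthernet0/7
          MAC Address:  ab12.bbbd.5436
           IP Address:  192.168.1.12
            User-Name:  bob
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

            Interface:  GigabitEthernet0/8
          MAC Address:  0050.5600.0a1b
           IP Address:  192.168.1.40
            User-Name:  0050.5600.0a1b
               Status:  Authz Failed
               Domain:  UNKNOWN
       Oper host mode:  multi-auth

Runnable methods list:
       Method   State
       dot1x    Authc Failed
       mab      Failed over

            Interface:  GigabitEthernet0/9
          MAC Address:  0050.5600.0c2d
           IP Address:  192.168.1.50
            User-Name:  0050.5600.0c2d
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# "  Key Name:  value" lines; the colon must sit directly after the key.
KV = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):[ \t]*(.*)$", re.MULTILINE)
# "       dot1x    Authc Success" lines from the Runnable methods list.
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$", re.MULTILINE)


def parse_sessions(text):
    """Split the output at each 'Interface:' line and return one dict per session,
    with the method states collected under the 'methods' key."""
    sessions = []
    for chunk in re.split(r"(?m)^\s*(?=Interface:)", text):
        if "Interface:" not in chunk:
            continue
        fields = {}
        for m in KV.finditer(chunk):
            key, value = m.group(1).strip(), m.group(2).strip()
            if value:                      # skips the bare "Runnable methods list:" line
                fields[key] = value
        fields["methods"] = {m.group(1): m.group(2).strip() for m in METHOD.finditer(chunk)}
        sessions.append(fields)
    return sessions


def audit(sessions):
    """Return one finding string per issue a rollout reviewer would want to see."""
    findings = []
    for s in sessions:
        port, mac = s.get("Interface", "?"), s.get("MAC Address", "?")
        methods = s["methods"]
        if s.get("Status") != "Authz Success":
            findings.append(f"{port} {mac}: status '{s.get('Status')}' - passes traffic only because "
                            f"of 'authentication open'; it will be cut off in closed mode")
        if s.get("Oper host mode") == "multi-host":
            findings.append(f"{port}: multi-host - one authenticated MAC opens the port for every MAC")
        if methods.get("mab", "").endswith("Success") and not methods.get("dot1x", "").endswith("Success"):
            findings.append(f"{port} {mac}: authorised by MAB only - the MAC is spoofable, confirm "
                            f"this is an expected supplicant-less device (printer, camera, ...)")
    return findings


if __name__ == "__main__":
    for line in audit(parse_sessions(SAMPLE)):
        print(line)
```

Paste the real `show authentication sessions interface` output (without the `| include` filter) in place of SAMPLE. The MAB-only finding is the one worth acting on first: multi-auth plus MAB is only as strong as the MAC whitelist in ISE, so every MAB-authorised MAC on a DATA-domain port should be a device that genuinely cannot run a supplicant.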