Lately I have been playing around with FreeRADIUS and thought it may be interesting to play around with dot1x on switch ports.
The topology I'm using today uses an AAA server, two routers and a switch:
(AAA)eth0---Fa1/0(R1)Fa0/0--Trunk--Fa1/0/1(SW1)Fa1/0/14---Fa1/0(R2)
The link between R1 and SW1 is a trunk so that it can carry multiple VLANs: VLAN 11 carries AAA/SW1 management traffic and VLAN 12 carries R1/R2 traffic.
R2 is acting as our end device and is a DHCP client.
Thanks to bridging on R1 (Fa1/0 and Fa0/0.11 are both in bridge-group 1), AAA (192.168.100.253/24), R1 (BVI1 = 192.168.100.1/24) and SW1 (VLAN11 = 192.168.100.11/24) are all on the same subnet, which is what lets SW1 reach the RADIUS server.
Here are our configurations:
R1
hostname R1
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
ip dhcp excluded-address 10.1.12.1
ip dhcp excluded-address 10.1.12.3 10.1.12.254
ip dhcp pool R2
network 10.1.12.0 255.255.255.0
!
interface FastEthernet0/0
description SW1 Fa1/0/1
no ip address
!
interface FastEthernet0/0.11
description For SW1 to Communicate with AAA
encapsulation dot1Q 11
bridge-group 1
!
interface FastEthernet0/0.12
description To Communicate with R2
encapsulation dot1Q 12
ip address 10.1.12.1 255.255.255.0
!
interface FastEthernet1/0
description To AAA
no ip address
bridge-group 1
!
interface BVI1
description Routed interface for bridge-group 1 (AAA/SW1 subnet)
ip address 192.168.100.1 255.255.255.0
!
SW1
hostname SW1
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
vlan 11-12,99
ip dhcp excluded-address 99.99.99.99
ip dhcp pool GuestVLAN
network 99.99.99.0 255.255.255.0
!
!
interface FastEthernet1/0/1
description R1 Fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet1/0/14
description R2 Fa1/0
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x guest-vlan 99
spanning-tree portfast
shutdown
!
interface Vlan11
ip address 192.168.100.11 255.255.255.0
!
interface Vlan99
ip address 99.99.99.99 255.255.255.0
!
radius-server host 192.168.100.253 auth-port 1812 acct-port 1813 key cisco
R2
hostname R2
interface FastEthernet1/0
description SW1 Fa1/0/14
ip address dhcp
!
The FreeRADIUS configuration is stock standard except for the two files below. Note that clients.conf accepts any host on 192.168.100.0/24 as a NAS with the shared secret cisco; outside a lab, list the switch's address and use a long random secret, since that secret is all that protects the RADIUS exchange on that VLAN.
radius-server:~# cat /etc/freeradius/clients.conf
client 192.168.100.0/24 {
        secret = cisco
        shortname = router
}
radius-server:~# cat /etc/freeradius/users
R2      Cleartext-Password := "R2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 12
Initially R2 has no dot1x configuration on it. SW1 is set to use the FreeRADIUS server to verify the end device connecting on Fa1/0/14. There are three possible outcomes:
1. If the end device does not answer as a dot1x client (supplicant), the switch keeps sending EAP-Request/Identity frames every TxPeriod (30 seconds here) and, after ReAuthMax + 1 unanswered requests (3 here, so about 90 seconds), places the port into the guest VLAN.
2. If the end device supports dot1x and authentication fails, the user will not be allowed on the network.
3. If the end device supports dot1x and authentication succeeds, the AAA server passes back (in Tunnel-Private-Group-ID) which VLAN the user should be in and the switch puts the port into it.
The current configuration is set up for #1.
Let's start things going
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fa1/0/14
SW1(config-if)#no shut
*Mar 1 09:04:43.416: %LINK-3-UPDOWN: Interface FastEthernet1/0/14, changed state to up
SW1(config-if)#do show dot1x int fa1/0/14 detail
Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 99
Dot1x Authenticator Client List Empty
Domain = DATA
Port Status = UNAUTHORIZED
Right now SW1 Fa1/0/14 is sending EAP-Request/Identity frames (EAPOL) to the group PAE address and waiting for a supplicant to answer. After three unanswered requests, about 90 seconds, the switch decides there is no supplicant and moves the port into the guest VLAN; note the timestamps below, just over 90 seconds after the link came up.
*Mar 1 09:06:16.949: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/14, changed state to up
R2#
*Mar 1 02:32:41.847: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet1/0 assigned DHCP address 99.99.99.3, mask 255.255.255.0, hostname R2
R2 was assigned an IP by SW1 from the GuestVLAN DHCP pool we defined earlier, and Fa1/0/14 is now in VLAN 99, the guest VLAN we configured:
SW1(config-if)#do sh interfaces fa1/0/14 switchport | i ^Name|^Operational Mode|^Access Mode
Name: Fa1/0/14
Operational Mode: static access
Access Mode VLAN: 99 (VLAN0099)
SW1(config-if)#do sh dot1x int fa1/0/14 details
Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 99
Dot1x Authenticator Client List Empty
Domain = DATA
Port Status = AUTHORIZED
Authorized By = Guest-Vlan
Operational HostMode = MULTI_HOST
Vlan Policy = 99
Before moving on, note what the guest VLAN actually is: the port is AUTHORIZED without any credentials having been checked, and its operational host mode has switched to MULTI_HOST, so anything plugged in behind it shares that access. Whatever VLAN 99 can reach should be treated as reachable by an unauthenticated device. For setup #2, let's turn R2 into an 802.1X supplicant. First we configure our credentials:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#dot1x credentials R2
R2(config-dot1x-creden)#username R2
R2(config-dot1x-creden)#password r3
Now we change the interface's role to dot1x supplicant and attach the credentials to it:
R2(config-dot1x-creden)#int fa1/0
R2(config-if)#dot1x pae supplicant
R2(config-if)#dot1x credentials R2
R2(config-if)#end
Hmm, as soon as we do this, SW1 pulls down the line protocol and tries to authenticate our supplicant:
SW1#
*Mar 1 09:20:03.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/14, changed state to down
SW1#show dot1x interface fa1/0/14 de
Dot1x Info for FastEthernet1/0/14
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Guest-Vlan = 99
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = c201.08b9.0010
Auth SM State = HELD
Auth BEND SM State = IDLE
Port Status = UNAUTHORIZED
Authentication Method = Dot1x
The authenticator state machine is HELD, which is where it sits for QuietPeriod (60 seconds) after a failed attempt before it will talk to the supplicant again. Let's see what is happening by debugging dot1x events on SW1:
SW1#deb dot1x events
Dot1x events debugging is on
*Mar 1 09:31:13.871: dot1x-ev:Sending create new context event to EAP for c201.08b9.0010
*Mar 1 09:31:13.871: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar 1 09:31:13.871: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar 1 09:31:13.871: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14
*Mar 1 09:31:13.879: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar 1 09:31:13.879: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 09:31:13.879: EAPOL pak dump rx
*Mar 1 09:31:13.879: EAPOL Version: 0x2 type: 0x0 length: 0x0007
*Mar 1 09:31:13.879: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/14 CODE= 2,TYPE= 1,LEN= 7
*Mar 1 09:31:13.879: dot1x-ev:Received pkt saddr =c201.08b9.0010 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0200.0007
*Mar 1 09:31:13.879: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa1/0/14 is TRUE
*Mar 1 09:31:13.879: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from c201.08b9.0010
*Mar 1 09:31:13.930: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar 1 09:31:13.930: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar 1 09:31:13.930: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14
*Mar 1 09:31:13.938: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar 1 09:31:13.938: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
*Mar 1 09:31:13.938: EAPOL pak dump rx
*Mar 1 09:31:13.938: EAPOL Version: 0x2 type: 0x0 length: 0x0016
*Mar 1 09:31:13.938: dot1x-ev:
dot1x_auth_queue_event: Int Fa1/0/14 CODE= 2,TYPE= 4,LEN= 22
*Mar 1 09:31:13.938: dot1x-ev:Received pkt saddr =c201.08b9.0010 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0200.0016
*Mar 1 09:31:13.938: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa1/0/14 is TRUE
*Mar 1 09:31:13.938: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from c201.08b9.0010
*Mar 1 09:31:14.962: dot1x-ev:Authorization data for client c201.08b9.0010 has been reset on FastEthernet1/0/14
*Mar 1 09:31:14.962: dot1x-ev:Received an EAP Fail on FastEthernet1/0/14 for mac c201.08b9.0010
*Mar 1 09:31:14.962: dot1x-ev:dot1x_switch_authz_fail: Called for FastEthernet1/0/14 and c201.08b9.0010
*Mar 1 09:31:14.962: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet1/0/14
*Mar 1 09:31:14.962: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa1/0/14
*Mar 1 09:31:14.962: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC c201.08b9.0010 on interface FastEthernet1/0/14
*Mar 1 09:31:14.962: dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet1/0/14
*Mar 1 09:31:14.962: dot1x-ev:FastEthernet1/0/14:Sending EAPOL packet to group PAE address
*Mar 1 09:31:14.962: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/0/14.
*Mar 1 09:31:14.962: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/0/14
Reading the debug: the switch relays two EAPOL frames from R2 to the RADIUS server (dot1x_sendRespToServer), first an EAP Response/Identity (CODE=2, TYPE=1, LEN=7, the 5-byte EAP header plus the identity "R2") and then an EAP Response/MD5-Challenge (CODE=2, TYPE=4, LEN=22), so the IOS supplicant is using EAP-MD5. About a second later the switch receives an EAP Fail for the client, unauthorizes the interface and, because VLAN assignment only happens after a successful authentication (dot1x_vlan_assign_authz_fail), no VLAN is applied. The RADIUS side is not shown by this debug (debug radius would show the Access-Request and Access-Reject), but an EAP Fail from the authenticator means the server rejected the credentials.
R2#sh run | s ^dot1x
dot1x credentials R2
username R2
password 0 r3
This is because the supplicant's password (r3) does not match the Cleartext-Password ("R2") in the FreeRADIUS users file. It's a simple fix: set the password the users file expects and bounce the interface so the supplicant starts a fresh EAPOL exchange rather than waiting out the quiet period. Note that show run displays the supplicant password in clear text (the 0 means unencrypted), so R2's configuration is itself sensitive.
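To make the CODE/TYPE/LEN values in the debug concrete, here is an added example (not from the original post) that builds and parses the two EAPOL frames R2 sent and replays the EAP-MD5 check FreeRADIUS performs with the Cleartext-Password from the users file, once with the wrong password r3 and once with R2. The 16-byte challenge, the EAP identifiers and the function names are my own assumptions; the frame layouts follow RFC 3748 and RFC 1994. It also shows why EAP-MD5 is only fit for a lab: anyone who captured the challenge and the response can test passwords offline.

```python
import hashlib
import hmac
import struct

EAPOL_VERSION = 2  # "EAPOL Version: 0x2" in the SW1 debug
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge"}

# Constructed values: the users-file entry from the post, a made-up 16-byte
# challenge (a real authenticator picks it at random) and made-up EAP ids.
USERS = {"R2": "R2"}
CHALLENGE = bytes(range(16))


def eapol(eap: bytes) -> bytes:
    """Wrap an EAP packet in an EAPOL header (type 0 = EAP-Packet); these four
    bytes are what the debug prints right after the 888e ethertype."""
    return struct.pack("!BBH", EAPOL_VERSION, 0, len(eap)) + eap


def eap_identity_response(ident: int, identity: str) -> bytes:
    """EAP Response/Identity: CODE 2, TYPE 1, LEN = 5 + len(identity)."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def eap_md5_value(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 3748 5.4 reuses CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def eap_md5_response(ident: int, password: str, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP Response/MD5-Challenge: CODE 2, TYPE 4, value-size, value, optional
    name. A 16-byte value and no name give LEN 22, as in the debug."""
    value = eap_md5_value(ident, password, challenge)
    body = bytes([4, len(value)]) + value + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL PDU and the EAP packet inside it; both length fields
    are checked so a truncated or padded frame is rejected, not misread."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length exceeds frame")
    out = {"eapol_version": version, "eapol_type": ptype}
    if ptype != 0:  # EAPOL-Start/Logoff/Key carry no EAP packet
        return out
    if length < 4 or struct.unpack("!H", body[2:4])[0] != length:
        raise ValueError("EAP length missing or disagrees with EAPOL length")
    code, ident = body[0], body[1]
    out.update({"code": EAP_CODES.get(code, code), "id": ident, "len": length})
    if code not in (1, 2):  # Success and Failure have no type field
        return out
    if length < 5:
        raise ValueError("Request/Response without a type field")
    etype, data = body[4], body[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = data.decode("ascii", "replace")
    elif etype == 4:
        if not data or len(data) < 1 + data[0]:
            raise ValueError("MD5-Challenge value truncated")
        out["value"], out["name"] = data[1:1 + data[0]], data[1 + data[0]:]
    return out


def radius_check(users: dict, identity: str, ident: int, challenge: bytes, frame: bytes) -> bool:
    """What the server does with the Cleartext-Password it holds for the
    identity: recompute the value and compare. A mismatch becomes
    Access-Reject, which the switch relays to the supplicant as EAP Fail."""
    pkt = parse_eapol(frame)
    if pkt.get("type") != "MD5-Challenge" or pkt["id"] != ident:
        return False
    stored = users.get(identity)
    if stored is None:
        return False
    return hmac.compare_digest(eap_md5_value(ident, stored, challenge), pkt["value"])


def guess_password(ident: int, challenge: bytes, frame: bytes, candidates):
    """Why EAP-MD5 is for labs only: the exchange is neither encrypted nor
    server-authenticated, so a sniffed challenge/response pair can be tested
    against candidate passwords offline at MD5 speed."""
    pkt = parse_eapol(frame)
    for cand in candidates:
        if eap_md5_value(ident, cand, challenge) == pkt["value"]:
            return cand
    return None


if __name__ == "__main__":
    ident_frame = eapol(eap_identity_response(1, "R2"))
    print(ident_frame[:4].hex(), parse_eapol(ident_frame))  # 02000007, LEN 7, identity R2
    wrong = eapol(eap_md5_response(2, "r3", CHALLENGE))      # what R2 sent with password r3
    right = eapol(eap_md5_response(2, "R2", CHALLENGE))      # after the password was fixed
    print(wrong[:4].hex(), parse_eapol(wrong)["len"])        # 02000016, LEN 22
    print(radius_check(USERS, "R2", 2, CHALLENGE, wrong))    # False -> EAP Fail, port HELD
    print(radius_check(USERS, "R2", 2, CHALLENGE, right))    # True  -> EAP Success, VLAN 12
    print(guess_password(2, CHALLENGE, right, ["cisco", "r3", "R2"]))  # R2
```

The two header dumps it prints (02000007 and 02000016) are exactly the pae-ether-type values in the debug, which is a quick way to confirm you are reading the right field when looking at a capture.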
Repairing this gives us setup #3:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#dot1x credentials R2
R2(config-dot1x-creden)#password R2
R2(config-dot1x-creden)#int fa1/0
R2(config-if)#shut
R2(config-if)#no shut
R2(config-if)#end
R2#
*Mar 1 03:36:29.863: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 03:36:32.299: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet1/0 assigned DHCP address 10.1.12.2, mask 255.255.255.0, hostname R2
An IP address allocated by R1 (from the 10.1.12.0/24 pool on VLAN 12) certainly indicates that things are now working as desired.
SW1#sh interfaces fa1/0/14 switchport | i ^Name|^Operational Mode|^Access Mode
Name: Fa1/0/14
Operational Mode: static access
Access Mode VLAN: 12 (VLAN0012)
SW1#show dot1x int fa1/0/14 det | b Client List
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = c201.08b9.0010
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = 12
We can see that R2 is authorized by our AAA server (Authorized By = Authentication Server) and the port was pushed into VLAN 12, the Tunnel-Private-Group-ID returned in the Access-Accept.
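To turn the show dot1x outputs seen so far into something you can check programmatically, here is an added example (not from the original post) that parses show dot1x interface detail output into a dict, classifies the port into the waiting, guest-VLAN, failed and authenticated outcomes, and lists the findings a port audit would raise. The sample texts are condensed copies of the outputs shown in this post and the function names are my own.

```python
import re

# Constructed samples: condensed copies of the `show dot1x interface fa1/0/14
# detail` outputs from the post, not fresh captures.
SAMPLE_WAITING = """\
Dot1x Info for FastEthernet1/0/14
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
Guest-Vlan                = 99
Dot1x Authenticator Client List Empty
Port Status               = UNAUTHORIZED
"""

SAMPLE_GUEST = """\
Dot1x Info for FastEthernet1/0/14
PAE                       = AUTHENTICATOR
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
Guest-Vlan                = 99
Dot1x Authenticator Client List Empty
Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 99
"""

SAMPLE_HELD = """\
Dot1x Info for FastEthernet1/0/14
PAE                       = AUTHENTICATOR
ReAuthentication          = Disabled
QuietPeriod               = 60
Guest-Vlan                = 99
Dot1x Authenticator Client List
Supplicant                = c201.08b9.0010
Auth SM State             = HELD
Auth BEND SM State        = IDLE
Port Status               = UNAUTHORIZED
Authentication Method     = Dot1x
"""

SAMPLE_AUTH = """\
Dot1x Info for FastEthernet1/0/14
PAE                       = AUTHENTICATOR
ReAuthentication          = Disabled
Guest-Vlan                = 99
Dot1x Authenticator Client List
Supplicant                = c201.08b9.0010
Auth SM State             = AUTHENTICATED
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 12
"""

FIELD = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*=\s*(.*?)\s*$")


def parse_dot1x_detail(text: str) -> dict:
    """Turn the 'Key = Value' lines into a dict; header lines and the
    'Client List' / 'Client List Empty' lines carry no '=' and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields: dict) -> str:
    """Map the port to one of the outcomes walked through in the post."""
    status = fields.get("Port Status")
    by = fields.get("Authorized By")
    if status == "AUTHORIZED" and by == "Guest-Vlan":
        return "guest-vlan"          # #1: nobody answered Request/Identity
    if status == "AUTHORIZED" and by == "Authentication Server":
        return "authenticated"       # #3: Access-Accept, VLAN from the server
    if status == "UNAUTHORIZED" and fields.get("Auth SM State") == "HELD":
        return "auth-failed"         # #2: EAP Fail, quiet period running
    if status == "UNAUTHORIZED":
        return "waiting"             # still sending EAP-Request/Identity
    return "unknown"


def audit(text: str, expected_vlan: str) -> list:
    """Findings a port review would want: ports that got in via the guest
    VLAN or failed, a VLAN other than the one the RADIUS entry hands back,
    multi-host operation, and reauthentication switched off."""
    f = parse_dot1x_detail(text)
    outcome = classify(f)
    findings = []
    if outcome == "guest-vlan":
        findings.append("authorized by guest VLAN, no credentials were checked")
    elif outcome == "auth-failed":
        findings.append("EAP failure, authenticator HELD for QuietPeriod %s s" % f.get("QuietPeriod", "?"))
    elif outcome == "waiting":
        findings.append("unauthorized, no supplicant has answered yet")
    vlan = f.get("Vlan Policy")
    if vlan is not None and vlan != expected_vlan:
        findings.append("VLAN policy is %s, expected %s" % (vlan, expected_vlan))
    if f.get("Operational HostMode") == "MULTI_HOST":
        findings.append("operational host mode MULTI_HOST: every MAC behind the port shares the authorization")
    if f.get("ReAuthentication") == "Disabled":
        findings.append("reauthentication disabled: authorization lasts until the link drops")
    return findings


if __name__ == "__main__":
    for name, sample in [("waiting", SAMPLE_WAITING), ("guest", SAMPLE_GUEST),
                         ("held", SAMPLE_HELD), ("auth", SAMPLE_AUTH)]:
        print(name, classify(parse_dot1x_detail(sample)), audit(sample, "12"))
```

Run against the authenticated output the only finding left is the disabled reauthentication, which is worth knowing: with ReAuthentication = Disabled the port stays authorized until the link drops, however the RADIUS entry changes in the meantime.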
R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms
The first echo is lost while R2 resolves ARP for 10.1.12.1, which is normal. There are more things that can be done (the outputs above show reauthentication is disabled, for instance); however this should serve as a reasonable introduction to using dot1x.