Advanced Configurations


Advanced configurations are those that go beyond simply authenticating a user with a password. They are used in a number of ways throughout this book. Some of these advanced configurations include the following features:

  • They can be used to set PPP parameters for IP, IPX, or AppleTalk.

  • You can configure Link Control Protocol (LCP) options here as well.

  • You can also configure TACACS+ command authorization. Command authorization is best used with new administrators whose commands and access levels you want to control.

A beneficial advanced configuration capability of ACS is the configuration of 802.1x Switchport Authentication. The IEEE 802.1x standard defines a client/server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. This might be a connection directly into a switch or via a wireless network. The authentication server, in this case ACS, authenticates each client connected to a switchport and assigns that port to a VLAN before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

EAP Support

EAP support can be considered an advanced configuration in ACS. The actual EAP support at the switchport can be performed via the RADIUS protocol by authenticating the user to ACS. In this type of environment, you must determine what type of EAP to use, EAP-TLS or EAP-MD5. To enable switchport authentication support in ACS, follow these steps:

Step 1.

Configuration of the RADIUS profile is found in the IETF RADIUS settings of the Interface Configuration section. Select Interface Configuration.

Step 2.

Select RADIUS (IETF).

Step 3.

The attributes that you need to enable (check) are [064]Tunnel-Type, [065]Tunnel-Medium-Type, and [081]Tunnel-Private-Group-ID. Enabling them makes these RADIUS attributes visible in ACS Group Setup. Begin by placing a check mark in the box next to each of the newly added attributes, as shown in Figure 7-15.

Figure 7-15. Enabling RADIUS Attributes 64, 65, and 81


Step 4.

Now that the RADIUS options have been enabled, you configure them in the group configuration. Select Group Setup.

Step 5.

Select the 0:Default Group in the Group drop-down list.

Step 6.

Select Edit Settings.

Step 7.

Using the Jump To drop-down, jump to RADIUS (IETF) and scroll until you find attribute 064.

Step 8.

Because only one VLAN can be passed in a RADIUS packet, the only valid tag is 1. Ensure that the second tag is set to 0, as seen in Figure 7-16, for both attributes 064 and 065; a tag of 0 is ignored.

Figure 7-16. Configuring 802.1x Support in ACS


Step 9.

In attribute 064, select TAG 1 with a value of VLAN.

Step 10.

In attribute 065, select TAG 1 with a value of 802.

Step 11.

In attribute 081, select TAG 1 with a value that is equal to the VLAN name that you want to assign when a user authenticates. For our example, we have used the VLAN name VLAN_AUTHEN, as seen in Figure 7-16.

Step 12.

When this is completed, select Submit + Restart.
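The three attributes configured in Steps 8 through 11 are the RFC 2868 tagged tunnel attributes, and the switch only honours them when a complete set (Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID) arrives under the same tag. The following Python is an added example, not code from the book or from ACS: it encodes the Access-Accept attributes that ACS would send for the group above (tag 1, VLAN name VLAN_AUTHEN) and parses them the way a switch must, so the tag rules from Step 8 (tag 1 carries the assignment, the unused tag 0 is ignored) are visible on the wire. The numeric values 13 for VLAN and 6 for 802 are the RFC 3580 / RFC 2868 assignments.

```python
"""RADIUS tunnel attributes for 802.1x VLAN assignment (RFC 2868 / RFC 3580).

Added example, not code from the book or from ACS. It encodes the attributes
that steps 9-11 configure (64, 65, 81 with tag 1) and parses them the way a
switch must, so the tag rules in step 8 are visible.
"""
import struct

TUNNEL_TYPE = 64               # [064]Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # [065]Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # [081]Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6          # "802" (IEEE 802, RFC 2868)
MAX_TAG = 0x1F                 # tags 0x01..0x1F group attributes; 0x00 means unused


def encode_tagged_int(attr_type, tag, value):
    """Type, Length, Tag, 3-octet integer (RFC 2868 sections 3.1 and 3.2)."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0x00..0x1F and value must fit in 3 octets")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag, String (RFC 2868 section 3.6)."""
    body = bytes([tag]) + text.encode("ascii")
    if not 0 <= tag <= MAX_TAG or len(body) > 253:
        raise ValueError("tag must be 0x00..0x1F and the value must fit one attribute")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def parse_avps(data):
    """Split a RADIUS attribute list into (type, raw value) pairs, rejecting bad lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of range")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def split_tag(raw):
    """RFC 2868: a first octet above 0x1F is data, not a tag; the attribute is untagged."""
    if raw and raw[0] <= MAX_TAG:
        return raw[0], raw[1:]
    return 0, raw


def vlan_from_avps(avps):
    """Switch-side decision: return the VLAN carried by the lowest tag that has a
    complete triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID),
    or None. A tag with only some of the three (the unused tag 0 of step 8) is ignored."""
    by_tag = {}
    for attr_type, raw in avps:
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, value = split_tag(raw)
            by_tag.setdefault(tag, {})[attr_type] = value.decode("ascii", "replace")
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            by_tag.setdefault(raw[0], {})[attr_type] = int.from_bytes(raw[1:], "big")
    for tag in sorted(by_tag):
        entry = by_tag[tag]
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[TUNNEL_PRIVATE_GROUP_ID]
    return None


def acs_vlan_assignment(vlan_name, tag=1):
    """The Access-Accept attributes that steps 9-11 produce (tag 1, e.g. VLAN_AUTHEN)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


if __name__ == "__main__":
    accept = acs_vlan_assignment("VLAN_AUTHEN")
    print(accept.hex())
    print("assigned VLAN:", vlan_from_avps(parse_avps(accept)))
```

Running the block prints the 26-byte attribute list and the recovered VLAN name. Because the parser insists on a complete triple under one tag, a stray Tunnel-Type or Tunnel-Medium-Type under tag 0 never produces an assignment, and a Tunnel-Private-Group-ID whose first byte is printable is treated as untagged rather than misread as tag 0x56 ('V').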

Configuring Switches

The next configuration task is to set up the switch to talk to ACS and vice versa. At this point, you should be able to add a new AAA client to ACS. Do this from the Network Configuration section. When you add the switch as an AAA client to ACS, ensure that you select RADIUS (IETF) as your protocol type. This is seen in Figure 7-17.

Figure 7-17. Configuring the Switch as an AAA Client in ACS


On the Cisco switch, you would enter the commands seen in Example 7-2.

Example 7-2. AAA Switch Configuration
 switch#conf t
 switch(config)#aaa new-model
 switch(config)#radius-server host 10.1.1.100
 switch(config)#radius-server key dot1xlab
 switch(config)#aaa authentication dot1x default group radius
 switch(config)#dot1x system-auth-control
 ! This enables dot1x on the switch.
 switch(config)#interface Vlan1
 ! This is the L3 interface for accessing the RADIUS server.
 switch(config-if)#ip address 10.1.1.101 255.255.255.0
 switch(config-if)#interface fa0/1
 ! The RADIUS server is behind this L2 port.
 switch(config-if)#switchport
 switch(config-if)#switchport mode access
 switch(config-if)#switchport access vlan 1
 switch(config-if)#interface range fa0/2 - 12
 ! These are the ports where users exist.
 switch(config-if)#switchport
 switch(config-if)#switchport mode access
 switch(config-if)#dot1x port-control auto
 ! This enables 802.1x on the interface.

Example 7-2 is for an IOS-based switch. For set-based switches see the Cisco documentation at http://www.cisco.com/univercd/home/home.htm. The preceding configuration enables VLAN assignments from the ACS server. The new topology with the 802.1x switch is seen in Figure 7-18.

Figure 7-18. New Common Topology with 802.1x Switch


Enable an Administrative Policy

The next configuration enables an administrative policy in ACS for the switch.

Cisco recommends that you separate your users' access to the network from the administrator's access to the network. The simplest way to do so is by using the RADIUS protocol for average users and TACACS+ for administrative users. To enable this on your IOS-based switch, you enter the additional commands seen in Example 7-3.

Example 7-3. Separating Users from Administrators


 switch#conf t
 switch(config)#tacacs-server host 10.1.1.100
 switch(config)#tacacs-server key dot1xlabadmin
 switch(config)#aaa authentication login default group tacacs+ local
 switch(config)#aaa authentication login not_auth none
 switch(config)#aaa authentication enable default group tacacs+ enable
 switch(config)#ip tacacs source-interface loop0
 ! This allows you to add the switch as another AAA client in ACS with a different IP address.
 switch(config)#interface loop0
 switch(config-if)#ip address 1.1.1.1 255.255.255.0
 switch(config-if)#exit
 switch(config)#username administrator password acspassword
 switch(config)#line console 0
 switch(config-line)#login authentication not_auth

As long as you have users configured in ACS and the AAA client has been defined, the administrator gains access to the switch, whereas an average user who authenticates with RADIUS would fail shell authorization. To configure a host to perform EAP authentication, you can use the following URL as a guide for Windows XP: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml. Note that this URL requires a CCO login.
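Examples 7-2 and 7-3 are typed at the CLI, but what ultimately matters is the saved configuration: every user-facing access port must carry dot1x port-control auto, the port in front of the RADIUS server must not, and the not_auth method list (which contains none) must stay on the console and never reach the vty lines. The following Python is an added example, not code from the book or from Cisco; it audits a running-config for exactly those points. The configuration text it reads is a constructed sample modelled on the two examples (with one user port, FastEthernet0/3, deliberately left without 802.1x), and the server_ports argument naming FastEthernet0/1 is an assumption taken from Example 7-2.

```python
"""Offline audit of an IOS switch configuration against Examples 7-2 and 7-3.
Added example, not code from the book or from Cisco. It parses a saved
running-config (constructed sample below) and reports access ports without
802.1x and any 'none' method list applied somewhere other than the console."""

# Constructed sample config: user port Fa0/3 deliberately lacks dot1x.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.1.1.100
tacacs-server host 10.1.1.100
ip tacacs source-interface loop0
interface Vlan1
 ip address 10.1.1.101 255.255.255.0
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/3
 switchport mode access
line con 0
 login authentication not_auth
"""

REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)

def parse_sections(config):
    """Return (global commands, {section header: child commands}).
    Indented lines belong to the preceding 'interface' or 'line' header."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections

def audit_dot1x(config, server_ports=("interface FastEthernet0/1",)):
    """802.1x findings (Example 7-2). server_ports (assumed) are access ports that
    must stay unauthenticated because the RADIUS server sits behind them."""
    global_cmds, sections = parse_sections(config)
    findings = [f"missing global command: {cmd}"
                for cmd in REQUIRED_GLOBAL if cmd not in global_cmds]
    if not any(c.startswith("radius-server host ") for c in global_cmds):
        findings.append("no radius-server host configured")
    for name, children in sections.items():
        if (name.startswith("interface ") and "switchport mode access" in children
                and name not in server_ports
                and "dot1x port-control auto" not in children):
            findings.append(f"{name}: access port without dot1x port-control auto")
    return findings

def audit_admin_separation(config):
    """TACACS+ administrative findings (Example 7-3)."""
    global_cmds, sections = parse_sections(config)
    findings, bypass_lists = [], set()
    if not any(c.startswith("tacacs-server host ") for c in global_cmds):
        findings.append("no tacacs-server host configured")
    for cmd in global_cmds:
        parts = cmd.split()
        if parts[:3] == ["aaa", "authentication", "login"] and len(parts) > 4:
            if parts[3] == "default" and "tacacs+" not in parts[4:]:
                findings.append("default login method list does not use TACACS+")
            if "none" in parts[4:]:
                bypass_lists.add(parts[3])  # a list that can skip authentication
    if "aaa authentication enable default group tacacs+ enable" not in global_cmds:
        findings.append("enable authentication is not backed by TACACS+")
    # A 'none' list is what the book puts on the console; on any other line it
    # would remove authentication from remote logins, so report it there.
    for name, children in sections.items():
        if not name.startswith("line ") or name == "line con 0":
            continue
        for child in children:
            parts = child.split()
            if parts[:2] == ["login", "authentication"] and len(parts) > 2 \
                    and parts[2] in bypass_lists:
                findings.append(f"{name}: method list {parts[2]} contains none")
    return findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG) + audit_admin_separation(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the only finding is FastEthernet0/3, the user port missing dot1x port-control auto; appending a vty section that applies not_auth produces a second finding from audit_admin_separation. Feed it the output of show running-config to check a real switch against the same rules.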




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
