AAA dot1x Lab Switch Sim

Pre-Radius Server configuration 

Buraqtech is a small cargo company whose existing network consists of two switches, DSW1 and ASW1. The network diagram shows their layer 2 mapping. VLAN 10 is a new VLAN that will be used to give the cargo personnel access to the server. For security reasons, access to VLAN 20 must be restricted as follows:
– Users connecting to ASW1's ports must be authenticated via a RADIUS server before they are given access to the network. The RADIUS server address is 172.189.29.100 and the RADIUS key is ciscoradius.
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range 172.120.10.0/24; packets from devices in the address range 172.120.10.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20, and this filtering should be configured as close to the server farm as possible.
The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a precondition to installing the servers. You must use the available IOS switch features.
Answer and Explanation:

1) Configure authentication via a RADIUS server on ASW1
Enable AAA:
ASW1(config)#aaa new-model
Set the server address and shared key for the RADIUS server, and use that server as the 802.1x authentication method:
ASW1(config)#radius-server host 172.189.29.100 key ciscoradius
ASW1(config)#aaa authentication dot1x default group radius
Enable 802.1x globally on the switch:
ASW1(config)#dot1x system-auth-control
Configure Fa0/1 to use 802.1x:
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
Notice that the keyword "auto" forces a connected PC to authenticate through the 802.1x exchange before its traffic is allowed through the port.
ASW1(config-if)#end
ASW1#write
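As an added check that the steps above were entered completely (this is an example added here, not part of the original answer): a Python script that parses a running-config and reports which of the required global and per-port 802.1x commands are missing. The configuration text is constructed from the commands above rather than captured from a switch, and the script accepts both "dot1x port-control auto" and the newer "authentication port-control auto" spelling of the per-port command.

```python
import re

# Constructed sample (not captured from a switch): the running-config form of the
# ASW1 commands above, without the "ASW1(config)#" prompts.
ASW1_RUNNING_CONFIG = """\
aaa new-model
radius-server host 172.189.29.100 key ciscoradius
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
"""

# Global commands an 802.1X authenticator needs before "port-control auto" does anything.
REQUIRED_GLOBAL = [
    ("aaa new-model", r"^aaa new-model$"),
    ("radius-server host ... key ...", r"^radius-server host \S+ .*\bkey \S+$"),
    ("aaa authentication dot1x default group radius",
     r"^aaa authentication dot1x default group radius$"),
    ("dot1x system-auth-control", r"^dot1x system-auth-control$"),
]

# Either spelling of the per-port command is accepted (the second is the newer IOS form).
PORT_CONTROL_AUTO = {"dot1x port-control auto", "authentication port-control auto"}


def split_config(config):
    """Return (global_lines, {interface_name: [lines]}) from running-config text."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" ends an interface section
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def check_dot1x(config, port):
    """Return a list of findings; an empty list means the port is a complete
    802.1X authenticator port."""
    findings = []
    global_lines, interfaces = split_config(config)
    for label, pattern in REQUIRED_GLOBAL:
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(f"missing global command: {label}")
    iface = interfaces.get(port)
    if iface is None:
        findings.append(f"interface {port} not configured")
        return findings
    if "switchport mode access" not in iface:
        findings.append(f"{port}: not an access port")
    if not PORT_CONTROL_AUTO & set(iface):
        findings.append(f"{port}: port-control is not 'auto', so clients are never challenged")
    return findings


if __name__ == "__main__":
    for finding in check_dot1x(ASW1_RUNNING_CONFIG, "FastEthernet0/1") or ["FastEthernet0/1: OK"]:
        print(finding)
```

Run it against the output of "show running-config" pasted into a file; any finding means a client on that port is either never challenged or is challenged against a server the switch cannot reach.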
2) Configure the VLAN access map on DSW1
Packets from devices in the address range of 172.120.10.0/24 should be passed on VLAN 20.
Define an access-list:
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.10.0 0.0.0.255
DSW1(config-std-nacl)#exit

Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYMAPIP 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
Packets from devices in any other address range should be dropped on VLAN 20:
DSW1(config)#vlan access-map MYMAPIP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
Apply the VLAN access map to VLAN 20, as close to the server farm as possible:
DSW1(config)#vlan filter MYMAPIP vlan-list 20
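To see what the access map above actually does to traffic, here is an added Python model of the VACL evaluation (an example added here, not part of the original answer): Cisco wildcard-mask matching for standard ACL 10, first-match evaluation of the MYMAPIP sequences 10 and 20, and the implicit drop for packets that match no sequence. The sample source addresses are constructed.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# Standard ACL 10 exactly as defined above; standard ACLs test the source address only.
ACL_10 = [("permit", "172.120.10.0", "0.0.0.255")]


def acl_permits(acl, src):
    """First matching entry decides; the implicit deny at the end catches everything else."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


# Access map MYMAPIP: (sequence, match clauses, action). Sequence 20 has no match
# clause, so it matches every packet that reaches it.
MYMAPIP = [
    (10, {"ip address": ACL_10}, "forward"),
    (20, {}, "drop"),
]


def vacl_action(access_map, src):
    """Evaluate sequences in order. A packet the ACL denies does not match that
    sequence and falls through; a packet matching no sequence at all is dropped."""
    for _seq, match, action in sorted(access_map, key=lambda e: e[0]):
        acl = match.get("ip address")
        if acl is None or acl_permits(acl, src):
            return action
    return "drop"


def classify(access_map, sources):
    return {src: vacl_action(access_map, src) for src in sources}


# Constructed sample source addresses seen on VLAN 20.
SAMPLE_SOURCES = ["172.120.10.45", "172.120.10.255", "172.120.11.1", "172.120.40.7", "10.0.0.1"]

if __name__ == "__main__":
    for src, action in classify(MYMAPIP, SAMPLE_SOURCES).items():
        print(f"{src:16} -> {action}")
    # Without sequence 20 the implicit drop gives exactly the same result.
    print(classify(MYMAPIP[:1], SAMPLE_SOURCES) == classify(MYMAPIP, SAMPLE_SOURCES))
```

The model makes the role of sequence 20 visible: it changes nothing for traffic, since anything ACL 10 does not permit is dropped either way, but it documents the intent in the configuration.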

24 comments:

  1. When I took the test this lab was bugged. It wouldn't let me remove the access-map that I had put in there wrongly.

  2. Do you actually need the action drop addition to the access-map? My understanding is that VACLs have an implicit deny (drop) that will drop anything which is not expressly forwarded.

    Replies
    1. Technically, you don't need to set an action drop, because it will implicitly deny anything that isn't permitted. However, it is good practice to just add an additional action of drop. Also, the exam may deduct points off of your simulation if you don't have that extra step, so it's best to be on the safe side. :-)

  3. Great article man, but I don't think VACL works in GNS3; I've tried the 3600/3700 series with the NM-16ESW module but only the radius server cmd is there.

    Replies
    1. VACL works only in the IOU VM, as well as private VLANs, but you must memorize the commands:
      ASW1(config)#radius-server host 172.189.29.100 key ciscoradius
      ASW1(config-if)#dot1x port-control auto
      These 2 commands that you need to memorize work, but you need to type them word for word.

  4. Where have you downloaded it?

  5. On the 300-115 exam, it seems that something more is needed to get this solution correct. I know this lab cold, yet I have taken the exam twice, and failed due to this question. Has anyone else had this problem?

    Thanks.

    Replies
    1. Is VLAN 20 added to the trunk port? I'm taking the test Thursday, and I would assume they may be deducting points for not having the VLANs defined and active both upstream and downstream.

      configure radius access
      vlan 20 - 172.120.10.0/24
      access-list dropping non 172.120.10.0/24
      radius server 172.189.29.100 key ciscoradius


      ASW1 -

      conf t
      aaa new-model
      radius-server host 172.189.29.100 key ciscoradius
      !
      vlan 20
      name dot1x_test
      !
      dot1x system-auth-control
      !
      int vlan 20
      description new dot1x_users
      ip address 172.120.10.1 255.255.255.0
      no shut
      !
      int range f0/1-3
      switchport mode access
      switchport access vlan 20
      spanning-tree portfast
      spanning-tree bpduguard enable
      dot1x port-control auto
      !
      int range f0/4-9
      spanning-tree portfast
      shut
      int range f0/11-24
      spanning-tree portfast
      shut
      !
      int f0/10
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk allowed vlan 20
      !

      DSW1 -
      conf t
      !
      vlan 20
      name dot1x_test
      !
      int g1/0/1
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk allowed vlan 20
      !
      ip access-list standard 10
      permit 172.120.10.0 0.0.0.255
      exit
      !
      vlan access-map MYMAPIP 10
      match ip address 10
      action forward
      !
      vlan access-map MYMAPIP 20
      action drop
      !
      vlan filter MYMAPIP vlan-list 20

      ==============
      Hopefully this is correct. I'll take it to my lab tonight to verify. I just pieced that together in Notepad while testing.

    2. Hello Guys,

      Is this the right configuration for AAAx?
      Step1: Console to ASW1 from PC console 1
      Configure authentication via a RADIUS server on ASW1
      ASW1(config)#aaa new-model
      ASW1(config)#radius-server host [IP radius server] key rad123
      ASW1(config)#aaa authentication dot1x default group radius
      Enable 802.1x on the switch:
      ASW1(config)#dot1x system-auth-control
      Configure Fa0/1 to use 802.1x:
      ASW1(config)#inter fastEthernet 0/1
      ASW1(config-if)#switchport mode access (re-entered this command even though it already existed in the config)
      ASW1(config-if)#switchport access vlan 20 (re-entered this command even though it already existed in the config)
      ASW1(config-if)#dot1x port-control auto
      ASW1(config-if)#no shutdown (just in case to be sure)
      ASW1(config-if)#exit
      ASW1#copy run start
      Step2: Console to DSW1 from PC console 2
      Packets from devices in the address range of 172.120.10.0/24 should be passed on VLAN 20.
      Define an access list:
      DSW1(config)#access-list 11 permit 172.120.40.0 0.0.0.255
      DSW1(config-ext-nacl)#exit
      DSW1(config)#vlan access-map MYMAP 10
      DSW1(config-access-map)#match ip address 11
      DSW1(config-access-map)#action forward
      DSW1(config-access-map)#exit
      DSW1(config)#vlan access-map MYMAP 20
      DSW1(config-access-map)#action drop
      DSW1(config-access-map)#exit
      DSW1(config)#vlan filter MYMAP vlan-list 20
      DSW1#copy run start

    3. Why did you configure the access map on vlan 10, and the ACL on vlan 11?

    4. Hello Matthew,
      I have EXACTLY the same issue as you. All the questions were right except this lab. Could you please tell me what you did to overcome this issue? What is the solution to this lab?
      Thanks in advance.

  6. Is it possible that the command "dot1x port-control auto" under the fastEthernet interface is no longer valid? Maybe it should be "authentication port-control auto" and "dot1x pae authenticator"?

    Replies
    1. Authentication Initiation and Message Exchange

      The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x pae authenticator and authentication port-control auto interface configuration commands (dot1x port-control auto command in Cisco IOS Release 12.2(33)SXH and earlier releases), the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). When the client receives the frame, it responds with an EAP-response/identity frame.

      If the client does not receive an EAP-request/identity frame from the switch during bootup, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.

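The identity exchange described in that excerpt, as an added Python example (not part of the comment above or of Cisco's documentation): it builds and parses the three frames, client EAPOL-Start, switch EAP-Request/Identity and client EAP-Response/Identity, using the EAPOL header from IEEE 802.1X and the EAP header from RFC 3748. The identity string and every frame byte are constructed here, not captured from a real port.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748) used in the exchange.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2, whole packet) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(packet_type, body=b"", version=2):
    """EAPOL frame: Version(1) Packet-Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    out = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2) and length > 4:      # Request/Response carry a Type octet
        out["type"] = pkt[4]
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame):
    """Parse an EAPOL frame; a body shorter than the declared length is rejected."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    parsed = {"version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        parsed["eap"] = parse_eap(body)
    return parsed


# The three messages of the exchange, one function per side.
def client_eapol_start():
    return build_eapol(1)                       # client-initiated: no EAP body at all


def switch_request_identity(identifier):
    return build_eapol(0, build_eap(1, identifier, EAP_TYPE_IDENTITY))


def client_response_identity(identifier, identity):
    # The Response must echo the Identifier of the Request it answers.
    return build_eapol(0, build_eap(2, identifier, EAP_TYPE_IDENTITY, identity.encode()))


def run_exchange(identity="constructed-user"):
    """Walk the three frames and return the parsed view the authenticator sees."""
    trace = [parse_eapol(client_eapol_start())]
    request = parse_eapol(switch_request_identity(1))
    trace.append(request)
    trace.append(parse_eapol(client_response_identity(request["eap"]["id"], identity)))
    return trace


if __name__ == "__main__":
    for frame in run_exchange():
        print(frame)
```

Note that the switch-initiated case simply starts at the second frame; the EAPOL-Start only exists so a client that missed the initial request after link-up can ask for one.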
  7. "int vlan 20
    description new dot1x_users
    ip address 172.120.10.1 255.255.255.0
    no shut"

    The requirement clearly states "Corporate policies do not allow layer 3 functionality to be enabled on the switches." So, no layer 3 means no IPs for VLANs.

  8. I've tried this on a newer 4948 and 3750 and I can enter the command but then it adds the latter commands to the config after the fact. If you can't enter it at all then you might want to make sure that the switchport is in access mode.

  9. When using the command 'dot1x port-control auto' I have to use "ip routing" on the port for the dot1x command to be available. Once I enter the 'dot1x port-control auto' and look at the running config I see:
    interface FastEthernet1/0/23
    no switchport
    no ip address
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect

    Is there anything else to the commands for this lab? Is this expected but not mentioned in the tutorial?

  10. vlan access-map commands are not working on GNS3. Is it normal or am I missing something? Please guide.

  11. vlan access-map is not supported by emulators (Packet Tracer, GNS3, etc.) as it is a hardware "feature" on Cisco devices. You'll need at least 1 working Cisco 3750 to try these commands. BUT I think maybe Cisco IOU supports this, as Cisco IOU is usually used on CCIE tests and I think it should support it; also I saw GNS3 has support for implementing L2/L3 IOU IOS...

  12. Cisco Nexus Titanium (Nexus Titanium-VM-51.2) supports VACLs =)

  13. I tested dot1x with a 2940 (12.1.22ea14) and a 2960 (15.0.2se10a). These are my notes:

    Using a single machine with two network interfaces as both radius server and dot1x client works here....


    freeradius 3.x server setup:
    ---------------------------------------------------------------
    eth1: flags=4163 mtu 1500
    inet 10.10.20.1 netmask 255.255.255.0 broadcast 10.10.20.255

    /etc/raddb/clients.conf:
    client cisco {
    ipaddr = 10.10.20.0/24
    secret = radiuskey
    }

    /etc/raddb/users:
    radius Cleartext-Password := "Cisco123"
    mydot1xuser Cleartext-Password := "mydot1xpw"

    # radiusd -X
    --------------------------------------------------------------


    dot1x client setup:
    ------------------------------------------------------------
    eth0: flags=4163 mtu 1500
    inet 10.10.10.99 netmask 255.255.255.0 broadcast 10.10.10.255

    /etc/wpa_supplicant/wpa_supplicant.conf:
    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=2
    ap_scan=0
    fast_reauth=1

    network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="mydot1xuser"
    anonymous_identity="mydot1xuser"
    password="mydot1xpw"
    phase1="auth=MD5"
    phase2="auth=PAP password=mydot1xpw"
    eapol_flags=0
    }

    # wpa_supplicant -i eth0 -Dwired -c /etc/wpa_supplicant/wpa_supplicant.conf -d
    --------------------------------------------------------------


    c2960 switch with 15.0.2:
    ------------------------
    hostname DSW1
    sdm prefer lanbase-routing
    ! reload after this. you may now have multiple active SVIs.
    !
    vlan 10
    name clients
    vlan 20
    name servers
    !
    no ip domain-lookup
    aaa new-model
    dot1x system-auth-control
    !
    !
    radius server RADIUSSRV1
    address ipv4 10.10.20.1 auth-port 1812 acct-port 1813
    key radiuskey
    !
    dot1x system-auth-control
    aaa authentication dot1x default group radius
    !
    interface GigabitEthernet0/1
    description TRUNK to ASW
    switchport mode trunk
    !
    interface GigabitEthernet0/8
    description TO RADIUS
    switchport access vlan 20
    switchport mode access
    !
    interface Vlan10
    description client gateway, ping this from client when auth ok
    ip address 10.10.10.1 255.255.255.0
    !
    interface Vlan20
    description mgmtinterface, also for radius traffic
    ip address 10.10.20.10 255.255.255.0
    !
    ip default-gateway 10.10.20.1
    ip radius source-interface Vlan20
    !
    interface GigabitEthernet0/2
    description DOT1xport to client
    switchport access vlan 10
    switchport mode access
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 60
    dot1x pae authenticator
    spanning-tree portfast
    ----------------------------


    c2940 with 12.1.22
    ----------------------
    hostname ASW1
    vlan 10
    name clients
    vlan 20
    name servers
    aaa new-model
    radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key radiuskey
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    !
    interface FastEthernet0/1
    description DOT1xport to client
    switchport access vlan 10
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period 60
    dot1x reauthentication
    spanning-tree portfast
    !
    interface FastEthernet0/8
    ! yeah, this hangs off DSW above. If all you have is a 2940/2950, adapt as needed.
    description TRUNK to DSW
    switchport mode trunk
    !
    interface Vlan20
    description mgmtinterface, also for radius traffic
    ip address 10.10.20.20 255.255.255.0
    no ip route-cache
    ------------------------

