Pre-Radius Server configuration
Buraqtech is a small cargo company that has an existing network consisting of two switches, DSW1 and ASW1. The network diagram shows their layer 2 mapping. VLAN 10 is a new VLAN that will be used to provide the cargo personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
– Users connecting to ASW1’s port must be authenticated via a Radius server before they are given access to the network. The Radius server address is 172.189.29.100 and the Radius key is ciscoradius.
– Authentication should be implemented as close to the host device as possible.
– Devices on VLAN 20 are restricted to the address range 172.120.10.0/24, and packets from devices in the address range 172.120.10.0/24 should be passed on VLAN 20.
– Packets from devices in any other address range should be dropped on VLAN 20, and this filtering should be configured as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a precondition to installing the servers. You must use the available IOS switch features.
Answer and Explanation:
1) Configure authentication via a Radius server on ASW1
Enable AAA on the switch:
ASW1(config)#aaa new-model
Set the server address and key for the Radius server:
ASW1(config)#radius-server host 172.189.29.100 key ciscoradius
Use the Radius server group as the authentication method for 802.1x:
ASW1(config)#aaa authentication dot1x default group radius
Enable 802.1x on the switch:
ASW1(config)#dot1x system-auth-control
Configure Fa0/1 to use 802.1x:
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
Notice that the keyword “auto” forces the connected PC to authenticate through the 802.1x exchange.
ASW1(config-if)#end
ASW1#write
2) Packets from devices in the address range 172.120.10.0/24 should be passed on VLAN 20 (configured on DSW1).
Define an access-list:
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.10.0 0.0.0.255
DSW1(config-std-nacl)#exit
Define an access-map which uses the access-list above:
DSW1(config)#vlan access-map MYMAPIP 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
Packets from devices in any other address range should be dropped on VLAN 20.
DSW1(config)#vlan access-map MYMAPIP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
Apply the VLAN access-map to VLAN 20, as close to the server farm as possible:
DSW1(config)#vlan filter MYMAPIP vlan-list 20
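Once both switches are configured, the result can be audited from a copy of the running-config rather than by eye. The Python below is an added example, not code from this page or from Cisco: it parses IOS running-config text and checks the three lab requirements (802.1x via the given Radius server on every access port of ASW1; a VACL on DSW1 that forwards only 172.120.10.0/24 on VLAN 20 and is actually applied to that VLAN). The sample configs are constructed from the commands in the answer above; the only assumed detail is that the legacy `radius-server host ... key ...` syntax is the one in use.

```python
"""Audit Cisco IOS configs for the lab's 802.1X and VACL requirements.
Added example (not code from the page); sample configs are constructed from the answer."""
import re

ASW1_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 172.189.29.100 key ciscoradius
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
"""

DSW1_CONFIG = """\
ip access-list standard 10
 permit 172.120.10.0 0.0.0.255
vlan access-map MYMAPIP 10
 match ip address 10
 action forward
vlan access-map MYMAPIP 20
 action drop
vlan filter MYMAPIP vlan-list 20
"""


def parse_ios(config):
    """[(command, [children])]: indented lines belong to the preceding command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def vlan_list(spec):
    """Expand an IOS vlan-list such as '20' or '10,20-22' into a set of ints."""
    return {v for part in re.split(r"[ ,]+", spec.strip()) if part
            for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}


def audit_access_switch(config, radius_ip, radius_key):
    """Requirement 1: 802.1X against the given RADIUS server on every access port."""
    findings, blocks = [], parse_ios(config)
    top = {cmd for cmd, _ in blocks}
    for required, why in (
        ("aaa new-model", "AAA disabled, so no dot1x method list can exist"),
        ("dot1x system-auth-control", "802.1X is globally disabled"),
        ("aaa authentication dot1x default group radius", "dot1x is not sent to RADIUS"),
    ):
        if required not in top:
            findings.append(f"'{required}' missing: {why}")
    # Legacy 'radius-server host <ip> [ports] key <key>' form used in the answer.
    host_re = re.compile(rf"^radius-server host {re.escape(radius_ip)}(\s.*)? key {re.escape(radius_key)}$")
    if not any(host_re.match(cmd) for cmd in top):
        findings.append(f"no radius-server host {radius_ip} with the expected key")
    for cmd, children in blocks:
        if not cmd.startswith("interface ") or "switchport mode access" not in children:
            continue  # only user-facing access ports need the authenticator
        name = cmd.split(None, 1)[1]
        if not {"dot1x port-control auto", "authentication port-control auto"} & set(children):
            findings.append(f"{name}: access port without 802.1X port-control auto")
    return findings


def audit_distribution_switch(config, vlan, net, wildcard):
    """Requirements 2 and 3: only net/wildcard is forwarded on the VLAN, all else dropped."""
    findings, acls, maps, applied = [], {}, {}, None
    for cmd, children in parse_ios(config):
        if m := re.match(r"ip access-list standard (\S+)$", cmd):
            acls.setdefault(m.group(1), []).extend(children)
        elif m := re.match(r"access-list (\d+) ((?:permit|deny) .+)$", cmd):
            acls.setdefault(m.group(1), []).append(m.group(2))  # numbered form
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", cmd):
            acl = next((c.split()[-1] for c in children if c.startswith("match ip address ")), None)
            action = next((c.split()[1] for c in children if c.startswith("action ")), None)
            maps.setdefault(m.group(1), {})[int(m.group(2))] = (acl, action)
        elif (m := re.match(r"vlan filter (\S+) vlan-list (.+)$", cmd)) and vlan in vlan_list(m.group(2)):
            applied = m.group(1)
    if applied is None or applied not in maps:
        return [f"no defined vlan access-map is filtering VLAN {vlan}"]
    wanted, forwards_wanted = f"permit {net} {wildcard}", False
    for seq, (acl, action) in sorted(maps[applied].items()):
        if action != "forward":
            continue  # drop sequences can only narrow what passes, never widen it
        for entry in acls.get(acl, []):
            if entry == wanted:
                forwards_wanted = True
            elif entry.startswith("permit"):
                findings.append(f"{applied} {seq}: also forwards '{entry}', wider than {net}")
    if not forwards_wanted:
        findings.append(f"{applied}: no forward sequence whose ACL permits {net} {wildcard}")
    return findings
```

Run `audit_access_switch(show_run_text, "172.189.29.100", "ciscoradius")` and `audit_distribution_switch(show_run_text, 20, "172.120.10.0", "0.0.0.255")` against the real `show running-config` output; an empty list means the requirement is met. The checker deliberately flags any extra `permit` in the forwarding ACL, because a stray `permit any` silently widens what reaches the server farm.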
When I took the test this lab was bugged. It wouldn't let me remove the access-map that I had put in there wrongly.
Do you actually need the action drop addition to the access-map? My understanding is that VACLs have an implicit deny (drop) that will drop anything which is not expressly forwarded.
Technically, you don't need to set an action drop, because it will implicitly deny anything that isn't permitted. However, it is good practice to just add an additional action of drop. Also, the exam may deduct points off of your simulation if you don't have that extra step, so it's best to be on the safe side. :-)
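The question and answer just above (whether the explicit drop sequence is needed) can be checked by simulating how a VLAN access-map evaluates a packet. The Python below is an added illustration, not code from the post or its commenters; the ACL, the MYMAPIP sequence numbers and the 172.120.10.0/24 range come from the lab, while the sample source addresses are constructed.

```python
"""Simulate how a VLAN access-map decides the fate of an IP packet.
Added example (not from the post or its comments); sample packets are constructed."""
import ipaddress

ACLS = {"10": [("permit", "172.120.10.0", "0.0.0.255")]}
# Sequence tuples: (sequence number, ACL named in 'match ip address' or None, action)
MAP_EXPLICIT_DROP = [(10, "10", "forward"), (20, None, "drop")]
MAP_IMPLICIT_ONLY = [(10, "10", "forward")]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks: a 1 bit means 'don't care', so 0.0.0.255 covers a /24.
    A subnet mask typed by mistake (255.255.255.0) inverts the meaning."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_lookup(acl, src):
    """Standard ACL: first matching entry wins; nothing matches -> implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def vacl_decide(access_map, acls, src):
    """Walk the map in sequence order. A sequence with a match clause applies only
    when its ACL *permits* the packet (an ACL deny means 'no match' and falls
    through, it does not drop). A sequence without a match clause matches all.
    Falling off the end of a map that holds an IP ACL drops the packet."""
    for seq, acl_name, action in sorted(access_map, key=lambda s: s[0]):
        if acl_name is None or acl_lookup(acls[acl_name], src) == "permit":
            return seq, action
    return None, "drop"


def compare_maps(srcs):
    """Verdict of both maps for each source address: (explicit-drop map, implicit-only map)."""
    return {src: (vacl_decide(MAP_EXPLICIT_DROP, ACLS, src),
                  vacl_decide(MAP_IMPLICIT_ONLY, ACLS, src)) for src in srcs}


if __name__ == "__main__":
    for src, (explicit, implicit) in compare_maps(["172.120.10.55", "172.120.11.7", "10.0.0.9"]).items():
        print(f"{src:>15}  explicit-drop map: seq {explicit[0]} {explicit[1]:<8}"
              f" implicit-only map: seq {implicit[0]} {implicit[1]}")
```

Both maps give the same verdict for every address; the explicit `action drop` only makes the drop visible as a numbered sequence (and in `show vlan access-map`). Two caveats the simulation encodes: the implicit drop applies only when the map contains an ACL of the packet's type (a map holding only a MAC ACL forwards IP traffic), and a `deny` inside the matched ACL does not drop, it just fails to match, so the way to drop a range is a later sequence or the implicit drop, never a deny entry.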
Great article man, but I don't think VACL works in GNS3. I've tried the 3600/3700 series with the NM-16ESW module, but only the radius server cmd is there.
VACLs, as well as private VLANs, work only in the IOU VM, but you must memorize the commands:
ASW1(config)#radius-server host 172.189.29.100 key ciscoradius
ASW1(config-if)#dot1x port-control auto
These 2 commands that you need to memorize work, but you need to type them word for word.
Good one
Where did you download it from?
On the 300-115 exam, it seems that something more is needed to get this solution correct. I know this lab cold, yet I have taken the exam twice and failed due to this question. Has anyone else had this problem?
Thanks.
Is VLAN 20 added to the trunk port? I'm taking the test Thursday, and I would assume they may be deducting points for not having the VLANs defined and active both upstream and downstream.
configure radius access
vlan 20 - 172.120.10.0/24
access-list dropping non 172.120.10.0/24
radius server 172.189.29.100 key ciscoradius
asw1 -
conf t
aaa new-model
radius-server host 172.189.29.100 key ciscoradius
! method list so that dot1x actually consults the radius server
aaa authentication dot1x default group radius
!
vlan 20
name dot1x_test
!
dot1x system-auth-control
!
int vlan 20
description new dot1x_users
ip address 172.120.10.1 255.255.255.0
no shut
!
int range f0/1-3
switchport mode access
switchport access vlan 20
spanning-tree portfast
spanning-tree bpduguard enable
dot1x port-control auto
!
int range f0/4-9
spanning-tree portfast
shut
int range f0/11-24
spanning-tree portfast
shut
!
int f0/10
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 20
!
dsw1 -
conf t
!
vlan 20
name dot1x_test
!
int g1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 20
!
ip access-list standard 10
permit 172.120.10.0 0.0.0.255
exit
!
vlan access-map MYMAPIP 10
match ip address 10
action forward
!
vlan access-map MYMAPIP 20
action drop
!
vlan filter MYMAPIP vlan-list 20
==============
Hopefully this is correct. I'll take it to my lab tonight to verify. I just pieced that together in Notepad while testing.
Hello Guys,
Is this the right configuration for AAAx?
Step 1: Console to ASW1 from PC console 1
Configure authentication via a Radius server on ASW1:
ASW1(config)#aaa new-model
ASW1(config)#radius-server host [IP radius server] key rad123
ASW1(config)#aaa authentication dot1x default group radius
Enable 802.1x on the switch:
ASW1(config)#dot1x system-auth-control
Configure Fa0/1 to use 802.1x:
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access (re-entered this command even though it already existed in the config)
ASW1(config-if)#switchport access vlan 20 (re-entered this command even though it already existed in the config)
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#no shutdown (just in case, to be sure)
ASW1(config-if)#end
ASW1#copy run start
Step 2: Console to DSW1 from PC console 2
Packets from devices in the address range of 172.120.10.0/24 should be passed on VLAN 20.
Define an access list:
DSW1(config)#access-list 11 permit 172.120.40.0 0.0.0.255
DSW1(config)#vlan access-map MYMAP 10
DSW1(config-access-map)#match ip address 11
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map MYMAP 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter MYMAP vlan-list 20
DSW1(config)#end
DSW1#copy run start
Why did you configure the access MAP on vlan 10, and the ACL on vlan 11?
Hello Matthew,
I have EXACTLY the same issue as you. All the questions were right except this lab. Could you please tell me what you did to overcome this issue? What is the solution of this lab??
Thanks in advance.
Is it possible that the command "dot1x port-control auto" under the fastEthernet interface is no longer valid? Maybe it should be "authentication port-control auto" and "dot1x pae authenticator"?
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x pae authenticator and authentication port-control auto interface configuration commands (dot1x port-control auto command in Cisco IOS Release 12.2(33)SXH and earlier releases), the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). When the client receives the frame, it responds with an EAP-response/identity frame.
If the client does not receive an EAP-request/identity frame from the switch during bootup, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.
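The two ways the exchange quoted above can start (switch-initiated EAP-Request/Identity, or a client-initiated EAPOL-Start) are easy to see at the byte level. The Python below is an added example, not code from the comment or from Cisco documentation: it encodes and decodes the EAPOL and EAP headers as laid out in IEEE 802.1X and RFC 3748 and walks both variants of the opening exchange. The identity string and EAP identifiers are constructed; no switch or supplicant is involved.

```python
"""Encode and decode the EAPOL/EAP frames that open an 802.1X exchange.
Added example (not from the comment or Cisco docs); identities are constructed."""
import struct

ETHERTYPE_EAPOL = 0x888E                      # carried in the Ethernet header
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(packet_type, body=b"", version=2):
    """EAPOL header: Version(1) Type(1) Body-Length(2), then the body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def eap(code, identifier, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2); Request/Response add Type(1) + data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Decode one EAPOL frame, rejecting length fields that disagree with the bytes."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"version": version, "eapol_type": packet_type}
    if packet_type == EAPOL_EAP_PACKET:
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length disagrees with EAPOL length")
        info.update(code=code, identifier=identifier)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            info["eap_type"], info["data"] = body[4], body[5:eap_len]
    return info


def switch_initiated(identity, identifier=1):
    """Link comes up: the switch sends Request/Identity; the client answers
    Response/Identity echoing the Identifier so request and reply can be paired."""
    request = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))
    parsed = parse_eapol(request)                 # what the client sees on the wire
    response = eapol(EAPOL_EAP_PACKET,
                     eap(EAP_RESPONSE, parsed["identifier"], EAP_TYPE_IDENTITY, identity.encode()))
    return request, response


def client_initiated(identity):
    """Client missed the first request (e.g. booted before link-up): it sends an
    empty EAPOL-Start, the switch then issues Request/Identity and continues as above."""
    start = eapol(EAPOL_START)                    # no body: just the 4-byte header
    if parse_eapol(start)["eapol_type"] != EAPOL_START:
        raise RuntimeError("EAPOL-Start did not round-trip")
    return (start,) + switch_initiated(identity, identifier=2)
```

`parse_eapol` is the part a defender reuses: the same length checks apply when dissecting captured EAPOL traffic on a monitoring port, and a frame whose EAP length disagrees with its EAPOL length is malformed and worth logging rather than silently trimming.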
"int vlan 20
description new dot1x_users
ip address 172.120.10.1 255.255.255.0
no shut"
The requirement clearly states "Corporate polices do not allow layer 3 functionality to be enabled on the switches." So, no layer 3 means no IPs for VLANs.
I've tried this on a newer 4948 and 3750 and I can enter the command but then it adds the latter commands to the config after the fact. If you can't enter it at all then you might want to make sure that the switchport is in access mode.
When using the command 'dot1x port-control auto' I have to use "ip routing" on the port for the dot1x command to be available. Once I enter the 'dot1x port-control auto' and look at the running config I see: interface FastEthernet1/0/23
no switchport
no ip address
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
Is there anything else to the commands for this lab? Is this expected but not mentioned in the tutorial?
The GNS file??
Have these labs been removed?
vlan access-map commands are not working on GNS3. Is it normal or am I missing something? Please guide.
Where can I get the download?
vlan access-map is not supported by emulators (Packet Tracer, GNS, etc.) as it is a hardware "feature" on Cisco devices. You'll need at least 1 working Cisco 3750 to try these commands. BUT I think maybe Cisco IOU supports this, as Cisco IOU is usually used on CCIE tests and I think it should support it; also I saw GNS3 has support for implementing L2/L3 IOU IOS...
Cisco Nexus Titanium (Nexus Titanium-VM-51.2) supports VACLs =)
I tested dot1x with a 2940 (12.1.22ea14) and a 2960 (15.0.2se10a). These are my notes:
Using a single machine with two network interfaces as both radius server and dot1x client works here....
freeradius 3.x server setup:
---------------------------------------------------------------
eth1: flags=4163 mtu 1500
inet 10.10.20.1 netmask 255.255.255.0 broadcast 10.10.20.255
/etc/raddb/clients.conf:
client cisco {
ipaddr = 10.10.20.0/24
secret = radiuskey
}
/etc/raddb/users:
radius Cleartext-Password := "Cisco123"
mydot1xuser Cleartext-Password := "mydot1xpw"
# radiusd -X
--------------------------------------------------------------
dot1x client setup:
------------------------------------------------------------
eth0: flags=4163 mtu 1500
inet 10.10.10.99 netmask 255.255.255.0 broadcast 10.10.10.255
/etc/wpa_supplicant/wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=0
fast_reauth=1
network={
key_mgmt=IEEE8021X
eap=TTLS MD5
identity="mydot1xuser"
anonymous_identity="mydot1xuser"
password="mydot1xpw"
phase1="auth=MD5"
phase2="auth=PAP password=mydot1xpw"
eapol_flags=0
}
# wpa_supplicant -i eth0 -Dwired -c /etc/wpa_supplicant/wpa_supplicant.conf -d
--------------------------------------------------------------
c2960 switch with 15.0.2:
------------------------
hostname DSW1
sdm prefer lanbase-routing
! reload after this. you may now have multiple active SVIs.
!
vlan 10
name clients
vlan 20
name servers
!
no ip domain-lookup
aaa new-model
dot1x system-auth-control
!
!
radius server RADIUSSRV1
address ipv4 10.10.20.1 auth-port 1812 acct-port 1813
key radiuskey
!
dot1x system-auth-control
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1
description TRUNK to ASW
switchport mode trunk
!
interface GigabitEthernet0/8
description TO RADIUS
switchport access vlan 20
switchport mode access
!
interface Vlan10
description client gateway, ping this from client when auth ok
ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
description mgmtinterface, also for radius traffic
ip address 10.10.20.10 255.255.255.0
!
ip default-gateway 10.10.20.1
ip radius source-interface Vlan20
!
interface GigabitEthernet0/2
description DOT1xport to client
switchport access vlan 10
switchport mode access
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
dot1x pae authenticator
spanning-tree portfast
----------------------------
c2940 with 12.1.22
----------------------
hostname ASW1
vlan 10
name clients
vlan 20
name servers
aaa new-model
radius-server host 10.10.20.1 auth-port 1812 acct-port 1813 key radiuskey
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
description DOT1xport to client
switchport access vlan 10
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 60
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/8
! yeah, this hangs off DSW above. If all you have is a 2940/2950, adapt as needed.
description TRUNK to DSW
switchport mode trunk
!
interface Vlan20
description mgmtinterface, also for radius traffic
ip address 10.10.20.20 255.255.255.0
no ip route-cache
------------------------