Cisco - Extreme NAC integration -multiauthentication, vlan, dot1x, mac

Updated 3 years ago
How to integrate Cisco switches with Extreme NAC. You can pass VLAN, ACLs per user, authenticate MAC or user, even download ACLs from NAC and even more - multi-authenticate up to 8 users on one Cisco port...
Tomasz Lubas

Posted 3 years ago

Christoph
Hello

You can find a few answers here: https://community.extremenetworks.com/extreme/topics/integration-cisco-switches-into-enterasys-nac

And I had already seen an integration guide for Cisco switches from Enterasys, but I can't find it anymore on Extreme's website.

Regards
Tomasz Lubas
It seems that Extreme cut off my previous post... and that was not a request for help but a how-to; anyway, thanks Christoph :)
Below is the full content of my post.

I'll try to show you how to integrate Cisco switches with Extreme NAC. You can pass VLAN, ACLs per user, authenticate MAC or user... even download ACLs from NAC and even more - multi-authenticate up to 8 users on one Cisco port... rate limit

! The first thing is to configure SNMP access; you should see a nice green circle in NMS after that.

snmp-server group V3Group v3 auth write myView
snmp-server group snmpgroup v3 auth read V3Read write V3Write
snmp-server group snmpgroup v3 priv
snmp-server view V3Read iso included
snmp-server view V3Write iso included
! 'rw' is a read-write community string; restrict it with an ACL or remove it once SNMPv3 works
snmp-server community rw RW
snmp-server location DemoLab-1floor
snmp-server contact Your contact info
! don't forget to create an SNMP user in your group with auth and priv credentials and proper security
! matching the NMS profile :)
! snmp user ....

! Then we need to configure AAA and RADIUS server(s). Don't forget to check that you didn't cut your own
! branch :) Enable the enable password, SSH access and NTP :)

! type 7 is reversible obfuscation, not encryption; 'enable secret' stores a hash instead
enable password 7 13061E010803
service password-encryption
username cisco privilege 15 password YOur-VerY-Secret-pASword-unencrypted-Here
ip domain-name your-domain-name
! modulus given on the command line instead of at the interactive prompt; 2048 is the usual minimum today
crypto key generate rsa modulus 1024
!
ntp server IP_of_ntp_server_here
! double-check that the clock is OK [yeah, Cisco uses clock, not date, time or something Linuxish :)]
!
ip ssh version 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh

! and finally AAA
! The first thing is to check IOS capabilities. From 15.02 you should be able to multi-auth users on a
! single port [as far as I know the 2960 combo switches have those features limited]
! I have tested on 2960G
!
aaa new-model
!
!
aaa group server radius radiusNAC
 server name your_radius_server_name
!
aaa authentication login default line enable
aaa authentication enable default enable none
aaa authentication dot1x default group radiusNAC
aaa authorization network default group radiusNAC
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radiusNAC
aaa accounting network default start-stop group radiusNAC
!
aaa server radius dynamic-author
! the line above is important for reauthentication (RADIUS CoA sent by the NAC)
! the lines below include the keys for the RADIUS servers [in this case the NAC gateways]; keep in mind that
! you should enter these keys in unencrypted form :)
 client NAC_1_IP server-key 7 0223306834322E06737D2138373236343F210919011C
 client NAC_2_IP server-key 7 0223306834322E06737D2138373236343F210919011C
 auth-type all
 ignore session-key
 ! 'ignore server-key' skips the shared-secret check on incoming CoA packets; drop it once the keys above match the NAC
 ignore server-key
 ignore retransmission
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
authentication critical recovery delay 1000
!
radius-server attribute nas-port format c
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server your_radius_server_name
 address ipv4 Radius_IP auth-port 1812 acct-port 1813
 key 7 132023213438250D1417001207073738252622647C6C
!
!
dot1x system-auth-control
dot1x critical eapol
!
! And interfaces, 1-for multiauth, 3-for dynamic, downloadable acls,
! 4-for multidomain [ipphone and computer on one port]
!
interface GigabitEthernet0/1
 switchport access vlan 33
 switchport mode access
 ip access-group 110 in
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 23
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 ! mab has to be enabled on the port for the mab method listed in the order above to run
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 33
 switchport mode access
 ip access-group 110 in
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 23
 authentication event no-response action authorize vlan 400
 authentication event server alive action reinitialize
 authentication open
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 2
 ip access-group default_acl in
 authentication control-direction in
 authentication event fail action authorize vlan 400
 authentication event server dead action authorize vlan 23
 authentication event no-response action authorize vlan 400
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order mab
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
!
ip access-list extended Unregistered
 permit ip any host 192.168.30.20
 permit ip any host 192.168.30.21
 deny   udp any any eq domain
 permit ip any any
ip access-list extended default_acl
 permit ip any any
access-list 100 permit ip any any
access-list 110 permit ip any any
ip access-list extended EnterpriseUser
 permit ip any any

! That's all from Cisco, then NAC

We need to make a policy, end devices/users group, NAC profile, group and configuration for the switch parameters.
The screens below show how to pass a VLAN and a named ACL to the Cisco switch.

[screenshots not preserved in this copy of the post]
You should enable debug on the Cisco switch to check that our work works :)

debug authentication...
debug radius ...


If you want to pass ACLs from NAC to Cisco, then you should use other option fields and reconfigure the switch parameters. Look at the avpair attributes!

That's all, I wish you much success playing with Cisco :) Please let me know if you have any success.
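The post above passes a VLAN and a named ACL from NAC to the switch and mentions the avpair attributes used for downloadable ACLs. As an added example (not code from the original post, Extreme or Cisco), the Python below builds and parses the RADIUS Access-Accept attributes that carry exactly those three things: the RFC 2868 tunnel attributes for the VLAN, Filter-Id with the ".in" suffix IOS expects for a named ACL, and Cisco-AVPair "ip:inacl#N=..." lines for a dACL. VLAN 33 and the ACL name EnterpriseUser are taken from the switch config above; the dACL line is constructed.

```python
import struct

# RFC 2865 / RFC 2868 attribute numbers and the values Cisco IOS expects for authorization
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (covers the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(attr_type, value, tag=1):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id 9, then sub-attribute 1 (cisco-avpair) with its own length."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def authorization_attrs(vlan, named_acl="", dacl_lines=()):
    """Attributes a NAC puts in Access-Accept: VLAN, optional named ACL, optional dACL lines."""
    out = tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    out += tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
    out += avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode())
    if named_acl:
        # IOS applies a Filter-Id only with the ".in" (or ".out") direction suffix
        out += avp(FILTER_ID, (named_acl + ".in").encode())
    for n, line in enumerate(dacl_lines, start=1):
        out += cisco_avpair("ip:inacl#%d=%s" % (n, line))
    return out

def decode(blob):
    """Walk an attribute blob back into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    if i != len(blob):
        raise ValueError("trailing byte without an attribute header")
    return attrs
```

Calling authorization_attrs(33, "EnterpriseUser", ["permit ip any any"]) and feeding the result to decode() shows the five attributes in the order the switch receives them; the length checks in decode() are what a NAS does before trusting an attribute.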
Michael Kirchner
Great job Tomasz,

I would alter the interface config a little bit.

Your Config:
authentication order mab dot1x
authentication priority mab dot1x

My Config:
authentication order mab dot1x
authentication priority dot1x mab

Reason: If the dot1x authentication grants higher privileges, I think they will not be enforced in your config.

Best Regards
Michael
Tomasz Lubas
Thanks Michael. The order depends on what you want to do first :) This config was modified many times for different ways of authentication.
Also there is one important thing. Whatever you set there, Cisco can ignore it. When you set the order on IOS <15.02, this setting is irrelevant because Cisco always tries dot1x first. Keep the right timeouts in mind then.
Michael Kirchner
Yes - against most config examples with current software, in my opinion it is best practice to set the order to mac then dot1x (to avoid timing issues) and the priority to dot1x.

Thanks a lot :)

Michael
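The exchange above is about two interface-level pitfalls: a method named in "authentication order" that is never enabled on the port, and a mab-first order whose priority still favours mab. As an added example (not from the thread, Extreme or Cisco), here is a small Python audit that splits IOS config text into stanzas and reports those two cases plus "ignore server-key" on the dynamic-author block; the priority rule encodes Michael's point that a higher-priority mab result keeps a later dot1x result from taking over, and the sample config is constructed to resemble the stanzas posted earlier, not taken from a real device.

```python
# Constructed sample (not a real device config): Gi0/1 lists mab in its order without enabling it; Gi0/3 runs mab first but keeps mab as the higher-priority method.
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 192.0.2.10 server-key 7 00000000
 ignore server-key
!
interface GigabitEthernet0/1
 authentication order dot1x mab
 authentication priority dot1x mab
!
interface GigabitEthernet0/3
 authentication order mab dot1x
 authentication priority mab dot1x
 mab
"""

def stanzas(config):
    """Split IOS config text into (header, indented child lines) blocks; '!' separators are skipped."""
    blocks, header, body = [], "", []
    for line in config.splitlines():
        if line.strip() == "!":
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            blocks.append((header, body))
            header, body = line.strip(), []
    blocks.append((header, body))
    return blocks

def method_list(body, keyword):
    """Methods after 'authentication <keyword>', e.g. ['mab', 'dot1x']; [] if the line is absent."""
    prefix = "authentication %s " % keyword
    return next((l[len(prefix):].split() for l in body if l.startswith(prefix)), [])

def audit(config):
    """Return (stanza header, message) findings for the pitfalls discussed in the thread."""
    findings = []
    for header, body in stanzas(config):
        if header == "aaa server radius dynamic-author" and "ignore server-key" in body:
            findings.append((header, "CoA accepted without checking the shared secret"))
        if not header.startswith("interface "):
            continue
        order, prio = method_list(body, "order"), method_list(body, "priority")
        if "mab" in order and "mab" not in body:
            findings.append((header, "mab in authentication order but not enabled"))
        if order[:1] == ["mab"] and prio[:1] != ["dot1x"]:
            findings.append((header, "mab runs first but a later dot1x result cannot take over"))
    return findings
```

Running audit() on a saved "show running-config" (paste it into SAMPLE_CONFIG or read it from a file) lists the ports to fix before the NAC policy is rolled out.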
Rainer Adam
You should know that it is NOT possible to authenticate more than ONE user per port in a different VLAN, except if you use the one client as "voice vlan" on the Cisco.....
Tomasz Lubas
Rainer, please read http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configur...
section
Multi-auth Per User VLAN assignment

and sentence: "When a hub is connected to an access port, and the port is configured with an access VLAN (V0).

The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1. This behaviour is similar on a single-host or multi-domain-auth port.

When a second host (H2) is connected and gets assigned to VLAN ( V2), the port will have two operational VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and VLAN (V2) are untagged."