Skip to main content

Implementing 802.1X - Windows 2012R2 + Cisco 4500 Switches



Implementing 802.1X Using Windows Server 2012R2 & Cisco 4500 Series Switches

Overview: This document is to outline how the configuration between Windows Server 2012 R2’s NPS Services and Cisco 4500 Series switches has been implemented.


High Level Diagram:
 

Requirements:

  • Windows Server 2012 R2 with NPS Server installed
  • Windows Server 2012 R2 with CA Services
  • Windows AD Environment
  • Cisco 4500 Series Switches
  • Windows 7-10 Clients to connect
NPS Configuration:
1. This assumes the above requirement that the NPS Service has already been installed on Windows Server 2012 R2
2. Disable all existing Policies under Connection Request Policies and Network Policies as you will be making your own, except one that states “Catch All” with the below parameters:


3. You will then need to add in a new Radius Client to have Policies built around. Friendly Name will be used going forward for the Policies for referencing the document.
4. Once completed, remember that the Shared Secret and the Command entered within the Cisco Switch needs to match. Also communication between the NPS Server and the Cisco Switch needs to have ports 1645 and 1646 opened. Windows Firewall also needs to permit these ports.
5. Create a new Connection Request Policy – This will be used to separate all “8021x” queries through initially from the rest of the other connection request policies. Here is an example configuration:


6. Then go to Network Policies and create your first Network Policies. This is actually where you define which user group ties back to what VLAN within AD.




7. Using the above, you can see that the CA is being used in the PEAP /EAP-MSCHAP v2 Modes. So the certificate on the Radius Server needs to be provided from the CA, and all clients connecting should also have a valid computer and user certificate from the same CA. You can also see that the Tunnel-Pvt-Group-ID needs to match the VLAN name defined within the Cisco Switch, and the User Group defined is how you determine that user group gets that vlan. If there is multiple user groups that is applied to a user, whoever is first in the Network Policy list, will apply first, and then the bottom applies last.
8. Lastly don’t forget to actually start the NPS Service.

CA Configuration:
This is straight forward, build a CA/SubCA and have the CA provide a certificate to the NPS Server which will be referenced above in the Certificate item piece under the Network Policy PEAP Configuration screens. All of the clients connecting to the NPS Server also requires to have Certificates for both user and computer on their PC from that Certificate Authority.

AD Environment:
In the situation that I was placed in, I created a new OU that had a mapping of all of the existing AD User Groups that was in use, and then mapped them back to VLAN. Then use that user group within the above settings in NPS Configuration.

Switch Configuration:
Below is an example configuration from an existing switch. The minimum requirements is below:

aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host auth-port 1645 acct-port 1646 key 0

interface GigabitEthernet3/12
 description 1X-2017
 switchport access vlan
 switchport mode access
 switchport voice vlan 90
 qos trust cos
 authentication event fail action authorize vlan
 authentication event no-response action authorize vlan
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x max-reauth-req 1
 storm-control broadcast level 20.00
 storm-control action shutdown
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy
Labels:

Comments

Post a Comment

Popular posts from this blog

How to setup a Host-Check for Fortigate SSL VPN

This document outlines how to setup a host-check for a Fortigate SSL VPN (Web only): config vpn ssl web portal edit "portalname" set web-mode enable set host-check custom set host-check-policy "Microsoft-Windows-Firewall" set os-check-enable set ip-pools "PoolName" set split-tunneling disable set page-layout double-column set theme orange config os-check-list "windows-7" set action check-up-to-date set latest-patch-level 1 end  config vpn ssl web host-check-software edit "Microsoft-Windows-Firewall" config check-item-list edit 1 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1" set type registry next edit 2 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1" set type registry next edit 3 set target "HKLM\\SYSTEM\\CurrentControlSet\\S...
3 comments
Read more

OVA/OVF Templates and Older Versions of VMware ESXI

Recently ran into this issue which I feel is something that I should document, as it provides some additional details onto how to configure or modify an existing .ova or .ovf file which is the standard deployment template for ESXI/VMware. Here was the issue: - ESXI 5.5 - OVA required hardware type 8. Gave an error of  " Unsupported hardware version - vmx-8" when testing. Based on everything I was reading, it isn't supported. So using the ovftool which can be found on VMware's Website ( here ) you can basically extract out the ova/ovf file into a directory, and then use it to modify the VMX file and then put it all back together. Steps: 1. Download the application and install it. 2. Go to the directory where the ovftool is stored via cmd line (Typically C:\Programs Files\Vmware\ect..) 3. Issue the following command: ovftool 4. Then modify the .vmx file so that it contains now the hardware ID of 7 (or whatever you need set for your release). 5. Then issu...
1 comment
Read more