Skip to main content

Implementing 802.1X - Windows 2012R2 + Cisco 4500 Switches



Implementing 802.1X Using Windows Server 2012R2 & Cisco 4500 Series Switches

Overview: This document is to outline how the configuration between Windows Server 2012 R2’s NPS Services and Cisco 4500 Series switches has been implemented.


High Level Diagram:
 

Requirements:

  • Windows Server 2012 R2 with NPS Server installed
  • Windows Server 2012 R2 with CA Services
  • Windows AD Environment
  • Cisco 4500 Series Switches
  • Windows 7-10 Clients to connect
NPS Configuration:
1. This assumes the above requirement that the NPS Service has already been installed on Windows Server 2012 R2
2. Disable all existing Policies under Connection Request Policies and Network Policies as you will be making your own, except one that states “Catch All” with the below parameters:


3. You will then need to add in a new Radius Client to have Policies built around. Friendly Name will be used going forward for the Policies for referencing the document.
4. Once completed, remember that the Shared Secret and the Command entered within the Cisco Switch needs to match. Also communication between the NPS Server and the Cisco Switch needs to have ports 1645 and 1646 opened. Windows Firewall also needs to permit these ports.
5. Create a new Connection Request Policy – This will be used to separate all “8021x” queries through initially from the rest of the other connection request policies. Here is an example configuration:


6. Then go to Network Policies and create your first Network Policies. This is actually where you define which user group ties back to what VLAN within AD.




7. Using the above, you can see that the CA is being used in the PEAP /EAP-MSCHAP v2 Modes. So the certificate on the Radius Server needs to be provided from the CA, and all clients connecting should also have a valid computer and user certificate from the same CA. You can also see that the Tunnel-Pvt-Group-ID needs to match the VLAN name defined within the Cisco Switch, and the User Group defined is how you determine that user group gets that vlan. If there is multiple user groups that is applied to a user, whoever is first in the Network Policy list, will apply first, and then the bottom applies last.
8. Lastly don’t forget to actually start the NPS Service.

CA Configuration:
This is straight forward, build a CA/SubCA and have the CA provide a certificate to the NPS Server which will be referenced above in the Certificate item piece under the Network Policy PEAP Configuration screens. All of the clients connecting to the NPS Server also requires to have Certificates for both user and computer on their PC from that Certificate Authority.

AD Environment:
In the situation that I was placed in, I created a new OU that had a mapping of all of the existing AD User Groups that was in use, and then mapped them back to VLAN. Then use that user group within the above settings in NPS Configuration.

Switch Configuration:
Below is an example configuration from an existing switch. The minimum requirements is below:

aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host auth-port 1645 acct-port 1646 key 0

interface GigabitEthernet3/12
 description 1X-2017
 switchport access vlan
 switchport mode access
 switchport voice vlan 90
 qos trust cos
 authentication event fail action authorize vlan
 authentication event no-response action authorize vlan
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 auto qos voip trust
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x max-reauth-req 1
 storm-control broadcast level 20.00
 storm-control action shutdown
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy output autoqos-voip-policy
Labels:

Comments

Post a Comment

Popular posts from this blog

Fortigate to USG B2B

Building Site-to-Site B2B from Unifi USG to Fortigate (500D or other models) Fortigate Configuration 1. Build a New VPN Tunnel using Custom VPN Tunnel (No Template) 2. Under Network, point to the Public Side IP of the USG (Public IP, not WAN interface) 3. Leave everything else default (NAT-T Enabled, DPD Disabled..ect) 4. Authentication, use PSK and IKEv1 with Main 5. Phase 1 Purposal, set algorithms to AES128 and SHA1, with DH 14. 6. Phase 2 Purposal, set Local Address and Remote address to 0.0.0.0/0.0.0.0 and 0.0.0.0/0.0.0.0 respectively. 7. Set Encryption to AES128/Sha1, Replay Detection and PFS enabled, along with DH14. Enable Autokey Keep Alive, and Auto-Negotiate, and save changes. 8. Build a Static Route pointing to the Far-End Destination/Segment you want to reach. 9. Build a Policy Stating which Segments can hit the Far-End Destination/B2B USG Configuration 1. This is assuming that USG is already registered to the Unifi Controller. 2. Go t
Post a Comment
Read more

How to setup a Host-Check for Fortigate SSL VPN

This document outlines how to setup a host-check for a Fortigate SSL VPN (Web only): config vpn ssl web portal edit "portalname" set web-mode enable set host-check custom set host-check-policy "Microsoft-Windows-Firewall" set os-check-enable set ip-pools "PoolName" set split-tunneling disable set page-layout double-column set theme orange config os-check-list "windows-7" set action check-up-to-date set latest-patch-level 1 end  config vpn ssl web host-check-software edit "Microsoft-Windows-Firewall" config check-item-list edit 1 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile:EnableFirewall==1" set type registry next edit 2 set target "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile:EnableFirewall==1" set type registry next edit 3 set target "HKLM\\SYSTEM\\CurrentControlSet\\S
3 comments
Read more