Friday, July 9, 2010

802.1x

Had a pretty productive day today. I've enabled 802.1x in the lab and plan on deploying it next week at my place of work. So what sparked this, you might ask? Well, this morning I got a call from one of my friends who works in the same area I do. We happen to share the same internet connection. He controls the ASA and Barracuda. The reason for my friend's call was to inform me that one of our users was responsible for 30 percent of the bandwidth used up to that point in the day. I did some poking around and found out it wasn't even a computer on our domain. That's got to go. The answer? 802.1x. 802.1x is a form of port-level network access control: the switch requires a computer to authenticate against a RADIUS server before the port will pass traffic to the rest of the network.

Now what I couldn't find was any good documentation out there on the interwebs to help me. So now that I've ironed out a bunch of the kinks for our own deployment here, I'll show you what I did to make this happen.


First things first: install the Windows Network Policy and Access Services role. This guy is essentially Windows' RADIUS server. It allows our bubbling Cisco switch to authenticate ports against Active Directory. Sweet! To add the role, do the following:




Select Server Manager:


Now Select "Add Roles"


Select Network Policy and Access Services (obviously I have it installed already):

Next go to Active Directory and add a group. You can do either user or computer authentication, or both for that matter. I called my group "Network Access".




And obviously add your user to the group:


Now we need to open IIS and install a certificate. NPS presents this server certificate to the clients during PEAP authentication, so it has to exist before the policy will work.

Select "Create Self-Signed Certificate", unless you already have one that's official and signed by a trusted CA.





Now let's get into the Network Policy Server:


One thing I forgot to take screen shots of is adding a RADIUS Client. The Cisco switches are actually your RADIUS clients. Just add the IP and generate/create a key for each switch you want to add. We'll get to the configuration of the switch later, but remember this key: the switch configuration needs the exact same value, or the switch's requests will be dropped by NPS.


Select "Configure NAP". I think I want to configure a nap every day after lunch...hahahahha...ha...yeah.


I'm missing the screen shot, but on the first page select "802.1x Wired", who ha, and click Next. Then, when it asks which users or groups are allowed access, add that "Network Access" group.

Click Next a few more times.


And finish! Yay! Now on to our switch!


At this point we should be completely configured as far as Windows is concerned. We're ready to rock and roll on the switch side of things. Type these commands in:


configure terminal
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! The RADIUS server is the NPS box; the key must match the one you created
! for this switch's RADIUS client entry in NPS
radius-server host 10.0.0.1
radius-server key rAnDoMkEyH3r3
! Apply 802.1x to each access port that should require authentication
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
! Newer IOS releases also want "dot1x pae authenticator" on the interface and
! use "authentication port-control auto" in place of "dot1x port-control auto"
end
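Here's an added example (my own code, not something from NPS or the switch) showing why that shared key matters on the wire. An 802.1x switch carries EAP inside RADIUS Access-Requests, and RFC 2869 requires each of those to include a Message-Authenticator attribute: an HMAC-MD5 over the packet, keyed with the shared secret. If the key on the switch and the key on the NPS RADIUS client entry differ, the HMAC doesn't verify and NPS discards the request, so the PC never gets on. The username, EAP payload and request authenticator below are constructed sample values; the key is the placeholder from the switch config above.

```python
# Added example, not from the post: how the shared key configured on the switch and
# on the NPS RADIUS client entry is used. 802.1x Access-Requests carry EAP-Message
# and must carry Message-Authenticator = HMAC-MD5(secret, packet with that value
# zeroed). A wrong key means the HMAC fails and the RADIUS server drops the request.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80


def _attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, ident, username, eap, request_auth=None):
    """Build an Access-Request carrying EAP-Message and a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)  # 16 random bytes (RFC 2865)
    attrs = _attr(USER_NAME, username) + _attr(EAP_MESSAGE, eap)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    zeroed = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret, packet):
    """True if the packet's Message-Authenticator verifies under this secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, pos, rebuilt, found = packet[:20], 20, b"", None
    while pos + 2 <= length:  # walk the TLV attribute list, zeroing the MAC value
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute length
        value = packet[pos + 2:pos + alen]
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            found, value = value, b"\x00" * 16
        rebuilt += _attr(atype, value)
        pos += alen
    if found is None:
        return False  # an EAP request without Message-Authenticator must be rejected
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, found)
```

Build a request with the switch's key and check it with the NPS key: it only verifies when the two match, and any tampered byte fails as well.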


Once you do all that, you have one last thing to do: enable 802.1x on your PC. If you're on Windows 7 (and Vista, I think) enable the service "Wired AutoConfig". That service gives you an additional Authentication tab in your network interface properties. Enable 802.1x there and you're in business. Oh man, how I love this technology.

Hope this helps,
Matt

