Dear Experts
Kindly help me on this issue. I have been given a task to authenticate PCs using IEEE 802.1x with the IAS and Microsoft IAS; the switch (or the
authenticator) is a Catalyst 3550 acting as a layer 2 switch.
I tried to set up a lab using a Catalyst 3550 switch, a client PC and a server installed with Windows Server 2003. The main purpose was to allow a PC client to
authenticate to the IAS server through the Catalyst switch using a Microsoft certificate:
PC ----->>> ||catalyst3550||---->>|| IAS Windows 2003 server ||
- However, my manager requested me not to change the "EAP type" on the user PC and to leave it as "Smart Card or other certificate", so I searched for
documentation and found one that uses IEEE 802.1x with EAP type "Smart Card" on both server and client. Below are the steps of the configuration
guide I followed from this URL:
http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm
- I started issuing two additional certificate types:
- RAS and IAS Server
- Workstation Authentication
1. Open Certificate Authority Snap-in,
2. Right-Click on
3. Select RAS and IAS Server and Workstation Authentication Templates from the list
4. Since we would like to take advantage of certificate auto-enrollment capabilities of Active Directory we need to modify security settings on the
Workstation Authentication Template to allow Domain Computers to auto-enroll for this type of certificate. This would eliminate the need for manual
certificate distribution to desktops. In order to do this, while still in the Certificate Authority Snap-in right-click on Certificate Templates
node and select Manage. This should open Certificate Template Snap-in.
5. Once in Certificate Templates Snap-in select Workstation Authentication Template, and open its properties and switch to Security Tab. Setup
security so that Domain Computers can Read, Enroll and Autoenroll for this template.
- Configuration of Microsoft Internet Authentication Server (Radius) -
1. First we need to install RAS and IAS Certificate on the IAS server. While logged-in as a Domain Admin on the IAS server, run
mmc from command line
2. Ensure to select Computer account when adding the snap-in.
3. Expand Personal folder then right-click on Certificates and select to Request a New Certificate
4. Ensure to select RAS and IAS Server template
5. Provide a friendly name to the certificate and finish the wizard
6. Open IAS Snap-in, right-click on Internet Authentication Service and click on Register Server with Active Directory
7. Next we need to create a Radius Client that will represent our 802.1x capable switch. Right-click on Radius Clients and specify the IP address of
the management interface of the Catalyst Switch and a friendly name
8. Leave Radius Standard as the Client-Vendor and provide a shared secret. This secret key will be used to encrypt the traffic between the
IAS and Catalyst.
Make sure to match this shared secret when configuring Radius Server settings on the Catalyst Switch.
Click on Finish
9. Switch to Remote Access Policies. You can delete the default policies, unless they are being used.
10. Right-click on Remote Access Policies and select New Access Policy. Provide a name for the policy and choose custom policy type.
11. Next we need to add conditions that need to be met in order for the client to gain access. As you can see, multiple conditions can be provided.
For the purposes of this blog I only add one condition, which specifies that the request needs to come from the IP address of the Catalyst
Switch. Depending on the security requirements of your organization you may specify additional conditions. Of course, the validity of the client's
certificate will always be checked by the IAS server (see step 15).
12. Allow access if the conditions specified on the previous step are met. Click on next
13. Click on Edit Profile and switch to authentication tab
14. Uncheck all authentication methods and click on EAP Methods (EAP allows for certificate based authentication)
15. Click on Add new EAP authentication type and select Smart Card or other certificates. Click Ok
16. Finish the wizard
- Configuration of Active Directory Policy -
The whole idea is to prevent workstations without a valid certificate from connecting to the corporate network. Of course, this implies that we need to
distribute the appropriate certificates to the legitimate users/workstations. We can do this in a number of ways, but the most efficient one is through
autoenrollment process. See the link below on configuration of autoenrollment:
- Checklist: Configuring certificate autoenrollment -
1. Open Active Directory Users and Computers Snap-in
2. Select the OU where you want to modify the computer policy in order to allow for auto-enrollment. In this blog we assume that top level domain policy will
be modified. Select the properties of the OU and open the associated group policy.
3. Navigate to Computer Configuration->Windows Settings->Security Settings->Public Key Policy and double-click on Autoenrollment Settings.
Enable autoenrollment.
- Configuring Clients -
1. If you did not use certificate autoenrollment process you have to manually request the Workstation Authentication certificate. The process of requesting
this certificate is identical to the process we used to request RAS and IAS certificate earlier in this blog. The only exception is that we need to request a
Workstation Authentication certificate, see picture below.
2. Under the Network Connections ensure that the IEEE 802.1x authentication is enabled (this is default on Windows XP).
The Catalyst 3550 switch configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
dot1x system-auth-control
radius-server cache expiry 1
radius-server host 10.232.3.50 auth-port 1812 acct-port 1813 key ev6dfrs4
radius-server host 10.232.3.50 auth-port 1645 acct-port 1646 key ev6dfrs4
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server source-ports 1645-1646
radius-server timeout 4
radius-server deadtime 2
radius-server key ev6dfrs4
radius-server vsa send authentication
interface FastEthernet0/28
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
interface Vlan1
 ip address 10.232.3.150 255.255.252.0
==========
Using a port without authentication, everything works fine. Once I plug the cable into the port configured for authentication, the PC is not able to obtain an
IP address from the server and I get the message "Windows was not able to issue a certificate to let you log in". I ran a debug on the switch using
"debug aaa authentication" and "debug radius authentication" but got no output; even in the server event viewer there is no output.
- When changing the EAP type on the PC to the PEAP method with "CHAP version 2", and configuring the authentication method on the remote access policy of
Microsoft IAS on the Windows server to use PEAP and CHAP version 2, the following output appears in the debug of the Catalyst switch:
==========
07:03:55: RADIUS: authenticator 3E E6 EC F8 33 BE 0C 33 - 5A C3 B7 11 8E A1 E6 6E
07:03:55: RADIUS: User-Name [1] 13 "RADTEST\A7A"
07:03:55: RADIUS: Service-Type [6] 6 Framed [2]
07:03:55: RADIUS: Framed-MTU [12] 6 1500
07:03:55: RADIUS: Called-Station-Id [30] 19 "00-1B-D4-BD-D1-A0"
07:03:55: RADIUS: Calling-Station-Id [31] 19 "00-0F-B0-46-3C-E7"
07:03:55: RADIUS: EAP-Message [79] 18
07:03:55: RADIUS: 02 02 00 10 01 52 41 44 54 45 53 54 5C 41 37 41 [?????RADTEST\A7A]
07:03:55: RADIUS: Message-Authenticato[80] 18
07:03:55: RADIUS: E4 04 50 52 64 BE 58 FE AF 06 6B 56 98 6E 0E F1 [??PRd?X???kV?n??]
07:03:55: RADIUS: Vendor, Cisco [26] 24
07:03:55: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/28"
07:03:55: RADIUS: NAS-Port [5] 6 50028
07:03:55: RADIUS: NAS-Port-Type [61] 6 Eth [15]
07:03:55: RADIUS: NAS-IP-Address [4] 6 10.232.3.150
07:03:55: RADIUS: Received from id 1645/73 10.232.3.50:1812, Access-Reject, len 20 <<<<<<<<<<
07:03:55: RADIUS: authenticator CA 68 C6 A9 D1 22 C5 1C - D3 A8 26 24 15 F5 AA D9
07:03:55: RADIUS(00000007): Received from id 1645/73
==========
In the Windows event viewer I get the following: reason code 48 "connection attempt did not match any remote access policy", and on the client PC I get the message "Windows cannot log you onto the network".
- Even though I tried to search for documentation guides on the internet, there is no guide for troubleshooting such types of incidents; most of the guides include only the configuration guides for wireless LANs, and only a few cover wired networks.
Therefore kindly assist me to tackle this incident, or kindly provide me with a configuration guide, if possible, to configure IAS, CA and GP and integrate them with IEEE 802.1x on LAN networks.
Regards
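Added example (not part of the original post): a small Python parser for Catalyst "debug radius" output of the shape quoted above. It pulls out the RADIUS attributes, decodes the EAP-Message bytes, and reports the server's final answer, which makes it easy to see that in the quoted exchange the Access-Reject arrives straight after the client's EAP Identity response, before any certificate or TLS exchange has started. The sample text is constructed from the values shown in the post.

```python
import re

# Constructed sample in the format of the Catalyst "debug radius" output quoted in the post.
SAMPLE_DEBUG = """\
07:03:55: RADIUS: User-Name [1] 13 "RADTEST\\A7A"
07:03:55: RADIUS: Service-Type [6] 6 Framed [2]
07:03:55: RADIUS: Calling-Station-Id [31] 19 "00-0F-B0-46-3C-E7"
07:03:55: RADIUS: EAP-Message [79] 18
07:03:55: RADIUS: 02 02 00 10 01 52 41 44 54 45 53 54 5C 41 37 41 [?????RADTEST\\A7A]
07:03:55: RADIUS: Message-Authenticato[80] 18
07:03:55: RADIUS: E4 04 50 52 64 BE 58 FE AF 06 6B 56 98 6E 0E F1 [??PRd?X???kV?n??]
07:03:55: RADIUS: NAS-Port [5] 6 50028
07:03:55: RADIUS: NAS-IP-Address [4] 6 10.232.3.150
07:03:55: RADIUS: Received from id 1645/73 10.232.3.50:1812, Access-Reject, len 20
"""

ATTR_RE = re.compile(r'RADIUS: ([\w-]+) ?\[(\d+)\] (\d+)\s*(.*)$')   # Name [type] len value
HEX_RE = re.compile(r'RADIUS: ((?:[0-9A-F]{2} )+[0-9A-F]{2})')       # hex dump continuation
RESULT_RE = re.compile(r'RADIUS: Received from id \S+ (\S+), (Access-\w+)')
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def decode_eap(packet: bytes) -> dict:
    """Decode the EAP header (code, id, length, type); extract the identity for Identity frames."""
    code, ident, length = packet[0], packet[1], int.from_bytes(packet[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = packet[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            out["identity"] = packet[5:length].decode("ascii", "replace")
    return out

def parse_debug(text: str) -> dict:
    """Return the RADIUS attributes, the decoded EAP-Message and the server's final Access-* code."""
    attrs, eap_hex, result, collecting = {}, [], None, False
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            result = {"server": m.group(1), "code": m.group(2)}
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(4).strip().strip('"')
            collecting = m.group(1) == "EAP-Message"   # only gather hex that belongs to EAP-Message
            continue
        m = HEX_RE.search(line)
        if m and collecting:
            eap_hex.append(m.group(1))
    out = {"attributes": attrs, "result": result}
    if eap_hex:
        out["eap"] = decode_eap(bytes.fromhex("".join(eap_hex).replace(" ", "")))
    return out
```

Running `parse_debug(SAMPLE_DEBUG)` shows an EAP Response of type Identity for "RADTEST\A7A" followed immediately by Access-Reject from 10.232.3.50:1812, i.e. the policy decision was made on the identity alone.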