Extreme Management Center


Extreme Management Center Cisco Switch Integration Guide

Abstract: This document describes how to use a Cisco switch as an edge enforcement point in Extreme Management Center (formerly NetSight). The intended audience for this document is an Extreme Networks employee or partner with an Extreme Management Center certification.

Published: August 2017

Extreme Networks, Inc., Via Del Oro, San Jose, California

Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on Extreme Networks trademarks, see

Contents

Overview
Test Environment
Part 1: Configure the Cisco Switch
    Step 1: Configure SNMP
    Step 2: Configure RADIUS
    Step 3: Configure the VLANs and/or ACLs for Enforcement
    Step 4: Configure the Interfaces for Authentication
Part 2: Configure EAC for the Cisco Switch
    Step 1: Add the Cisco Switch to EAC
    Step 2: Configure the EAC Policy Mappings
    Step 3: Configure Router Lookups for IP Resolution
Appendix A: Example ACLs for the Cisco Switch
Appendix B: Considerations for VoIP Connections
Appendix C: IP Resolution Options
Appendix D: Troubleshooting
Revision History
Terms and Conditions for Use

Overview

There are five phases to integrating Cisco switches into Extreme Management Center (EMC, formerly NetSight):

1. All clients must authenticate to the Extreme Access Control (formerly NAC) engine using RADIUS. This can be either 802.1X or MAC authentication. In a Cisco network, MAC authentication is called MAC Authentication Bypass. This is a bare minimum to access the end system within EAC.

2. Enforcement must be applied via RADIUS attributes. The standard method for this is to use VLANs according to RFC. However, sometimes that can result in users having stale IP addresses after being moved between VLANs. The other method used for the Cisco wireless LAN controller (WLC) is the passing of dynamic Access Control Lists (ACLs) and Vendor Specific Attributes (VSAs), both of which can be used to provision users' access dynamically.

3. A way is needed to re-authenticate devices on demand. The standards-based method of doing this is by using RFC 3576 (also known as RFC 5176) to dynamically send a re-authentication via RADIUS. This is also known as a CoA (Change of Authorization) or POD (Packet of Disconnect). EAC also has native support for Cisco's Reauthentication MIB, which can be used in place of RFC.

4. A way is needed to redirect users' web traffic in the case of registration or remediation. Typically, policy-based routing is used if specific attributes can be set to single out an unregistered or quarantined user's web traffic. However, it hasn't yet been discovered how to do this on Cisco. Instead, the DNS proxy redirection solution is used. This solution spoofs DNS responses to the client when the user needs to be redirected. Note that this functionality also requires a change to the DHCP scope to assign the EAC Gateway as a secondary DNS server.

5. Router SNMP queries need to be configured in order to verify an IP address of a connecting device. The IP address will be discovered via DHCP snooping. However, it sometimes needs to be verified by querying the ARP cache of the router.

Note: If VLAN-based enforcement is to be used, policy-based routing should be used. It is still the best method for redirection.

Test Environment

Extreme Management Center (NetSight) and Extreme Access Control (EAC) version
Cisco 2960 version 12.2(58)SE2
Cisco 3750 version 12.2(55)SE2
Cisco 3750G version 15.0(2)SE2
Cisco 3750X version 12.2(58)SE2

Part 1: Configure the Cisco Switch

The first section covers configuring the Cisco switch to be monitored by Extreme Management Center (EMC, formerly NetSight) and configuring EAC for use as a RADIUS server. All configurations are done by command line. It is assumed that the console has access to the switch.

Step 1: Configure SNMP

For EMC to manage the switch, it needs to have SNMP read/write capabilities configured. We highly recommend that, if possible, the Cisco switch be configured to use SNMPv3. SNMPv3 has many advantages over v1 and v2, including security of communication and performance. To configure SNMPv3 on a Cisco switch, enter the following commands:

    snmp-server group V3Group v3 auth read V3Read write V3Write
    snmp-server user snmpuser V3Group v3 auth md5 snmpauthcred priv des snmpprivcred
    snmp-server view V3Read iso included
    snmp-server view V3Write iso included

Step 2: Configure RADIUS

So that the Cisco switch can authenticate against EAC, the EAC engine must be configured as a RADIUS server on the switch. This requires a few sets of commands on the switch.

The first set of commands creates aaa rules. These need to be carefully evaluated when applying them, as it is quite easy to deny existing Telnet, SSH, or console access to the switch. Note if any of these commands are already present and adjust the commands accordingly. If no aaa commands are present, the following commands will need to be added:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable none
    !add a username to log into the switch locally
    username admin privilege 15 password 0 MyPassword123

Use the following commands to add the EAC engine as a RADIUS server. Note that the RADIUS shared secret will always be ETS_TAG_SHARED_SECRET. The test username is used to verify that an EAC engine is still alive after a default period of 60 minutes. This account does not need to exist; the switch is only looking for a response from the server.

    !add a test account for RADIUS connectivity checks
    username test-radius privilege 0 password 0 BadPass123
    !Repeat this command for all EAC engines the switch will authenticate against.
    radius-server host <EAC-engine-IP> auth-port 1812 acct-port 1813 test username testradius key ETS_TAG_SHARED_SECRET

After defining the EAC engines, add them to a group that can be used in the aaa configuration:

    aaa group server radius EAC
     !Add any other EAC engines here
     server <EAC-engine-IP> auth-port 1812 acct-port 1813

Define a few more RADIUS options for the switch to make the EAC process operate smoothly:

    !set the source interface for the RADIUS traffic to be the management interface
    ip radius source-interface vlan 20
    radius-server attribute nas-port format c
    radius-server vsa send authentication
    radius-server vsa send accounting
    radius-server dead-criteria time 30 tries 3

Add the aaa rules for the switch to authenticate users against the EAC engines:

    aaa authentication dot1x default group EAC
    aaa authorization network default group EAC
    aaa accounting dot1x default start-stop group EAC
    aaa accounting update periodic 5

Add the following commands to enable RFC 3576 support. This is not required for EAC, but it can be useful if problems arise with re-authentication:

    !time needs to be accurate for RFC 3576 to function properly.
    ntp server <NTP-server-IP>
    aaa server radius dynamic-author
     !add any other EAC engines here
     client <EAC-engine-IP> server-key ETS_TAG_SHARED_SECRET
     auth-type any

Add the following global commands to make the authentication process run a bit more smoothly:

    !time to wait in ms after the EAC comes back online
    authentication critical recovery delay 1000
    !
    !Allows a device to move between ports on a switch and still be authenticated
    authentication mac-move permit
    !allows devices to connect to the network even if EAC is down
    dot1x critical eapol
    !enables internal tracking of IPs on the switch
    ip device tracking
    !turns on logging for internal policy functions
    epm logging

Step 3: Configure the VLANs and/or ACLs for Enforcement

There are two enforcement methods for devices attaching to a Cisco switch: passing back dynamic VLANs or passing back dynamic ACLs. Both the VLANs and the ACLs must exist on the switch before they can be dynamically assigned.

To preconfigure VLANs, enter the following commands for each applicable VLAN. Defining the VLAN ID and name gives the option to use either the ID or name within EAC as well.

    vlan 98
     name Quarantine

To preconfigure the ACLs, enter the following commands for each applicable ACL. Note that the ACL names cannot contain spaces.

    ip access-list extended Unregistered
     permit ip any host <host-IP>
     deny udp any any eq domain
     permit ip any any

Appendix A: Example ACLs for the Cisco Switch contains a list of example default ACLs that can be used as a starting point.

Note: According to Cisco's documentation, "For any ACL configured for multiple-host mode, the source portion of statement must be any. (For example, permit icmp any host )" This is also believed to be true for multi-auth mode as well. If this rule is not followed, authorization will fail.

Step 4: Configure the Interfaces for Authentication

Each interface that will be connected to an end system should have authentication enabled in order to be visible in EAC. Note that the commands below assume that both 802.1X and MAC authentication will be used on the wire. If 802.1X will not be used, it can be removed from the command list. These commands will most likely need to be merged with existing commands on each interface. The interface range command can also be used to modify multiple interfaces at once.

    interface GigabitEthernet 1/0/10
     switchport mode access
     switchport access vlan 3
     !Allows traffic before authentication is completed.
     authentication open
     !printers seem to have issues without this command turned on.
     authentication control-direction in
     !allow multiple devices to authenticate to a single port.
     authentication host-mode multi-auth
     !re-authenticate periodically
     authentication periodic
     !listen to session-timeout information from EAC.
     authentication timer reauthenticate server
     !if 802.1X fails, use MAC authentication
     authentication event fail action next-method
     !if EAC fails, open access to the access VLAN listed above
     authentication event server dead action authorize vlan 3
     !When EAC comes back online, re-authenticate.
     authentication event server alive action reinitialize
     !use 802.1X first if available, then MAC authentication bypass.
     authentication order dot1x mab
     authentication priority dot1x mab
     !if a device moves from one port to another, replace the existing session.
     authentication violation replace
     !enable MAC authentication bypass and 802.1X.
     mab
     dot1x pae authenticator
     !set 802.1X timeout to 10 seconds. This can be adjusted if 802.1X timeout is taking long.
     !if 802.1X is used in the network, though, be careful of making it too low.
     dot1x timeout tx-period 10
     !Set port as an edge port for Spanning Tree.
     spanning-tree portfast
     !enable authentication on this port.
     authentication port-control auto

After entering all of these commands, an interface should look similar to this:

    interface GigabitEthernet1/0/10
     switchport access vlan 3
     switchport mode access
     authentication control-direction in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 3
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

If 802.1X will be used, enter one last command to globally enable 802.1X on the switch:

    dot1x system-auth-control
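One way to check a switch against Part 1 before relying on it as an enforcement point, as an added example that is not part of the Extreme Networks guide: the script parses IOS-style configuration text and reports access ports and global settings that lack the commands listed above, plus a dead-server VLAN that differs from the port's access VLAN. The function names, the selection of required commands and the sample configuration are assumptions constructed for illustration.

```python
# Per-port commands from the guide's Step 4 listing; VLAN lines are checked separately.
REQUIRED_PORT_CMDS = [
    "authentication open",
    "authentication control-direction in",
    "authentication host-mode multi-auth",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication event fail action next-method",
    "authentication event server alive action reinitialize",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication violation replace",
    "mab",
    "dot1x pae authenticator",
    "spanning-tree portfast",
    "authentication port-control auto",
]
# Global commands from Part 1 that take no site-specific arguments.
REQUIRED_GLOBAL_CMDS = [
    "aaa new-model",
    "aaa authentication dot1x default group EAC",
    "aaa authorization network default group EAC",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
    "ip device tracking",
    "dot1x system-auth-control",
]
ACCESS_VLAN = "switchport access vlan "
DEAD_VLAN = "authentication event server dead action authorize vlan "


def parse_config(text):
    """Return (global commands, {interface name: [commands]}) from config text."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        cmd = " ".join(raw.split())            # collapse runs of whitespace
        if not cmd or cmd.startswith("!"):     # separators and comments
            if not raw.startswith(" "):
                current = None                 # an unindented "!" closes the stanza
            continue
        if cmd.startswith("interface "):
            current = cmd[len("interface "):].replace(" ", "")
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, interfaces


def _arg(cmds, prefix):
    """Text following `prefix` in the first matching command, or None."""
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)


def audit_port(cmds, use_dot1x=True):
    """List deviations of one access port from the Step 4 command set."""
    required = [c for c in REQUIRED_PORT_CMDS if use_dot1x or "dot1x" not in c]
    findings = ["missing: " + c for c in required if c not in cmds]
    access, dead = _arg(cmds, ACCESS_VLAN), _arg(cmds, DEAD_VLAN)
    if dead is None:
        findings.append("missing: " + DEAD_VLAN + "<access VLAN>")
    elif dead != access:
        findings.append(f"dead-server VLAN {dead} differs from access VLAN {access}")
    return findings


def audit_config(text, use_dot1x=True):
    """Return {"global" or interface name: [findings]} for everything that deviates."""
    global_cmds, interfaces = parse_config(text)
    report = {}
    missing = ["missing: " + c for c in REQUIRED_GLOBAL_CMDS
               if c not in global_cmds
               and (use_dot1x or c != "dot1x system-auth-control")]
    if missing:
        report["global"] = missing
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds:   # uplinks and trunks are skipped
            findings = audit_port(cmds, use_dot1x)
            if findings:
                report[name] = findings
    return report


# Constructed sample: Gi1/0/10 follows the guide, Gi1/0/11 does not, Gi1/0/24 is an uplink.
SAMPLE = "\n".join(
    REQUIRED_GLOBAL_CMDS[:-1]                  # dot1x system-auth-control left out
    + ["!", "interface GigabitEthernet1/0/10",
       " switchport access vlan 3", " switchport mode access"]
    + [" " + c for c in REQUIRED_PORT_CMDS]
    + [" " + DEAD_VLAN + "3", "!",
       "interface GigabitEthernet1/0/11",
       " switchport access vlan 3", " switchport mode access",
       " authentication open", " mab", " " + DEAD_VLAN + "98", "!",
       "interface GigabitEthernet1/0/24", " switchport mode trunk", "!"])

if __name__ == "__main__":
    for scope, findings in audit_config(SAMPLE).items():
        for finding in findings:
            print(f"{scope}: {finding}")
```

Pass use_dot1x=False when only MAC authentication is deployed, which drops the 802.1X-specific commands from the required set.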

Part 2: Configure EAC for the Cisco Switch

This section describes how to configure Extreme Management Center (EMC, formerly NetSight) and Extreme Access Control (EAC, formerly NAC) to monitor the Cisco switch and use it as an edge enforcement point for EAC.

Step 1: Add the Cisco Switch to EAC

The first step in the process of integrating the Cisco switch with EAC is to add it to the Extreme Management Center's EAC configuration with the RADIUS attributes that should be returned to it for enforcement.

1. Open Management Center and navigate to the Control > Access Control tab.

2. Expand the Engines section in the left-panel.

3. Select the engine you are using to monitor the Cisco switch in the Engines section. The Engine panel displays in the right-panel.

4. Click the Switches tab in the right-panel.

5. Click Add Switches. The Add Switches to Access Control Engine Group window displays.

6. Add the Cisco switch to the Management Center database, if the switch is not yet added.
   - Click Add Device in the left-panel to add the switch to the Management Center database. The Add Device window displays.
   - Enter the IP Address of the switch and select the Profile with the appropriate SNMP credentials. Note: Configure a new set of SNMP credentials on the Administration > Profiles tab.
   - Enter a Nickname for the device, if necessary. Note: If no Nickname is entered, the device IP address is used for its name in Management Center.
   - Click OK.

7. Select the device in the left-panel of the Add Switches to Access Control Engine Group window. Some settings automatically populate in the right-panel based on the type of device selected.

8. Ensure the following fields are configured properly:
   - Switch Type: Layer 2 Out-of-Band
   - Primary Engine: The EAC engine used to monitor the switch
   - Secondary Engine: Secondary EAC engine, if one is to be used
   - Auth. Access Type: Manual RADIUS Configuration
   - RADIUS Accounting: Enabled

9. Click Advanced. The Advanced Switch Settings window displays.

10. Ensure IP Subnet for IP Resolution is None and click OK.

11. Select the appropriate RADIUS Attributes to Send for your network.
    - Select RFC 3580 VLAN ID if using dynamic VLANs.
    - Select Cisco Wired Dynamic ACL if using dynamic ACLs. If this option is not available, configure the RADIUS attributes via the legacy NAC Manager java application.

    i. Click the Menu icon in the Management Center top menu and select Legacy. The NetSight Suite Home page displays.
    ii. Click NAC Manager to download the java application.
    iii. Navigate to the download path and open NAC Manager.
    iv. Select the engine you are using to monitor the switch in the left-panel and click the NAC Configurations button. The NAC Configurations window displays.

    v. Select AAA: <NAC Configuration> in the left-panel.
    vi. Select the appropriate authentication mapping in the table and click the Edit selected mapping button. The Edit User to Authentication Mapping window displays.
    vii. Expand the Inject Authentication Attrs drop-down menu and select Edit RADIUS Attribute Settings. The RADIUS Attribute Settings window displays.
    viii. There are multiple ways to determine the format of the RADIUS attributes to send back to the switch. One way is to use the custom field. For this method, the full RADIUS attribute and value would be in the custom field. Another option is to create a new set of RADIUS attributes. Click Add and enter the correct RADIUS attributes into the new window. The following example displays a dynamic ACL being applied from the Custom 4 field. Another option is to assign both a VLAN and a dynamic ACL.

    The RADIUS attribute that assigns the ACL on the Cisco switch is called Filter-Id. Create the following entries in the settings window. Note that the Filter-Id needs to end with .in for the Cisco switch to know to assign this ACL as an inbound ACL.

    Attribute Definition:

        Filter-Id=%CUSTOM4%.in %CUSTOM2% %CUSTOM3%


12. Restart Management Center after creating the new attribute.

13. Select the new attribute in the drop-down list for RADIUS Attributes to Send when adding the switch. Press OK to finish adding the wireless controller to EAC.

Step 2: Configure the EAC Policy Mappings

The next step to integrating with the Cisco switch is to configure Extreme Access Control (EAC, formerly NAC) to send back different dynamic ACLs or VLANs based on the determined state and policy of the end system.

1. Navigate to the Policy Mapping Configuration panel by navigating to Configuration Profiles Policy Mappings in the Access Control tab.

   By default, the Policy Mappings Configuration screen shows the Basic view. This view shows only the configurations that are being used by the switches added to EAC Manager. If both VLANs and dynamic ACLs are used, there will be an additional column for VLAN. In this example, because Custom2, Custom3, and Custom4 were used, they are the only additional fields to be shown for each dynamic ACL.

   To modify an existing mapping, either click the Edit button or double-click an existing entry.

2. Enter the appropriate dynamic ACL name in the Custom4 field. Since the custom attribute created for the switch was Filter-Id=%CUSTOM4%.in, the resulting attribute to be passed back from the example below will be Filter-Id=GuestAccess.in. Leave the Custom2 and Custom3 fields empty.
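The constraints this guide places on dynamic ACLs (the ACL must already exist on the switch, its name cannot contain spaces, the source of every entry must be any, the Filter-Id must end with .in, and %EACIP% must be replaced with a real address) can be checked together before a mapping goes live. The following is an added example, not part of the Extreme Networks guide or of EAC itself: it expands the attribute definition for a policy mapping and lints the referenced ACL. The function names, the rule that an attribute whose custom field is empty is not sent, and the sample ACLs and mappings are assumptions constructed for illustration.

```python
import re

# Attribute definition from the guide; %CUSTOMn% is filled in per policy mapping.
TEMPLATE = "Filter-Id=%CUSTOM4%.in %CUSTOM2% %CUSTOM3%"


def render_attributes(template, fields):
    """Expand %NAME% variables. Assumption: an attribute with an empty field is not sent."""
    attrs = []
    for token in template.split():
        names = re.findall(r"%(\w+)%", token)
        if all(fields.get(n) for n in names):
            attrs.append(re.sub(r"%(\w+)%", lambda m: fields[m.group(1)], token))
    return attrs


def parse_acls(config):
    """Return {ACL name: [entry token lists]} for 'ip access-list extended' blocks."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = " ".join(tokens[3:])
            acls[current] = []
        elif tokens and tokens[0] in ("permit", "deny") and current is not None:
            acls[current].append(tokens)
        elif tokens and not tokens[0].startswith("!"):
            current = None                     # any other command ends the ACL block
    return acls


def lint_acl(name, entries):
    """Check each entry against the multi-host/multi-auth rule quoted in the guide."""
    problems = []
    for entry in entries:
        text = " ".join(entry)
        if len(entry) < 3 or entry[2] != "any":   # permit|deny <protocol> <source> ...
            problems.append(f"{name}: source is not 'any' in '{text}'")
        if "%" in text:                           # e.g. %EACIP% left in after copy/paste
            problems.append(f"{name}: unsubstituted variable in '{text}'")
    return problems


def check_mapping(fields, switch_acls, template=TEMPLATE):
    """Return (attributes to send, problems) for one policy mapping row."""
    attrs, problems = render_attributes(template, fields), []
    for attr in attrs:
        if not attr.startswith("Filter-Id="):
            continue
        value = attr[len("Filter-Id="):]
        if not value.endswith(".in"):
            problems.append(f"{attr}: Filter-Id must end with .in")
        name = value[:-3] if value.endswith(".in") else value
        if " " in name:
            problems.append(f"{name!r}: ACL names cannot contain spaces")
        elif name not in switch_acls:
            problems.append(f"{name}: ACL is not defined on the switch")
        else:
            problems.extend(lint_acl(name, switch_acls[name]))
    return attrs, problems


# Constructed sample: ACLs as they might appear in the switch configuration.
SWITCH_CONFIG = """\
ip access-list extended GuestAccess
 permit ip any any
ip access-list extended Unregistered
 permit ip any host %EACIP%
 permit udp any any eq bootps
 deny icmp any any
ip access-list extended Printers
 permit ip host 192.0.2.50 any
"""
# Constructed sample: policy mapping rows (policy name -> custom field values).
MAPPINGS = {
    "Guest": {"CUSTOM4": "GuestAccess"},
    "Unregistered": {"CUSTOM4": "Unregistered"},
    "Printer": {"CUSTOM4": "Printers"},
    "Quarantine": {"CUSTOM4": "Quarantine"},
    "IP Phone": {"CUSTOM4": "GuestAccess",
                 "CUSTOM2": "cisco-avpair=device-traffic-class=voice"},
}

if __name__ == "__main__":
    acls = parse_acls(SWITCH_CONFIG)
    for policy, fields in MAPPINGS.items():
        attrs, problems = check_mapping(fields, acls)
        print(policy, attrs, problems or "ok")
```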

Step 3: Configure Router Lookups for IP Resolution

The last step for integrating the Cisco switch with Extreme Access Control (EAC) is ensuring that IP resolution will work properly. For this to happen, we highly recommend that SNMPv3 read-only credentials be configured on the router through which users will connect. With these credentials configured, EAC can be set to do an SNMP lookup of the ARP cache to determine whether the client has an entry there.

To configure router lookups for IP resolution, open the Advanced EAC Configuration screen and navigate to Appliance Configuration as shown previously. On the IP Resolution screen, select the appropriate SNMP profile for the router. If one is not already created, create a set of SNMP credentials in Extreme Management Center (NetSight) that can be used with the router. If the switch and router(s) share the same SNMP credentials, you can skip this step because the default action is to use the same SNMP credentials as the switch.

Note: We highly recommend that SNMPv3 be used instead of SNMPv1 or v2. SNMPv3 provides a much higher level of security and efficiency.

Appendix A: Example ACLs for the Cisco Switch

This section contains example definitions for the ACLs that must be configured on the Cisco switch. The ACLs are currently configured for a format that can be used in the Extreme Management Center (NetSight) Console's Command Script Utility. However, they could also be copied and pasted into a console session with the wireless controller. If you use copy/paste, be sure to change the %EACIP% variable to the real IP address of the EAC engine.

    terminal length 0
    enable
    %ENABLEPSWD%
    conf t
    ip access-list extended Administrator
     permit ip any any
    ip access-list extended Assessing
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended DenyAccess
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended EnterpriseUser
     permit ip any any
    ip access-list extended Failsafe
     permit ip any any
    ip access-list extended GuestAccess
     permit ip any any
    ip access-list extended Notification
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended Quarantine
     permit ip any host %EACIP%
     permit udp any any eq bootps
    ip access-list extended Unregistered
     permit ip any host %EACIP%
     permit udp any any eq bootps
     deny icmp any any
    end

Appendix B: Considerations for VoIP Connections

When an IP phone is connected to a Cisco switch port that has Extreme Access Control (EAC) enabled, the following considerations apply.

- Define the IP phone in an End Systems group within EAC, and have an EAC profile and policy assigned specifically to the IP phone.
- Create a dynamic ACL for the IP phone.

In the switch configuration, each interface that a phone could be on should have the following command, where the Voice VLAN being used is substituted appropriately:

    switchport voice vlan 40

With that command on the interface, configure EAC to send back the following attributes in either the Custom2 or Custom3 RADIUS attribute column:

    cisco-avpair=device-traffic-class=voice

The policy mapping should be similar to this:


Appendix C: IP Resolution Options

IP resolution for Cisco switches is typically done when a DHCP message is discovered via DHCP relay snooping. Sometimes, however, this can be expedited by configuring DHCP snooping on the Cisco switch. There have been problems in the past with DHCP snooping not working properly, so if an end system is not getting an IP even though it should be, the first thing you should remove is DHCP snooping.

To enable DHCP snooping, first enable it on all VLANs that will be snooped. Then enable it globally.

    ip dhcp snooping vlan 3-4,40,52,98
    ip dhcp snooping

After DHCP snooping is enabled globally, add the following command for the uplink port from which the DHCP server messages will arrive:

    ip dhcp snooping trust

Use this command to show the DHCP snooping configuration:

    show ip dhcp snooping

Use this command to show the DHCP snooping binding table:

    show ip dhcp snooping binding

Appendix D: Troubleshooting

When troubleshooting a Cisco switch, a few commands can be used to verify what is happening on it. The following command shows the output of the authenticated session. Note that the domain will be either VOICE or DATA depending on whether the cisco-avpair attribute was passed back. Also note the Filter-Id that is assigned.

    Cisco2960#show authentication sessions interface fa 0/4
    Interface: FastEthernet0/4
    MAC Address: aa.1d5f
    IP Address:
    User-Name: aa1d5f
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-auth
    Oper control dir: in
    Authorized By: Authentication Server
    Vlan Group: N/A
    Filter-Id: GuestAccess
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: C0A F1DDCA
    Acct Session ID: 0x
    Handle: 0xDA
    Runnable methods list:
    Method State
    dot1x Failed over
    mab Authc Success

You can use the following commands to enable debug logging on the switch.

    debug radius authentication
    debug dot1x all
    debug dot1x events
    debug dot1x errors
    debug epm all
    debug authentication all

You can use the following command to verify the port VLAN, both statically and dynamically assigned.

    show interfaces GigabitEthernet1/0/10 switchport

Revision History

Version  Date               Author
0.1      April 15, 2012     Massimiliano Macri, Enterasys Networks
0.2      February 27, 2013  Tyler Marcotte, Enterasys Networks
0.3      March 7, 2013      Tyler Marcotte, Enterasys Networks
0.4      August 10, 2017    Susan Verona, Larry Kunz, John Moore, Extreme Networks

Changes: Original draft. Changed format. Added more details around functionality and integration to EAC. Added note about restrictions of ACLs that are defined. Revised to update product brand names (NAC to EAC) and update procedures and screen shots to reflect product changes.

Terms and Conditions for Use

Extreme Networks reserves all rights to its materials and the content of the materials. No material provided by Extreme Networks to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, or incorporated into any other published work, except for internal use by the Partner and except as may be expressly permitted in writing by Extreme Networks.

This document and the information contained herein are intended solely for informational use. Extreme Networks makes no representation or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Extreme Networks hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Extreme Networks from any and all liability related in any way to this information. A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright Extreme Networks, Inc. All rights reserved. All information contained in this document is subject to change without notice.

For additional information refer to

END OF DOCUMENT


More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

Network Admission Control Agentless Host Support

Network Admission Control Agentless Host Support Network Admission Control Agentless Host Support Last Updated: October 10, 2012 The Network Admission Control: Agentless Host Support feature allows for an exhaustive examination of agentless hosts (hosts

More information

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1 , page 1 The feature provides a set of built-in policies at global configuration and interface configuration modes. This feature is available only in Class-Based Policy Language (CPL) control policy-equivalent

More information

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window 9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based

More information

P ART 3. Configuring the Infrastructure

P ART 3. Configuring the Infrastructure P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are

More information

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B FortiNAC Cisco Airespace Wireless Controller Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE

More information

Firewall Authentication Proxy for FTP and Telnet Sessions

Firewall Authentication Proxy for FTP and Telnet Sessions Firewall Authentication Proxy for FTP and Telnet Sessions Last Updated: January 18, 2012 Before the introduction of the Firewall Authentication Proxy for FTP and Telnet Sessions feature, users could enable

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Switch Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Switch Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: January 2017 Table of Contents Introduction 3 What is Cisco Identity Services

More information

Security Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL

Security Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL Security Commands aaa accounting dot1x, page 4 aaa accounting identity, page 6 aaa authentication dot1x, page 8 aaa authorization, page 9 aaa new-model, page 14 access-session mac-move deny, page 16 action,

More information

Configure to Secure a Flexconnect AP Switchport with Dot1x

Configure to Secure a Flexconnect AP Switchport with Dot1x Configure to Secure a Flexconnect AP Switchport with Dot1x Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Verify Troubleshoot Introduction This document describes

More information

Network Admission Control

Network Admission Control Network Admission Control Last Updated: October 24, 2011 The Network Admission Control feature addresses the increased threat and impact of worms and viruses have on business networks. This feature is

More information

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E FortiNAC Aerohive Wireless Access Point Integration Version 8.x 8/28/2018 Rev: E FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE BASE

More information

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) First Published: January 29, 2013 Last Modified: January 29, 2013 Americas Headquarters Cisco Systems,

More information

FortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B

FortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B FortiNAC HiPath Enterasys Siemens Extreme Wireless Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET

More information

ISE Express Installation Guide. Secure Access How -To Guides Series

ISE Express Installation Guide. Secure Access How -To Guides Series ISE Express Installation Guide Secure Access How -To Guides Series Author: Jason Kunst Date: September 10, 2015 Table of Contents About this Guide... 4 How do I get support?... 4 Using this guide... 4

More information

Lab 8.5.2: Troubleshooting Enterprise Networks 2

Lab 8.5.2: Troubleshooting Enterprise Networks 2 Lab 8.5.2: Troubleshooting Enterprise Networks 2 Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Fa0/0 192.168.10.1 255.255.255.0 N/A R1 Fa0/1 192.168.11.1 255.255.255.0

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

Cisco TrustSec How-To Guide: Monitor Mode

Cisco TrustSec How-To Guide: Monitor Mode Cisco TrustSec How-To Guide: Monitor Mode For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2 Introduction...

More information

802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example

802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example 802.1x EAP TLS with Binary Certificate Comparison from AD and NAM Profiles Configuration Example Document ID: 116018 Contributed by Michal Garcarz, Cisco TAC Engineer. Apr 09, 2013 Contents Introduction

More information

Configuring Security for the ML-Series Card

Configuring Security for the ML-Series Card 19 CHAPTER Configuring Security for the ML-Series Card This chapter describes the security features of the ML-Series card. This chapter includes the following major sections: Understanding Security, page

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

RADIUS Change of Authorization

RADIUS Change of Authorization The (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group

More information

Contents. Introduction

Contents. Introduction Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance

More information

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Wireless Controller Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: November 2015 Table of Contents Introduction... 3 What Is Cisco

More information

Network security session 9-2 Router Security. Network II

Network security session 9-2 Router Security. Network II Network security session 9-2 Router Security Network II Router security First line of defense of the network Compromise of a router can lead to many issues: Denial of network services Degrading of network

More information

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series Monitor Mode Deployment with Cisco Identity Services Engine Secure Access How -To Guides Series Author: Adrianne Wang Date: December 2012 Table of Contents Monitor Mode... 3 Overview of Monitor Mode...

More information

Per-User ACL Support for 802.1X/MAB/Webauth Users

Per-User ACL Support for 802.1X/MAB/Webauth Users Per-User ACL Support for 802.1X/MAB/Webauth Users This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X,

More information

IEEE 802.1X VLAN Assignment

IEEE 802.1X VLAN Assignment The feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo Vendor: Cisco Exam Code: 642-737 Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0 Version: Demo QUESTION 1 Which statement describes the major difference between PEAP and EAP-FAST

More information

Central Web Authentication on the WLC and ISE Configuration Example

Central Web Authentication on the WLC and ISE Configuration Example Central Web Authentication on the WLC and ISE Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure WLC Configuration ISE Configuration Create the Authorization

More information

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION CCNPv7.1 SWITCH Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION Topology Objectives Background Secure the server farm using private VLANs. Secure the staff VLAN from the student VLAN. Secure the

More information

Configuring RADIUS Servers

Configuring RADIUS Servers CHAPTER 7 This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control over

More information

MS Switch Access Policies (802.1X) Host Modes

MS Switch Access Policies (802.1X) Host Modes MS Switch Access Policies (802.1X) Cisco Meraki MS switches offer the ability to configure access policies, which require connecting devices to authenticate against a RADIUS server before they are granted

More information

Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T

Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Last revised: February 1, 2008 Contents Overview section on page 1 Configuring Guest Access on the Cisco Wireless

More information

Integrating Meraki Networks with

Integrating Meraki Networks with Integrating Meraki Networks with Cisco Identity Services Engine Secure Access How-To guide series Authors: Tim Abbott, Colin Lowenberg Date: April 2016 Table of Contents Introduction Compatibility Matrix

More information

Configuring ISG Policies for Automatic Subscriber Logon

Configuring ISG Policies for Automatic Subscriber Logon Configuring ISG Policies for Automatic Subscriber Logon Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to

More information

CCNP Switch Questions/Answers Securing Campus Infrastructure

CCNP Switch Questions/Answers Securing Campus Infrastructure What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 37 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example

Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example Document ID: 116838 Contributed by Michal Garcarz, Cisco TAC Engineer. Nov 26, 2013 Contents

More information

2012 Cisco and/or its affiliates. All rights reserved. 1

2012 Cisco and/or its affiliates. All rights reserved. 1 2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access

More information

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 Configuration of RFS4000 version 5.5.1.0-017R version 2.3 ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" permit udp any eq 67

More information

Application Notes for Enterasys Secure Networks Dynamic Intrusion Response Solution in an Avaya IP Telephony Infrastructure - Issue 1.

Application Notes for Enterasys Secure Networks Dynamic Intrusion Response Solution in an Avaya IP Telephony Infrastructure - Issue 1. Avaya Solution & Interoperability Test Lab Application Notes for Enterasys Secure Networks Dynamic Intrusion Response Solution in an Avaya IP Telephony Infrastructure - Issue 1.0 Abstract These Application

More information

Brocade FastIron Flexible Authentication

Brocade FastIron Flexible Authentication 18 December 2015 Brocade FastIron Flexible Authentication Deployment Guide Supporting FastIron 08.0.40 2015, Brocade Communications Systems, Inc. All Rights Reserved. ADX, Brocade, Brocade Assurance, the

More information

Enterasys. Design Guide. Network Access Control P/N

Enterasys. Design Guide. Network Access Control P/N Enterasys Network Access Control Design Guide P/N 9034385 Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site

More information

RADIUS Packet of Disconnect

RADIUS Packet of Disconnect First Published: March 19, 2001 Last Updated: October 2, 2009 The feature is used to terminate a connected voice call. Finding Feature Information Your software release may not support all the features

More information

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2

TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2 HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS Version 2 CONTENTS Introduction... 7 Background information... 7 Requirements... 7 Network diagram... 7 VLANs... 8 Switch configuration... 8 Initial setup...

More information

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS - 802.1x Tim Rowley CCIE#25960, CCSI#33858, CISSP What is it? Components Basic Operation Basic Configuration Advanced Features and Configuration Verification

More information

Cisco Virtual Office: Easy VPN Deployment Guide

Cisco Virtual Office: Easy VPN Deployment Guide Cisco Virtual Office: Easy VPN Deployment Guide This guide provides detailed design and implementation information for deployment of Easy VPN in client mode with the Cisco Virtual Office. Please refer

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 39 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Identity Services Engine Guest Portal Local Web Authentication Configuration Example Identity Services Engine Guest Portal Local Web Authentication Configuration Example Document ID: 116217 Contributed by Marcin Latosiewicz, Cisco TAC Engineer. Jun 21, 2013 Contents Introduction Prerequisites

More information

Configuring Hybrid REAP

Configuring Hybrid REAP 13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,

More information

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard

More information

Catalyst 4500 Series IOS Commands

Catalyst 4500 Series IOS Commands CHAPTER Catalyst 4500 Series IOS Commands New Commands dot1x guest-vlan supplicant ip dhcp snooping information option allow-untrusted port-security mac-address port-security mac-address sticky port-security

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?

More information

CounterACT Wireless Plugin

CounterACT Wireless Plugin CounterACT Wireless Plugin Version 1.7.0 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 5 How It Works... 6 About WLAN Controller/Lightweight Access Points...

More information

aaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M.

aaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M. aaa max-sessions aaa max-sessions To set the maximum number of simultaneous authentication, authorization, and accounting (AAA) connections permitted for a user, use the aaa max-sessions command in global

More information

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,

More information

Forescout. Configuration Guide. Version 4.2

Forescout. Configuration Guide. Version 4.2 Forescout Version 4.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Configuring IEEE 802.1X Port-Based Authentication

Configuring IEEE 802.1X Port-Based Authentication CHAPTER 44 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. Note For complete syntax and usage

More information

Wireless Integration Overview

Wireless Integration Overview Version: 4.1.1 Date: 12/28/2010 Copyright Notice Copyright 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

NAC: LDAP Integration with ACS Configuration Example

NAC: LDAP Integration with ACS Configuration Example NAC: LDAP Integration with ACS Configuration Example Document ID: 107285 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configuration Flow Chart Diagram

More information

Deploying Cisco ISE for Guest Network Access

Deploying Cisco ISE for Guest Network Access Deploying Cisco ISE for Guest Network Access Jason Kunst September 2018 Table of Contents Introduction... 4 About Cisco Identity Services Engine (ISE)... 4 About This Guide... 4 Define... 6 What is Guest

More information

CounterACT 802.1X Plugin

CounterACT 802.1X Plugin CounterACT 802.1X Plugin Version 4.2.0 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT 802.1X Plugin... 6 About This Document... 7 802.1X Plugin Components...

More information

ForeScout CounterACT. Configuration Guide. Version 1.8

ForeScout CounterACT. Configuration Guide. Version 1.8 ForeScout CounterACT Network Module: Wireless Plugin Version 1.8 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 6 How It Works... 6 About WLAN Controller/Lightweight

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs

Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs Contents Introduction Prerequisites Requirements Components Used DNS Based ACL Process Flow Configure WLC Configuration

More information

Catalyst 4500 Series IOS Commands

Catalyst 4500 Series IOS Commands CHAPTER Catalyst 4500 Series IOS Commands New Commands call-home (global configuration) call-home request call-home send call-home send alert-group call-home test clear energywise neighbors clear errdisable

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

Nortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision:

Nortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision: Release: 6.1 Document Revision: 05.01 www.nortel.com NN47200-501. . Release: 6.1 Publication: NN47200-501 Document release date: 20 May 2009 While the information in this document is believed to be accurate

More information