WHITE PAPER: 802.1X PORT AUTHENTICATION WITH MICROSOFT'S ACTIVE DIRECTORY


Written By: Philip Kwan, March 2003. Foundry Networks, Inc.

Summary

Microsoft's Active Directory service is one of the most popular authentication directories in use today. This white paper describes Foundry's 802.1X Port Authentication feature and how it works with Microsoft's IAS server to create a seamless authentication environment for Active Directory installations.

Contents

NOMENCLATURE ... 3
RELATED PUBLICATIONS ... 3
TRADEMARKS ... 3
802.1X PORT AUTHENTICATION BASICS ... 4
MICROSOFT'S IAS SERVER ... 5
SAMPLE IAS INSTALLATION ... 5
IAS INSTALLATION PROCEDURE ... 6
CONFIGURING 802.1X PORT AUTHENTICATION ... 13
OTHER 802.1X COMMANDS ... 14
MULTIPLE HOST SITUATIONS ... 14
CONFIGURING WINDOWS CLIENTS ... 15
TESTING THE CLIENT CONNECTION ... 16
ADDITIONAL TIPS ... 17
OTHER 802.1X CLIENTS TESTED ... 17
CONFIGURING FOUNDRY'S DYNAMIC VLAN FEATURE ... 18
CONFIGURING VLAN GROUPS ... 19
CONFIGURING REMOTE ACCESS POLICIES ... 19
CREATING PORT-BASED VLANS ... 24
TESTING THE DYNAMIC VLAN FEATURE ... 24

Disclaimer

Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting Microsoft's IAS and Active Directory services. Refer to Microsoft Corporation for complete installation guidelines and product information regarding Microsoft components mentioned in this white paper.

Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting Meetinghouse's AEGIS Windows and MAC OS clients. Refer to Meetinghouse Data Communications for complete installation guidelines and product information regarding AEGIS 802.1X clients mentioned in this white paper.

Nomenclature

This guide uses the following typographical conventions to show information:
o Italic highlights the title of another publication and occasionally emphasizes a word or phrase.
o Bold highlights a CLI command.
o Bold Italic highlights a term that is being defined.
o Underline highlights a link on the Web management interface.
o Capitals highlights field names and buttons that appear in the Web management interface.

NOTE: A note emphasizes an important fact or calls your attention to a dependency.

Related Publications

The following Foundry Networks documents supplement the information in this guide.
o Foundry Security Guide - provides procedures for securing management access to Foundry devices and for protecting against Denial of Service (DoS) attacks.
o Foundry Enterprise Configuration and Management Guide - provides configuration information for enterprise routing protocols including IP, RIP, IP multicast, OSPF, BGP4, VRRP and VRRPE.
o Foundry Switch and Router Command Line Interface Reference - provides a list and syntax information for all the Layer 2 Switch and Layer 3 Switch CLI commands.

Trademarks

Microsoft Windows 2000, Microsoft Windows XP, Microsoft Internet Authentication Service, and Microsoft Active Directory are trademarks or registered trademarks of Microsoft Corporation. AEGIS Client is a trademark or registered trademark of Meetinghouse Data Communications. Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other trademarks are the properties of their respective owners.

802.1X Port Authentication Basics

Foundry's implementation of 802.1X Port Authentication is based on a series of standards:
o RFC 2284 PPP Extensible Authentication Protocol (EAP)
o RFC 2865 Remote Authentication Dial In User Service (RADIUS)
o RFC 2869 RADIUS Extensions

Three components are used to create an authentication mechanism based on the 802.1X standards: the Client/Supplicant, the Authenticator, and the Authentication Server.

Client/Supplicant
The client, or supplicant, is the device that needs to be authenticated to the network. It supplies the username and password information to the Authenticator. The client uses the Extensible Authentication Protocol (EAP) to talk to the Authenticator.

Authenticator
The Authenticator is the Foundry device performing the 802.1X port security; it controls access to the network. The Authenticator receives the username and password information from the client, passes it on to the Authentication Server, and performs the necessary block or permit action based on the results from the Authentication Server. The Authenticator uses RADIUS to speak to the Authentication Server.

Authentication Server
The Authentication Server validates the username and password information from the Client and specifies whether or not access is granted. The Authentication Server may also specify optional parameters to control things such as VLAN access. Foundry's 802.1X implementation currently supports standard RADIUS Authentication Servers.

802.1X Clients use the Extensible Authentication Protocol (EAP) and EAP Over LAN (EAPOL) to encapsulate the communications between the Client and Authenticator. The Authenticator uses RADIUS to communicate with the Authentication Server. Before the Client is authenticated, the network port is set to the uncontrolled (unauthorized) state and only allows EAPOL authentication traffic between the Client and the Authentication Server. All other normal data traffic is blocked. When the client authentication is complete and access is granted, the controlled port is set to the authorized state to grant full network access.

Figure 1. Port Authentication Process

If a non-802.1X client is connected to an 802.1X-protected port, the client will not recognize the EAPOL polling traffic from the Authenticator and authentication will fail. The client will not be granted network access.

If an 802.1X EAP-MD5 enabled client is connected to a non-802.1X port, it will attempt to send an EAP start frame to the Foundry device. When the device doesn't respond to the EAP packet, the client considers the port to be authorized and starts sending normal traffic.

By default, Foundry devices place all ports in the authorized state, allowing full network access. When Port Authentication security is implemented, all 802.1X-enabled ports are switched to the unauthorized state to prevent full network access. Foundry devices support the EAP-MD5 standard between the client and the device.

NOTE: For more information on Foundry's implementation of 802.1X, please refer to the following resource: 802.1X White Paper:

Microsoft's IAS Server

Internet Authentication Service (IAS) is Microsoft's implementation of Remote Authentication Dial-in User Service (RADIUS). It is used to accept RADIUS authentication requests from RADIUS clients, such as Foundry's network switches, and to validate the remote user's credentials against an Active Directory domain controller. In addition to authentication services, IAS can also perform authorization, auditing and accounting for user connections.

NOTE: For more information on Microsoft's Internet Authentication Service (IAS), please refer to the following Microsoft site:

Sample IAS Installation

The following procedures were used to install Microsoft IAS on a Windows 2000 Advanced Server running as an Active Directory Domain Controller. You will need at least one Windows 2000 Active Directory server to authenticate client users. For this example, IAS was installed onto the Domain Controller server running the Active Directory database to provide seamless operation between IAS and Active Directory.

By installing IAS on each Active Directory Domain Controller, redundancy and load balancing can be achieved with Foundry 802.1X Port Authentication. Multiple IAS authentication servers can be configured on each Foundry device. If multiple IAS servers are defined, the Foundry device will authenticate against them in the order they were added.

For complete IAS installation instructions, please refer to the following Microsoft web site: server/sag_ias_install.asp

IAS Installation Procedure

Perform the following steps to install Microsoft IAS and configure it for use with Foundry's 802.1X Port Authentication.

Step 1: If you do not already have an Active Directory environment set up, you will need to install a Windows 2000 server and configure Active Directory on at least one server. Make sure your DNS servers are set up correctly to function with Active Directory.

Step 2: Install the Microsoft IAS service onto the Domain Controller running Active Directory. IAS can be found on your Windows 2000 Server CD. From Control Panel go to Add/Remove Windows Components. Select the Networking Services option and click on the Details button to add a new network service. Select the Internet Authentication Service component to install.

Figure 2. Installing IAS on Windows 2000 Server

Step 3: Install the latest Service Pack for Windows 2000 Server. Also apply any updates for IAS and 802.1X that may be required. This step is very critical. From Microsoft's home page, select the Downloads option from the Resources section and search for all 802.1X patches using 802.1X as the search criteria for all products. At the time of this writing (March 3, 2003), the following patch was available:

Windows 2000 Patch: Using 802.1X Authentication on Computers Running Windows 2000
File Name: Q313664_W2K_SP4_X86_EN.exe

Step 4: With IAS installed and all the latest service packs and patches applied, the next step is to enable IAS to work with Active Directory. To register IAS in the default domain, perform the following steps:
o Log in to the IAS server with administrative rights.
o Open the IAS management screen from the Programs/Administrative Tools/Internet Authentication Service menu option. You can also add it to your MMC management console to make it easier to access.
o Right-click on Internet Authentication Service, and select Register Server In Active Directory to enable IAS to work with Active Directory.

Figure 3. Registering IAS in Active Directory

Step 5: The next step is to set up the RADIUS server parameters. From the IAS management screen, perform the following steps:
o Right-click on Internet Authentication Service, and select Properties.
o On the Service tab, select both log options to record successful and unsuccessful authentication attempts.
o On the RADIUS tab, set the UDP ports that will be used to communicate with the Foundry devices. For this example, we will use the following ports:
  o Authentication port: 1812
  o Accounting port: 1813

Figure 4. Service Tab Log Settings

Figure 5. RADIUS Tab Port Settings

Step 6: Define the IAS RADIUS clients that will authenticate to this IAS server. This will include all the Foundry devices that will be supporting 802.1X client authentication. Create a new IAS client entry for each Foundry device. Foundry devices can also have multiple IAS RADIUS servers defined to eliminate single points of failure.
o From the IAS management screen, right-click on Clients and select New Client.
o Enter the name of the device to give it a Friendly Name and select RADIUS as the protocol.
o Enter the IP Address or DNS Name of the Foundry device, select RADIUS Standard as the Client Vendor, check the Client must always send the signature attribute in the request option, and enter the shared secret that will be used to identify the Foundry device. This secret must be the same string used on the Foundry device to define the RADIUS server.

Figure 6. Adding IAS Clients (Foundry Devices)
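The "signature attribute" that this step makes mandatory is the RADIUS Message-Authenticator of RFC 2869: an HMAC-MD5 over the entire Access-Request, keyed with the shared secret and computed with the attribute's own 16 value bytes set to zero. The Python below is an added example, not code from this white paper, from Foundry or from Microsoft. It builds a minimal Access-Request the way an authenticator would and shows the check an authentication server performs before trusting the request; the user name, NAS address, port and request authenticator are constructed sample values, and the secret reuses the string from the paper's CLI example.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865 and RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Request Authenticator


def encode_attr(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Build an Access-Request carrying a Message-Authenticator.

    RFC 2869 section 5.14: the value is HMAC-MD5(secret, packet), where the
    packet already contains the attribute with its value temporarily zeroed.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    ma_value_offset = HEADER_LEN + len(body) + 2   # skip the attribute's Type and Length bytes
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = bytearray(header + request_authenticator + body)
    packet[ma_value_offset:ma_value_offset + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet):
    """Server-side check: True only if the Message-Authenticator matches `secret`.

    A request without the attribute is rejected, which is what the IAS client
    option "Client must always send the signature attribute" enforces.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False                      # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)   # constant-time comparison
        pos += attr_len
    return False


# Constructed sample: a switch (NAS) forwarding an EAP Response/Identity for user "jdoe".
SAMPLE_SECRET = b"mysecretpassword"          # same string as the white paper's CLI example
SAMPLE_REQUEST_AUTH = bytes(range(16))       # a real NAS uses 16 random bytes per request
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"jdoe"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (ATTR_NAS_PORT, (49).to_bytes(4, "big")),
    (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 9, 1]) + b"jdoe"),   # EAP code 2 (Response), id 1, len 9, type 1 (Identity)
]
SAMPLE_PACKET = build_access_request(SAMPLE_SECRET, 7, SAMPLE_REQUEST_AUTH, SAMPLE_ATTRS)


def tampered(packet):
    """Flip one bit of the User-Name value so the HMAC no longer matches."""
    p = bytearray(packet)
    p[HEADER_LEN + 2] ^= 0x01                # first byte of the User-Name value
    return bytes(p)


if __name__ == "__main__":
    print("valid secret  :", verify_message_authenticator(SAMPLE_SECRET, SAMPLE_PACKET))
    print("wrong secret  :", verify_message_authenticator(b"wrong", SAMPLE_PACKET))
    print("tampered body :", verify_message_authenticator(SAMPLE_SECRET, tampered(SAMPLE_PACKET)))
```

Without this attribute an Access-Request is protected only by the 16-byte Request Authenticator, which is not keyed, so a device that accepts requests lacking it cannot tell a genuine switch from anything else that knows a NAS address; requiring the attribute ties every request to the shared secret configured in this step.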

Step 7: Create a Remote Access Policy to govern access.
o From the IAS management screen, right-click on Remote Access Policies and select New Remote Access Policy.
o Enter a Policy Friendly Name to describe the policy.
o Select the Attribute Type to regulate access with. The one that makes the most sense for Foundry 802.1X Port Authentication is Day-and-Time-Restriction. Set the days and times that users are allowed to authenticate. This example allowed all days and times.

Figure 7. Access Policy With Day-And-Time Restriction

o Once all of the conditions have been added (our example only uses the Day-And-Time-Restriction condition), click on the Next button to proceed.
o On the Add Remote Access Policy Permission screen, select Grant remote access permission and click on the Next button to proceed.
o On the Add Remote Access Policy User Profile screen, click on the Edit Profile button.

Figure 8. Granting Permission

o On the Edit Dial-In Profile screen, select the Authentication tab and check the Extensible Authentication Protocol option. From the EAP type drop-down box, select the MD5-Challenge option to support the Foundry devices. Uncheck all other authentication types listed under the drop-down box.
o On the Edit Dial-In Profile screen, select the Encryption tab and check the Strongest encryption option. This step is not required for EAP-MD5, but is performed as a safeguard to ensure that weaker encryption options are not used in the future.
o On the Edit Dial-In Profile screen, select the IP tab and check Client may request an IP address to support DHCP.
o Click on the OK button and then the Finish button to complete the Policy.

Figure 9. Setting EAP Type

Figure 10. Setting Encryption Level

Step 8: Turn on Remote Access Logging.
o From the IAS management screen, select the Remote Access Logging option.
o On the right pane, right-click the Local File and select Properties.
o Under the Settings tab, select the desired logging features.
o Under the Local File tab, make sure the Log File Format is set to IAS Format and set the duration to keep the log entries for.

Figure 11. Setting Up Logging Features

Figure 12. Setting Log Format & Size

Step 9: Configure passwords to be stored in reversible encrypted format to support EAP-MD5. This step is required due to the way passwords are handled using EAP-MD5.
o From the Active Directory Users and Computers menu option, right-click the name of your Active Directory domain and select Properties.
o From the Properties screen, select the Group Policy tab.
o Highlight the Default Domain Policy and click on the Edit button.
o Under the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy tree, set Store password using reversible encryption to Enabled.

Figure 13. Enabling Password Reversible Encryption for MD5 Support

Step 10: Create the Active Directory User Accounts that will be used by each user to authenticate to the network. One user account will need to be created for each person authenticating to Active Directory. For installations that have existing Active Directory User Accounts, perform the configuration outlined in Step 11 for each existing user account.

Step 11: Enable Dial-In access and Password Reversible Encryption for user accounts.
o After the account is created, double-click on the user account to display the user account Properties.
o Under the Dial-In tab, click on the Allow Access radio button for Remote Access Permission.
o Under the Account tab, check the Store password using reversible encryption option.

NOTE: If your Active Directory is already populated with existing user accounts, you must reset the passwords after completing Step 11 to activate the Reversible Encrypted Password Format configured in Step 9 and Step 11. This can be accomplished by having each user change the password for their Active Directory user account, or by the system administrator. For new accounts created in Step 10, the passwords will have the reversible encryption feature set due to the configuration changes made in Step 9.

Figure 14. Granting Dial-in Access

Figure 15. Setting Password Reversible Encryption
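Steps 9 and 11 require reversible storage because EAP-MD5 is a challenge-response exchange: the client answers with MD5(Identifier || password || Challenge), the CHAP computation of RFC 1994 that RFC 2284 adopts for the MD5-Challenge type, and the server can only recompute that value if it can recover the password bytes; a one-way hash of the password is useless for it. The Python below is an added example, not code from this white paper or from IAS. It models the server side of the exchange against a reversibly stored password, with a fresh random challenge per attempt; the user name and password are constructed sample values.

```python
import hashlib
import hmac
import os


def new_challenge(length=16):
    """Server side: a fresh random challenge for every EAP-MD5 round."""
    return os.urandom(length)


def eap_md5_response(identifier, password, challenge):
    """Supplicant side (RFC 2284 MD5-Challenge, RFC 1994 CHAP):
    Response Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class ReversiblePasswordStore:
    """Stand-in for the Active Directory 'store password using reversible
    encryption' setting (constructed for this example): the server can get the
    password bytes back, which is exactly what EAP-MD5 verification needs."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, user, password):
        self._passwords[user] = bytes(password)

    def verify_eap_md5(self, user, identifier, challenge, response):
        """Recompute the expected response from the stored password and compare."""
        password = self._passwords.get(user)
        if password is None:
            return False                      # unknown account
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


def simulate_exchange(store, user, supplied_password, identifier=1):
    """One complete round: server challenge, client response, server verdict."""
    challenge = new_challenge()
    response = eap_md5_response(identifier, supplied_password, challenge)
    return store.verify_eap_md5(user, identifier, challenge, response)


# Constructed sample account.
SAMPLE_STORE = ReversiblePasswordStore()
SAMPLE_STORE.set_password("jdoe", b"Sample-Passw0rd")

if __name__ == "__main__":
    print("correct password:", simulate_exchange(SAMPLE_STORE, "jdoe", b"Sample-Passw0rd"))
    print("wrong password  :", simulate_exchange(SAMPLE_STORE, "jdoe", b"guess"))
    print("unknown user    :", simulate_exchange(SAMPLE_STORE, "nobody", b"Sample-Passw0rd"))
```

The random challenge is what keeps a captured response from being replayed against a later round, so the server must never reuse one. The trade-off of this method is that the directory holds recoverable passwords; the per-account option in Step 11 limits the setting to the accounts that authenticate this way, which is preferable to relying on the domain-wide policy of Step 9 alone.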

Configuring 802.1X Port Authentication

Foundry devices support up to eight RADIUS servers and authenticate against them in the order they were added to the device's configuration. To configure a Foundry device to support 802.1X Port Authentication, the following procedures are required:
o Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s) (RADIUS, IAS, etc.).
o Configure the Foundry device to act as the Authenticator.
o Configure the Foundry device's interaction with the Client device (optional step).

Step 1: Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more RADIUS, IAS, or other authentication servers.

Syntax: [no] aaa authentication dot1x default <radius | none>

    BigIron(config)# aaa authentication dot1x default radius

Configure the device to use one or multiple RADIUS, IAS, or other authentication servers. Set the authentication and accounting port numbers to match the RADIUS server's settings and specify the secret key used to authenticate to the RADIUS server. The secret key string must be identical to the secret key string used on the authentication server.

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number> default key <string> dot1x]

    BigIron(config)# radius-server host auth-port 1812 acct-port 1813 default key mysecretpassword dot1x
    BigIron(config)# radius-server host auth-port 1812 acct-port 1813 default key mysecretpassword dot1x

Step 2: Enable the 802.1X authentication feature on the Foundry device and enable the necessary ports for 802.1X Port Authentication. This enables the Foundry device to act as an 802.1X Authenticator.

Syntax: [no] dot1x-enable

    BigIron(config)# dot1x-enable

To configure 802.1X for individual ports, use the enable command with the port number. A range can also be specified to speed up the configuration. Be careful not to add any uplink ports or ports for critical servers that do not require 802.1X Port Authentication; otherwise, access to these hosts may be lost.

    BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
    BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
    BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
    BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
    BigIron(config-dot1x)# write memory

Step 3: For all interfaces using 802.1X authentication, set the port control mode to force-authorized, force-unauthorized, or auto. Auto leaves the controlled port in unauthorized mode until the RADIUS server validates the authentication.

    BigIron(config)# interface e 3/1
    BigIron(config-if-3/1)# dot1x port-control auto

The switch is now enabled for 802.1X Port Authentication. Make sure the RADIUS server is properly configured to authenticate each user.

Other 802.1X Commands

Some other important 802.1X commands and options include:

Syntax: show dot1x
Displays 802.1X configuration information.

Syntax: show dot1x config <portnum>
Displays detailed 802.1X configuration for a port.

Syntax: show dot1x statistics <portnum>
Displays 802.1X statistics for a port.

Syntax: clear dot1x statistics all | <portnum>
Clears 802.1X statistics for all ports or for a specific port.

Multiple Host Situations

Foundry's 802.1X Port Authentication defaults to one device per port. For installations that use more than one host per 802.1X-enabled port, the following commands should be reviewed.

Syntax: [no] dot1x multiple-hosts
Allows multiple hosts on an 802.1X-enabled port.

Syntax: [no] timeout security-hold-time <seconds>
Defines the amount of time the port is locked when multiple hosts are detected on a port configured for only one host. The default is 60 seconds.

If the multiple-hosts option is used, the port will allow multiple devices to access the network once the first 802.1X client authenticates successfully. When the authenticated client logs off the network and terminates the authenticated session, the port will deny access to the remaining hosts. Another client must authenticate successfully to enable the port for multiple-host access again.

NOTE: For more information on MAC Address Locking and 802.1X authentication, refer to the Foundry Switch and Router Command Line Interface Reference and the Foundry Security Guide.

Configuring Windows Clients

At the time of this writing (March 2003), Foundry Networks has tested its 802.1X Port Authentication with the following clients:
o Microsoft Windows 2000 Professional, English version (must have SP3 and the Q313664_W2K_SP4_X86_EN.exe patch)
o Microsoft Windows XP, English version (with SP1)

After the installation of the required service packs and/or patches, Windows 2000 clients will have the necessary files to support 802.1X EAP-MD5 authentication. Windows XP clients include 802.1X natively but must have SP1 to work with DHCP properly.

Perform the following steps to configure the Windows client for 802.1X EAP-MD5 support:

Step 1: Open the Properties window for your Ethernet network connection. With 802.1X support installed, you should see the Authentication tab. Check the Enable network access control using IEEE 802.1X box. Select the proper EAP type by selecting MD5-Challenge from the EAP drop-down box. The Authenticate as computer when computer information is available selection is optional. Click the OK button when all the selections have been made to save the changes.

Figure 16. Setting Client EAP Type

To simplify the authentication process, enable the Show icon in taskbar when connected option from the General tab. For Windows XP clients, this allows the balloon help feature to display prompts for entering authentication information and to provide error messages for failed authentication attempts. Reboot the client if necessary.

Figure 17. Enabling Taskbar Icon

Testing The Client Connection

To test the Windows client, connect the device to the Foundry device's 802.1X-enabled port. After a short period, the port and the client's NIC will synchronize and the 802.1X EAP-MD5 authentication process will begin. As the client completes its synchronization process, the Network Icon in the task bar will show the Local Area Connection speed. The EAP-MD5 port authentication process will begin and the user will be prompted to enter their Local Area Connection credentials (username and password). Enter the User Name and Password required to authenticate to the IAS Active Directory server. The Logon Domain information is not required.

Figure 18. Local Area Connection Credential Request

If the IAS Active Directory server validated the authentication credentials entered, the client is allowed onto the network. If the Active Directory server did not validate the authentication credentials, a message similar to the following will be displayed:

Figure 19. Failed 802.1X Authentication Message

The EAP-MD5 authentication will time out and the user will be prompted for their authentication credentials again.

Additional Tips

If the attempt to obtain a DHCP address fails due to a timing issue (the authentication process was not successful before the DHCP request timed out), the client may not have a proper DHCP address. Once authentication is successful and a network connection is granted by the Foundry device, Windows 2000 Professional (SP3 with all 802.1X patches) and Windows XP (SP1) clients should renegotiate a DHCP address with the DHCP server after a short period of time. If this is not the case, you can manually release and renew the DHCP address with the following command line commands:

    C:\> ipconfig /release
    C:\> ipconfig /renew

These commands can also be placed in a batch file on the desktop to speed the process of renewing a DHCP address. An example of the batch file commands is:

    ipconfig /release
    ipconfig /renew
    pause
    exit

If you need to manually trigger the Local Area Connection authentication prompt, temporarily disconnect the network cable from the client for 10 seconds and then reattach it. This will trigger a new EAP-MD5 authentication process and allow the user to enter the authentication credentials again.

Other 802.1X Clients Tested

At the time of this writing, Foundry Networks has also tested the following 802.1X EAP-MD5 clients:
o AEGIS Windows Client version from Meetinghouse Data Communications. The AEGIS Windows Client offers a single sign-on solution. For more information on this client, visit:
o AEGIS MAC OS Client version from Meetinghouse Data Communications. For more information on this client, visit:

Configuring Foundry's Dynamic VLAN Feature

With software release , a new feature called Dynamic VLAN Assignment is supported with Foundry's 802.1X Port Authentication. Dynamic VLAN Assignment allows network administrators to assign a specific VLAN to an individual's Windows User Account. When the individual successfully authenticates to the network using 802.1X Port Authentication, they are automatically placed into their respective VLAN.

NOTE: This feature is supported on port-based VLANs only. This feature cannot be used to place an 802.1X-enabled port into a Layer 3 protocol VLAN. For more information on Foundry's 802.1X Dynamic VLAN Assignment feature, refer to the Foundry Switch and Router Command Line Interface Reference and Release Notes.

Foundry uses the following standard RADIUS attributes returned from Microsoft's IAS RADIUS service to place the port into the proper VLAN:

Attribute Name             Type   Value
Tunnel-Type                       (decimal) VLAN
Tunnel-Medium-Type                (decimal) 802
Tunnel-Private-Group-ID    081    <vlan-name> (string): either the name or the number of a VLAN configured on the Foundry device

The following occurs under Dynamic VLAN Assignment:
1. When the user enters their 802.1X credentials, the Foundry device sends the information to the IAS server using the RADIUS protocol.
2. The Remote Access Policies on the IAS server are used to determine if the user's account is a member of a particular VLAN Group. If the user account is part of a VLAN Group and the authentication is successful, the VLAN ID associated with the VLAN Group is sent back to the Foundry device using the RADIUS Tunnel-Private-Group-ID attribute.
3. The port on the Foundry device is dynamically assigned to the VLAN matching the VLAN ID and the user becomes a member of the Port-Based VLAN.

Conditions that may trigger an unsuccessful authentication and/or Dynamic VLAN assignment include:
o If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message do not have the values specified above, the Foundry device will ignore the three Attribute-Value pairs. If the authentication credentials supplied were valid, the Foundry device authorizes the port, but the port is not dynamically placed in a VLAN. Otherwise, the client is not authorized.
o If the Tunnel-Type and the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message have the values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client will not be authorized.
o When the Foundry device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks its VLANs for a match using both the name and the numeric ID. If there is a match, the port is placed in the VLAN whose ID corresponds to the VLAN Name or ID. If there is no match, the client is not authorized.
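The Python below is an added example, not code from this white paper or from Foundry. It encodes the three tunnel attributes in the RFC 2868 wire format (a tag byte followed by the value) and applies the decision rules just listed to a parsed RADIUS reply: a mismatched Tunnel-Type or Tunnel-Medium-Type leaves the port authorized without a VLAN, a missing Tunnel-Private-Group-ID or an unmatched VLAN name or number leaves the client unauthorized, and a match places the port in that VLAN. The attribute numbers (Tunnel-Type = 64, Tunnel-Medium-Type = 65, Tunnel-Private-Group-ID = 81) and enumerations (VLAN = 13, IEEE 802 = 6) are taken from RFC 2868 rather than from this copy of the paper, whose table lost those cells; the switch VLAN table is a constructed sample.

```python
import struct

# RADIUS reply codes and the RFC 2868 tunnel attributes used for dynamic VLAN assignment.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "802"
HEADER_LEN = 20


def tagged_integer(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, value, tag=0):
    """RFC 2868 tagged string: Type, Length, Tag, string bytes."""
    return bytes([attr_type, 3 + len(value), tag]) + value


def build_reply(code, identifier, attrs):
    """Assemble a reply packet. The Response Authenticator is left zeroed because
    only attribute handling is demonstrated here."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + bytes(16) + body


def parse_attrs(packet):
    """Return [(type, value_bytes), ...] from a RADIUS packet."""
    attrs, pos = [], HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def untag_integer(value):
    """Tag byte plus 3-byte integer; anything else is treated as absent."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None


def untag_string(value):
    """RFC 2868 section 3.6: a leading byte of 0x00-0x1F is a tag, otherwise it is data."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")


def port_decision(packet, switch_vlans):
    """Apply the rules from the text. switch_vlans maps VLAN name -> numeric ID for
    the port-based VLANs on the device. Returns (authorized, vlan_id); vlan_id is
    None when the port is authorized without a dynamic VLAN."""
    if packet[0] != ACCESS_ACCEPT:
        return (False, None)                       # credentials rejected by the server
    found = dict(parse_attrs(packet))
    tunnel_type = untag_integer(found.get(ATTR_TUNNEL_TYPE, b""))
    medium = untag_integer(found.get(ATTR_TUNNEL_MEDIUM_TYPE, b""))
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return (True, None)                        # the three AV pairs are ignored; no VLAN placement
    if ATTR_TUNNEL_PRIVATE_GROUP_ID not in found:
        return (False, None)                       # type and medium correct but no group ID
    group = untag_string(found[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    for name, vid in switch_vlans.items():
        if group == name or group == str(vid):     # match on either VLAN name or numeric ID
            return (True, vid)
    return (False, None)                           # no such VLAN on this device


def vlan_accept(identifier, group_id, tunnel_type=TUNNEL_TYPE_VLAN, medium=TUNNEL_MEDIUM_IEEE_802):
    """The Access-Accept an IAS VLAN Group policy returns; group_id=None omits the attribute."""
    attrs = [tagged_integer(ATTR_TUNNEL_TYPE, tunnel_type),
             tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, medium)]
    if group_id is not None:
        attrs.append(tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, group_id))
    return build_reply(ACCESS_ACCEPT, identifier, attrs)


# Constructed sample: port-based VLANs configured on the switch (name -> ID).
SWITCH_VLANS = {"ENGINEERING": 10, "SALES": 20}

if __name__ == "__main__":
    print(port_decision(vlan_accept(1, b"10"), SWITCH_VLANS))            # (True, 10)
    print(port_decision(vlan_accept(2, b"SALES"), SWITCH_VLANS))         # (True, 20)
    print(port_decision(vlan_accept(3, b"10", tunnel_type=1), SWITCH_VLANS))  # (True, None)
    print(port_decision(vlan_accept(4, None), SWITCH_VLANS))             # (False, None)
    print(port_decision(vlan_accept(5, b"99"), SWITCH_VLANS))            # (False, None)
```

The first two cases are what a correctly ordered VLAN Group policy produces; the third is what an Advanced-tab entry with the wrong Tunnel-Type looks like to the switch (the user gets on the network but in the port's static VLAN, which is easy to miss in testing); the last two are the cases that show up as failed authentications even though the password was right, so they are worth checking before blaming the credentials.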

Configuring VLAN Groups

The first step is to define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group. The VLAN Groups are used by IAS to assign the proper VLAN ID to each user account.

Step 1: Using the Active Directory Users and Computers administrative tool, create the VLAN Groups that will be used for each VLAN ID. One VLAN Group must be created for each VLAN defined on the Foundry device. The VLAN Groups must be created as Global/Security groups.
o Name the VLAN Group with a descriptive name that describes the VLAN Group's function.
o Check the Global Group Scope parameter.
o Check the Security Group Type parameter.

Figure 20. New Global Security Group

Step 2: Add the user accounts to the proper VLAN Groups. IAS will use the group memberships to determine which VLAN ID to send back to the Foundry device for dynamic VLAN port assignment.

Step 3: Repeat Steps 1 and 2 for each VLAN Group required.

Figure 21. Add Group Members

Configuring Remote Access Policies

Once the VLAN Groups have been created with the proper user account memberships, IAS Remote Access Policies need to be defined. The IAS Remote Access Policies allow the IAS service to compare the user account being authenticated against the group memberships of each VLAN Group to determine the correct VLAN ID to return to the Foundry device.

Step 1: Using the Remote Access Policies option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous step. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom. For example, if the Day-And-Time Restriction policy is still present, it should be moved to the bottom or deleted to allow the VLAN Group policies to take precedence.
o Right-click Remote Access Policies and select New Remote Access Policy.
o Enter a Policy Friendly Name that describes the policy. Each Remote Access Policy will be matched to one VLAN Group. An example may be "Allow - VLAN 10 Policy". Select the Next button to continue.

Figure 22. New Remote Access Policy for VLAN Group

o The Conditions window will be displayed. Select Add to add the condition that this policy will act on. Select the Windows-Groups attribute type and click on the Add button.

Figure 23. Specifying Windows-Group Condition

o The Groups window will be displayed. Click on the Add button and select the VLAN Group that matches this new policy. Only one VLAN Group should be associated with each policy. Select the OK and Next options in the next few screens to accept the group value.

Figure 24. Adding VLAN Group

o When the Permissions window is displayed, select the Grant remote access permission option and select Next. This grants access based on group membership.
o When the User Profile window appears, select the Edit Profile button.

Figure 25. Granting Permissions and User Profile Screens

o The Edit Dial-In Profile screen will be displayed, with several tabs. On the Edit Dial-In Profile screen, select the Authentication tab and check the Extensible Authentication Protocol option. From the EAP type drop-down box, select the MD5-Challenge option to support the Foundry devices. Uncheck all other authentication types listed under the drop-down box.

Figure 26. Authentication Tab Settings

o On the Edit Dial-In Profile screen, select the Encryption tab and check the Strongest encryption option. This step is not required for EAP-MD5, but is performed as a safeguard to ensure that weaker encryption options are not used in the future.

Figure 27. Encryption Tab Settings

o On the Edit Dial-In Profile screen, select the IP tab and check Client may request an IP address to support DHCP.
o On the Edit Dial-In Profile screen, select the Advanced tab. The current default parameters returned to the Foundry device should be Service-Type and Framed-Protocol. Select the Add button to add the three additional RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.

Figure 28. Connection Attributes Screen

o The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
  o Tunnel-Medium-Type
  o Tunnel-Pvt-Group-ID
  o Tunnel-Type

Figure 29. RADIUS Attribute Screen

o Select Tunnel-Medium-Type and click on the Add button. On the Multivalued Attribute Information screen, click on the Add button. The Enumerable Attribute Information screen is displayed. Select the 802 value from the Attribute Value drop-down box. Select OK to accept the value. Return to the RADIUS Attribute screen (Figure 29).

Figure 30. Attribute Setting for Tunnel-Medium-Type

Select Tunnel-Pvt-Group-ID and click on the Add button. On the Multivalued Attribute Information screen, click on the Add button. The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified. Select OK to accept the value. Return to the RADIUS Attribute Screen (Figure 29).

Figure 31. VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID

Select Tunnel-Type and click on the Add button. On the Multivalued Attribute Information screen, click on the Add button. The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the Attribute Value drop-down box. Select OK to accept the value. Return to the RADIUS Attribute Screen (Figure 29) and select the Close button.

Figure 32. VLAN Attribute Setting for Tunnel-Type

The completed Advanced tab should resemble the illustration in Figure 33. Repeat this step, Configuring Remote Access Policies, for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list.

Figure 33. Completed Advanced Tab
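The three attributes configured above are what the IAS policy places in the RADIUS Access-Accept, and a policy that is missing one of them (or carries the wrong enumerated value) simply leaves the port in its original VLAN. The following Python script is an added example, not part of this white paper or of Foundry's or Microsoft's software. It encodes the attributes as RADIUS attribute-value pairs using the RFC 2868 tagged format (Tunnel-Type = 64, Tunnel-Medium-Type = 65, Tunnel-Private-Group-ID = 81; the values 802 and VLAN are the enumerations 6 and 13 from RFC 2868 and RFC 3580) and then checks a captured attribute list for completeness and consistency the way a switch would. The tag value 1 and the sample payloads are constructed for the example; the check treats an absent tag and tag 0 as equivalent, as RFC 2868 allows.

```python
"""Build and validate the RADIUS tunnel attributes returned for 802.1X
Dynamic VLAN Assignment (RFC 2868 encoding, enumerations from RFC 3580).

Added example; not Foundry or Microsoft code. The sample Access-Accept
payloads below are constructed for illustration.
"""
import struct

# RADIUS attribute types (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Enumerated values the remote access policy must return
TUNNEL_TYPE_VLAN = 13          # "Virtual LANs (VLAN)" in the IAS drop-down
TUNNEL_MEDIUM_IEEE_802 = 6     # "802" in the IAS drop-down
MAX_TAG = 0x1F                 # RFC 2868: a first byte above this is data, not a tag


def avp(attr_type, value):
    """Wrap a raw value in a RADIUS attribute header (type, length, value)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type, tag, number):
    """Tagged integer attribute: 1 tag byte followed by a 3-byte big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00-0x1F")
    return avp(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """Tagged string attribute; Tunnel-Private-Group-ID carries the VLAN ID or name."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00-0x1F")
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def build_vlan_attributes(vlan, tag=1):
    """The three attributes one VLAN Group policy must return (tag=1 is a constructed choice)."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(payload):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def _untag(value):
    """Return (tag, data); tag is None when the first byte is part of the data."""
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return None, value


def assigned_vlan(payload):
    """VLAN ID/name the switch would apply, or None when the three attributes are
    missing, carry the wrong enumeration, or do not share one tag group."""
    found = {}
    for attr_type, value in parse_attributes(payload):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, data = _untag(value)
            if len(data) != 3:
                return None
            found[attr_type] = (tag, int.from_bytes(data, "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, data = _untag(value)
            found[attr_type] = (tag, data.decode("ascii", "replace"))
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return None
    if (found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN
            or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802):
        return None
    # An absent tag and tag 0 both mean "unused" (RFC 2868), so normalise before comparing
    tags = {0 if tag is None else tag for tag, _ in found.values()}
    if len(tags) != 1:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


# Constructed samples: a complete policy for VLAN 5, and one that omitted Tunnel-Type
GOOD_ACCEPT = build_vlan_attributes(5)
INCOMPLETE_ACCEPT = (tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
                     + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "5"))

if __name__ == "__main__":
    print("complete policy   ->", assigned_vlan(GOOD_ACCEPT))        # 5
    print("incomplete policy ->", assigned_vlan(INCOMPLETE_ACCEPT))  # None
```

Running assigned_vlan over the attribute list of a captured Access-Accept (for example from a RADIUS server trace) shows at a glance whether a policy that appears correct in the IAS GUI actually returns everything the switch needs.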

Creating Port-Based VLANs

Port-Based VLANs must be created on each Foundry device participating in the 802.1X Dynamic VLAN Assignment topology. 802.1X Dynamic VLAN Assignment is only supported on port-based VLANs. This feature cannot be used to place an 802.1X-enabled port into a Layer 3 protocol VLAN.

Step 1: Create the necessary Port-Based VLANs on each Foundry device. The VLAN IDs or Names must match the Tunnel-Pvt-Group-ID used in the Remote Access Policies created in the previous step.

To create the port-based VLAN:
Syntax: vlan <vlan-id> by port

To add ports:
Syntax: untagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]

To turn on Spanning Tree Protocol:
Syntax: [no] spanning-tree

EXAMPLE
This example creates a port-based VLAN with the VLAN ID of 10 and assigns an untagged uplink port E7/24 to the VLAN. Users matching the VLAN Group ID of 10 will be automatically added to this VLAN using 802.1X Dynamic VLAN Assignment.

Dept_Switch-1(config)# vlan 10 by port
Dept_Switch-1(config-vlan-10)# untagged eth 7/24
Dept_Switch-1(config-vlan-10)# spanning-tree
Dept_Switch-1(config-vlan-10)# exit
Dept_Switch-1(config)# write memory

Step 2: Repeat Step 1 for each Port-Based VLAN that needs to be created.

Testing The Dynamic VLAN Feature

In order to successfully test the 802.1X Dynamic VLAN Assignment feature, the following components must be fully installed and configured according to the procedures outlined in this White Paper:

o IAS RADIUS Server
o Active Directory Server
o Foundry 802.1X-capable device with version code or later
o 802.1X compliant workstation or file server

Make sure the order of the Remote Access Policies is correct. The VLAN Group Policies should be listed ahead of any other general policies such as the Day-And-Time Restriction Policy.

Step 1: To ensure that Microsoft's IAS service recognizes all the new Remote Access Policies and changes, stop and start the IAS service. This can be done from the Internet Authentication Service management screen by right-clicking on the Internet Authentication Service (local) option and selecting Stop Service to stop the IAS service and Start Service to start the IAS service.

Step 2: Using a workstation that is configured properly for 802.1X client support, connect to the Foundry device's 802.1X enabled port.

Step 3: Follow the steps outlined in the section, Testing The Client Connection, to authenticate the client. Use one of the accounts that were added to a valid VLAN Group created on the Active Directory server.

Step 4: Once the client is authenticated, check the Foundry device to make sure the client's port is added to the proper Port-Based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN assignment:

Syntax: show run
Displays the dynamically assigned ports in each Port-Based VLAN.

Syntax: show interface <port>
Displays detailed port information showing the original Layer 2 VLAN the port belonged to before the automatic assignment and the VLAN membership after the automatic assignment.

EXAMPLE Show Run Command
This example shows the results of the show run command. An 802.1X client was authenticated using a valid Windows account on the Active Directory server that is a member of VLAN Group 5. From the show run illustration, the 802.1X client is connected to port Ethernet 22. After successful authentication, port Ethernet 22 is automatically assigned to Port-Based VLAN 5 as an untagged port.

SW-telnet@FI4802-PREM#show run
ver B2T51
!
dot1x-enable
 enable ethe 20 to 29
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
!
vlan 20 by port
!
vlan 5 by port
 untagged ethe 22

EXAMPLE Show Interface Command
This example shows the dynamic VLAN information for port Ethernet 22 after the automatic VLAN assignment was made. Note the original VLAN ID was 1 and the new dot1x-radius assigned VLAN is 5.

SW-telnet@FI4802-PREM#sho int e22
FastEthernet22 is up, line protocol is up
  Hardware is FastEthernet, address is 00e a315 (bia 00e a315)
  Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
  Member of L2 VLAN ID 5 (dot1x-radius assigned), original L2 VLAN ID is 1, port is untagged, port state is FORWARDING
  STP configured to ON, priority is level0, flow control enabled
  mirror disabled, monitor disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  :
  :
  :
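Step 4 above is the check that confirms the whole chain (client, switch, IAS policy, VLAN) is working, and it is worth automating when many ports or VLAN Groups are being validated. The following Python script is an added example, not Foundry code: it parses the VLAN membership line of show interface (reporting the RADIUS-assigned VLAN, the original VLAN, and the tagging mode), maps ports to VLANs from show run, and reports success only when both views agree that the port was moved to the expected VLAN by 802.1X. The two show interface outputs and the show run text are constructed samples modelled on the format shown in this white paper; the MAC address in them is a placeholder.

```python
"""Verify a Foundry port's 802.1X dynamic VLAN assignment from CLI output.

Added example, not Foundry code. The sample outputs are constructed,
modelled on the show interface / show run format in this white paper.
"""
import re

# Constructed: an 802.1X port after a successful authentication (placeholder MAC)
SHOW_INT_E22 = """\
FastEthernet22 is up, line protocol is up
  Hardware is FastEthernet, address is 00e0.0000.a315 (bia 00e0.0000.a315)
  Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
  Member of L2 VLAN ID 5 (dot1x-radius assigned), original L2 VLAN ID is 1, port is untagged, port state is FORWARDING
  STP configured to ON, priority is level0, flow control enabled
"""

# Constructed: a port on which no client has authenticated yet
SHOW_INT_E23 = """\
FastEthernet23 is up, line protocol is up
  Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
"""

# Constructed: running configuration after the assignment (version string is a placeholder)
SHOW_RUN = """\
ver <version>
!
dot1x-enable
 enable ethe 20 to 29
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
!
vlan 5 by port
 untagged ethe 22
"""

# Membership line: VLAN, optional "(dot1x-radius assigned)", optional original VLAN, tagging
VLAN_LINE = re.compile(
    r"Member of L2 VLAN ID (?P<vlan>\d+)"
    r"(?: \((?P<source>[^)]+)\))?"
    r"(?:, original L2 VLAN ID is (?P<orig>\d+))?"
    r", port is (?P<tagging>tagged|untagged)")


def parse_port_vlan(show_int):
    """Extract VLAN membership details from one port's show interface output."""
    m = VLAN_LINE.search(show_int)
    if not m:
        raise ValueError("no VLAN membership line in show interface output")
    return {
        "vlan": int(m.group("vlan")),
        "dynamic": m.group("source") == "dot1x-radius assigned",
        # Without an "original" field the port is still in its configured VLAN
        "original_vlan": int(m.group("orig")) if m.group("orig") else int(m.group("vlan")),
        "tagging": m.group("tagging"),
    }


def port_vlans_from_run(show_run):
    """Map port (e.g. '22' or '7/24') to VLAN ID for ports listed under 'vlan N by port'."""
    members = {}
    current = None
    for line in show_run.splitlines():
        m = re.match(r"vlan (\d+)(?: name \S+)? by port", line)
        if m:
            current = int(m.group(1))
            continue
        # Only tagged/untagged member lines count; 'enable ethe ...' under dot1x-enable does not
        m = re.match(r"\s+(?:untagged|tagged) ethe (\d+(?:/\d+)?)", line)
        if m and current is not None:
            members[m.group(1)] = current
    return members


def verify_dynamic_vlan(show_int, show_run, port, expected_vlan):
    """True only when both commands agree the port was moved to expected_vlan by 802.1X."""
    info = parse_port_vlan(show_int)
    run_vlan = port_vlans_from_run(show_run).get(port)
    return (info["dynamic"] and info["vlan"] == expected_vlan
            and info["tagging"] == "untagged" and run_vlan == expected_vlan)


if __name__ == "__main__":
    print(parse_port_vlan(SHOW_INT_E22))
    print("port 22 in VLAN 5:", verify_dynamic_vlan(SHOW_INT_E22, SHOW_RUN, "22", 5))
```

A port that authenticated but still reports its original VLAN with no "(dot1x-radius assigned)" marker points back to the Remote Access Policy (missing attribute, wrong VLAN ID or Name, or policy order), which is why the check reads both the original and the assigned VLAN rather than just the current one.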

Foundry Networks, Inc.
Headquarters
2100 Gold Street
P.O. Box
San Jose, CA
U.S. and Canada Toll-free: (888) TURBOLAN
Direct telephone:
Fax:
Web:

Foundry Networks, Inc.


More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across

More information

Viewing Network Status, page 116. Configuring IPv4 or IPv6 Routing, page 116. Configuring the WAN, page 122. Configuring a VLAN, page 137

Viewing Network Status, page 116. Configuring IPv4 or IPv6 Routing, page 116. Configuring the WAN, page 122. Configuring a VLAN, page 137 Networking Using the Networking module to configure your Internet connection, VLAN, DMZ, zones, routing, Quality of Service (QoS), and related features. It includes the following sections: Viewing Network

More information

CCNP Switch Questions/Answers Securing Campus Infrastructure

CCNP Switch Questions/Answers Securing Campus Infrastructure What statement is true about a local SPAN configuration? A. A port can act as the destination port for all SPAN sessions configured on the switch. B. A port can be configured to act as a source and destination

More information

Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 09, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Integrate Routing and Remote Access Service (RRAS) EventTracker v8.x and above

Integrate Routing and Remote Access Service (RRAS) EventTracker v8.x and above Integrate Routing and Remote Access Service (RRAS) EventTracker v8.x and above Publication Date: April 18, 2017 Abstract This guide provides instructions to configure Routing and Remote Access Service

More information

48-Port Gigabit Ethernet Smart Managed Plus Switch User Manual

48-Port Gigabit Ethernet Smart Managed Plus Switch User Manual 48-Port Gigabit Ethernet Smart Managed Plus Switch User Manual Model GS750E July 2017 202-11784-01 350 E. Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. You

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

802.1x Configuration Commands

802.1x Configuration Commands Table of Contents Table of Contents Chapter 1...1 1.1...1 1.1.1 dot1x enable...2 1.1.2 dot1x port-control...2 1.1.3 dot1x multiple-hosts...4 1.1.4 dot1x default...5 1.1.5 dot1x max-req...5 1.1.6 dot1x

More information

802.1x Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents

802.1x Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents Table of Contents Table of Contents Chapter 1 802.1X Overview... 1-1 1.1 Introduction to 802.1X... 1-1 1.2 Features Configuration... 1-1 1.2.1 Global Configuration... 1-1 1.2.2 Configuration in Port View...

More information

PPPoE Client DDR Idle-Timer

PPPoE Client DDR Idle-Timer The feature supports the dial-on-demand routing (DDR) interesting traffic control list functionality of the dialer interface with a PPP over Ethernet (PPPoE) client, but also keeps original functionality

More information

EX2500 Ethernet Switch 3.1 Release Notes

EX2500 Ethernet Switch 3.1 Release Notes EX2500 Ethernet Switch 3.1 Release Notes Release 3.1R2 29 January 2010 Revision 3 These release notes accompany Release 3.1R2 of the Juniper Networks EX2500 Ethernet Switches and software. They briefly

More information

Defining IPsec Networks and Customers

Defining IPsec Networks and Customers CHAPTER 4 Defining the IPsec Network Elements In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition

More information

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS) Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS) HOME SUPPORT PRODUCT SUPPORT WIRELESS CISCO 4400 SERIES WIRELESS LAN

More information

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL Summary Numerous papers have been written on the topic of IEEE 802.11 security for wireless LANs (WLANs). The major vulnerabilities of 802.11 security can be summarized as follows: Weak device-only authentication:

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 5 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 10 Configuring WLAN-VLAN Mappings on FlexConnect Groups, page 11 Information About FlexConnect

More information

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B FortiNAC Cisco Airespace Wireless Controller Integration Version: 8.x Date: 8/28/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE

More information

IEEE 802.1X Multiple Authentication

IEEE 802.1X Multiple Authentication The feature provides a means of authenticating multiple hosts on a single port. With both 802.1X and non-802.1x devices, multiple hosts can be authenticated using different methods. Each host is individually

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Application Notes for Avaya Aura Telephony Infrastructure in a Converged VoIP and Data Network using HP Networking Switches configured with 802.1X Authentication

More information