How to use 802.1x/mac-auth and dynamic VLAN assignment

Hello guys! Today I want to show you how to secure your edge-switches with 802.1x and mac-authentication fallback in combination with HPE comware-based switches. The 802.1x protocol is used for network access control. For devices like printers, cameras, etc. we will use mac-authentication as a fallback. We will also use dynamic VLAN assignment for the connected ports.

Our radius server will be Microsoft NPS. You can activate this role on the Windows server:

After the installation, open the NPS console and register the radius server in your Active Directory:

add your switches or your management network as a radius-client:

the shared secret will be used in the switch configuration. In created two groups within my test environment:

  • VLAN2-802.1x” containing computer accounts
  • VLAN3-MAC-Auth” containing user accounts (username+password = mac-address of the device)

So we will now configure two network policies for our network access control:

I also configured a NAS Identifier so no other device can use the radius server. The clients will use their computer certificate so you will need a running internal certification authority. Choose PEAP only as the authentication method:

the next step is for our dynamic VLAN assignment. Dot1x devices are bound to VLAN 2:

the final dot1x configuration in the NPS:

the second network policy is for the mac-based authentication:

Comware switches are sending MAC-Auth-requests via PAP (maybe you know how to change it to CHAP):

final MAC auth profile:

for now we have built up our authentication server. Now let’s go to the switch configuration. You have global configuration parameters and parameters for each interface. The best way is to use interface-range command to be safe at your configuration. Users who cant authenticate, will be forced to VLAN 999 (quarantine VLAN with no gateway). Here are the global parameters with explanations inline:

dot1x
dot1x authentication-method eap
dot1x retry 3
dot1x timer tx-period 120 #max reauthentication time, will figure out how to configure keeping alive, even if the radius servers are not reachable
#
radius scheme MyRadiusServer
primary authentication 192.168.0.1 key simple *****
primary accounting 192.168.0.1 key simple *****
secondary authentication 192.168.0.2 key simple *****
secondary accounting 192.168.0.2 key simple *****
user-name-format without-domain
#
domain mycompany.local
authentication lan-access radius-scheme MyRadiusServer
authorization lan-access radius-scheme MyRadiusServer
#
domain default enable mycompany.local
#
mac-authentication # activate MAC-Auth globally
mac-authentication domain mycompany.local
#
vlan 2
name clients
#
vlan 3
name printers
#
vlan 999
name quarantine

now we will configure the interfaces:

interface range GigabitEthernet1/0/1 to GigabitEthernet1/0/48
 stp edged-port
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain mycompany.local
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x re-authenticate server-unreachable keep-online
 mac-vlan enable
 mac-authentication
 mac-authentication domain mycompany.local
 mac-authentication re-authenticate server-unreachable keep-online
 mac-authentication guest-vlan 999
 mac-authentication guest-vlan auth-period 3600
 mac-authentication parallel-with-dot1x

the last part is to configure all windows clients to send 802.1x auth data to the cable network. I’ve done this via a global group policy. You can find the settings under Computer Configuration / Policies / Windows Settings / Security Settings / Wired Network (IEEE 802.3) Policies:

So how does a working 802.1x-auth looks like?

%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1-AuthorizationVLANID=2-Username=host/PC123.mycompany.local; User passed 802.1X authentication and came online.

Successful Mac-Authentication of a printer:

%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1-AuthorizationVLANID=3-Username=0017c82de9bf-UsernameFormat=MAC address; User passed MAC authentication and came online.

I tried to draw a flow chart which shows the authentication process, I hope it’s ok for you 🙂

Do you have questions? Feel free to write them into the comments and I will try to answer.

 

Have a nice and sunny day!

 

/edit: If you can’t see success and failure events, follow this instruction: NPS / Radius Server is not logging

2 thoughts on “How to use 802.1x/mac-auth and dynamic VLAN assignment

Leave a Comment