NetworkDevicesConfigurationGuideforPacketFenceversion6.7.0
NetworkDevicesConfigurationGuidebyInverseInc.
Version6.5.0-Jan2017Copyright2017Inverseinc.
Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-CoverTexts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense".
ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http://scripts.sil.org/OFL
CopyrightukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato".
CopyrightRaphLevien,http://levien.com/,withReservedFontName:"Inconsolata".
http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLhttp://www.latofonts.com/http://levien.com/
Copyright2017Inverseinc. iii
TableofContentsAbout thisGuide .............................................................................................................. 1
Othersourcesof information..................................................................................... 1NoteonInlineenforcementsupport................................................................................... 2ListofsupportedNetworkDevices.................................................................................... 3Switchconfiguration ......................................................................................................... 4
Assumptions ............................................................................................................. 43COM ..................................................................................................................... 4Alcatel ................................................................................................................... 10AlliedTelesis ............................................................................................................ 13Amer ..................................................................................................................... 16Avaya .................................................................................................................... 16Brocade ................................................................................................................. 18Cisco ..................................................................................................................... 20D-Link ................................................................................................................... 47Dell ....................................................................................................................... 48EdgecorE ............................................................................................................... 49Enterasys ............................................................................................................... 50ExtremeNetworks .................................................................................................. 53Foundry ................................................................................................................. 55Huawei .................................................................................................................. 56H3C ...................................................................................................................... 60HP ......................................................................................................................... 63HPProCurve .......................................................................................................... 63Huawei .................................................................................................................. 67IBM ....................................................................................................................... 69Intel ....................................................................................................................... 70Juniper ................................................................................................................... 70LG-Ericsson ............................................................................................................ 74Linksys ................................................................................................................... 76Netgear ................................................................................................................. 76Nortel .................................................................................................................... 79SMC ...................................................................................................................... 81Ubiquity ................................................................................................................. 82
WirelessControllersandAccessPointConfiguration.......................................................... 86Assumptions ........................................................................................................... 86UnsupportedEquipment .......................................................................................... 86AeroHIVE ............................................................................................................... 87Anyfi ..................................................................................................................... 89Avaya .................................................................................................................... 91Aruba .................................................................................................................... 92BelairNetworks(nowEricsson).............................................................................. 110Brocade ............................................................................................................... 111Cisco ................................................................................................................... 111WirelessLANController(WLC)WebAuth.............................................................. 118TroubleshootingignoredRADIUSreplies................................................................. 123D-Link ................................................................................................................. 124Extricom .............................................................................................................. 124Hostapd ............................................................................................................... 125Meraki ................................................................................................................. 126Mikrotik ............................................................................................................... 138HP ....................................................................................................................... 140
Copyright2017Inverseinc. iv
Meru ................................................................................................................... 140MojoNetworks ..................................................................................................... 143Motorola .............................................................................................................. 145Ruckus ................................................................................................................. 149Trapeze ................................................................................................................ 153Xirrus ................................................................................................................... 154
Additional Information ................................................................................................... 156CommercialSupportandContactInformation................................................................. 157GNUFreeDocumentationLicense................................................................................. 158
Chapter1
Copyright2017Inverseinc. AboutthisGuide 1
AboutthisGuide
ThisguidecoverstheconfigurationofnetworkdevicesinordertointegratethemwithPacketFenceinVLANenforcement.Switches,wirelesscontrollersandwirelessaccesspointsareallconsiderednetworkdevicesinPacketFencesterms.
Thelatestversionofthisguideisavailableathttps://packetfence.org/documentation/
Othersourcesofinformation
AdministrationGuide CoversPacketFence installation,configurationandadministration.
DevelopersGuide Covers captive portal customization, VLANmanagement customization and instructionsforsupportingnewhardware.
NEWS Covers noteworthy features, improvementsandbugfixesbyrelease.
UPGRADE Covers compatibility related changes,manualinstructions and general notes aboutupgrading.
ChangeLog Coversallchangestothesourcecode.
Thesefilesareincludedinthepackageandreleasetarballs.
https://packetfence.org/documentation/
Chapter2
Copyright2017Inverseinc. NoteonInlineenforcementsupport 2
NoteonInlineenforcementsupport
There is no need to follow the instructions in this guide if you plan on deploying in inlineenforcement,exceptRADIUSinline.Inthiscaseallyouneedtodoistohaveaflatlayer2networkuptoPacketFences inlineinterfacewithnoothergatewayavailablefordevicestoreachouttotheInternet.
ThistechniqueisusuallyusedwhenyournetworkhardwaredoesntsupportVLANenforcement.
Chapter3
Copyright2017Inverseinc. ListofsupportedNetworkDevices 3
ListofsupportedNetworkDevices
PacketFencesupportsawholelotofdifferentwirelessandwirednetworkequipmentfromvariousvendorsrunningdifferentversions.Sincewewanttoprovidethemostaccurateinformationandavoidduplicationof thatsame information,please refer toourwebsitehttps://packetfence.org/about/supported_switches_and_aps.html
Youll find on this page the enforcementmodes supported by each and every single piece ofequipmentwetestedandworkedwith.
https://packetfence.org/about/supported_switches_and_aps.htmlhttps://packetfence.org/about/supported_switches_and_aps.html
Chapter4
Copyright2017Inverseinc. Switchconfiguration 4
Switchconfiguration
Assumptions
Throughout this configuration example we use the following assumptions for our networkinfrastructure:
PacketFenceisfullyconfiguredwithFreeRADIUSrunning(ifyouwant802.1XorMACAuth) PacketFenceIPaddress:192.168.1.5 NormalVLAN:1 RegistrationVLAN:2 IsolationVLAN:3 MACDetectionVLAN:4 GuestVLAN:5 VoIP,VoiceVLAN:100 useSNMPv2c SNMPReadcommunity:public SNMPWritecommunity:private SNMPTrapcommunity:public RADIUSSecret:useStrongerSecret
3COM
SuperStack3Switch4200and4500PacketFencesupportsthese3ComswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
PortSecurity(withstaticMACs)
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonly
Globalconfigsettings:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 5
snmp-agentsnmp-agent target-host trap address udp-domain 192.168.1.5 params securityname publicsnmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
InPortSecurity
Globalconfigsettings:
snmp-agentsnmp-agent target-host trap address udp-domain 192.168.1.5 params securityname publicsnmp-agent trap enableport-security enableport-security trap addresslearnedport-security trap intrusion
Oneachinterface:
port access vlan 4port-security max-mac-count 1port-security port-mode secureport-security intrusion-mode blockmacundo enable snmp trap updown
InMACAuth
Voice vlan : 6Normal vlan : 1Registration vlan : 2Isolation vlan : 3
Globalconfigsettings:
lldp enablelldp timer tx-interval 5lldp compliance cdplldp compliance cdp
port-security enableMAC-authentication domain packetfence
Chapter4
Copyright2017Inverseinc. Switchconfiguration 6
radius scheme systemradius scheme packetfence server-type extended primary authentication 192.168.1.5 primary accounting 192.168.1.5 key authentication P@cketfence key accounting cipher P@cketfence user-name-format without-domain
domain packetfence authentication radius-scheme packetfence accounting radius-scheme packetfence vlan-assignment-mode string accounting optionaldomain system
voice vlan mac-address f4ea-6700-0000 mask ffff-ff00-0000 description Cisco IP Phoneundo voice vlan security enablevoice vlan 6 enable
OneachinterfacewithVoIP:
interface Ethernet1/0/1 stp edged-port enable lldp compliance admin-status cdp txrx port link-type hybrid port hybrid vlan 6 tagged port hybrid vlan 1 2 3 untagged undo voice vlan mode auto voice vlan enable port-security max-mac-count 3 port-security port-mode mac-authentication port-security intrusion-mode blockmac undo enable snmp trap updown
E4800GPacketFencesupportsthese3Comswitcheswiththefollowingtechniques:
802.1XwithMACAuthenticationfallback
linkUp/linkDown(notrecommended)
VoiceoverIPsupportwasnotexplicitlytestedduringimplementationhoweveritdoesnotmeanthatitwontwork.
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonlyGlobalconfigsettings:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 7
snmp-agentsnmp-agent target-host trap address udp-domain 192.168.1.5 params securityname publicsnmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
802.1XwithMACAuthenticationfallback
Globalconfigsettings:
system-view radius scheme PacketFence primary authentication 192.168.1.5 1812 primary accounting 192.168.1.5 1812 key authentication useStrongerSecret user-name-format without-domain quit domain packetfence.local authentication default radius-scheme PacketFence authorization default radius-scheme PacketFence quit domain default enable packetfence.local dot1x authentication-method eap port-security enablequit
Ifyourmanagementauthenticationonyourswitchisdefault,applyingtheconfigurationabovewillhaveyourauthenticationswitchtoaRADIUSbasedonewithPacketFenceastheauthenticationserver.Itisalmostcertainthatyoudonotwantthat!
Below,wewilljustcreatealocalpasswordforvtyaccesses(telnet)andnothingontheconsole.Inordertoavoidlockingyourselfout,makesuretoverifyyourconfiguration!
system-view user-interface aux 0 authentication-mode none user-interface vty 0 4 user privilege level 3 set authentication password simple useStrongerPassword quitquit
Oneachinterface:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 8
system-view interface gigabitEthernet 1/0/xx port-security port-mode mac-else-userlogin-secure-ext # userlogin-secure-or-mac-ext could be used below instead # see the Switch_4200G's documentation for a discussion about it undo enable snmp trap updown quitquit
wherexxstandsfortheinterfaceindex.
E5500GandSwitch4200GPacketFencesupportsthese3Comswitcheswiththefollowingtechniques:
802.1XwithMACAuthenticationfallback
linkUp/linkDown(notrecommended)
VoiceoverIPsupportwasnotexplicitlytestedduringimplementationhoweveritdoesnotmeanthatitwontwork.
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonly
Globalconfigsettings:
snmp-agentsnmp-agent target-host trap address udp-domain 192.168.1.5 paramssecurityname publicsnmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
802.1XwithMACAuthenticationfallback
Globalconfigsettings:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 9
system-view radius scheme PacketFence server-type standard primary authentication 192.168.1.5 1812 primary accounting 192.168.1.5 1812 accounting optional key authentication useStrongerSecret user-name-format without-domain quit domain packetfence.local radius-scheme PacketFence vlan-assignment-mode string quit domain default enable packetfence.local dot1x authentication-method eap port-security enablequit
Ifyourmanagementauthenticationonyourswitchisdefault,applyingtheconfigurationabovewillhaveyourauthenticationswitchtoaRADIUSbasedonewithPacketFenceastheauthenticationserver.Itisalmostcertainthatyoudonotwantthat!
Below,wewilljustcreatealocalpasswordforvtyaccesses(telnet)andnothingontheconsole.Inordertoavoidlockingyourselfout,makesuretoverifyyourconfiguration!
system-view user-interface aux 0 authentication-mode none user-interface vty 0 4 user privilege level 3 set authentication password simple useStrongerPassword quitquit
Oneachinterface:
system-view interface gigabitEthernet 1/0/xx port-security port-mode mac-else-userlogin-secure-ext # userlogin-secure-or-mac-ext could be used below instead # see the Switch_4200G's documentation for a discussion about it undo enable snmp trap updown quitquit
wherexxstandsfortheinterfaceindex
NJ220Thisswitchdoesnotsupportport-security.
Toconfigure:usewebinterfacetosendthelinkUp/linkDowntrapstothePacketFenceserver.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 10
Alcatel
OS6250,OS6450PacketFencesupportsthisswitchusing802.1X,MacauthenticationandalsosupportsVoIP.
GlobalconfigurationFirstdefineanyVLANthatyouwanttouseontheswitch.
vlan 2vlan 5vlan 20vlan 100
Next,configuretheRADIUSservertobePacketFence
aaa radius-server "packetfence" host 192.168.1.5 key useStrongerSecretaaa authentication mac packetfenceaaa authentication 802.1X packetfence
Younowneedtoconfigureauserprofile(equivalentofarole)thatwilldeterminewhichVLANisassignedtothedevice.Inthiscasetheprofilenamesareunreg,employeeandguest.
aaa user-network-profile name unreg vlan 2aaa user-network-profile name guest vlan 5aaa user-network-profile name employee vlan 20
Next,configuretheswitchinPacketFence.Inthecaseofthisexample,theuplinkisport1/1.
[192.168.1.10]mode=productiondescription=alcateltype=AlcatelradiusSecret=useStrongerSecretuplink_dynamic=0uplink=1001RoleMap=YVlanMap=NregistrationRole=unregisolationRole=unregdefaultRole=employeeguestRole=guest
802.1XFirst,makesureyoufollowedthestepsaboveinGlobalconfiguration
Chapter4
Copyright2017Inverseinc. Switchconfiguration 11
Youwillneedtoconfiguretheportsyouwanttodoauthenticationon.
vlan port mobile 1/2vlan port 1/2 802.1X enable802.1X 1/2 supplicant policy authentication pass group-mobility block fail block802.1X 1/2 non-supplicant policy authentication pass group-mobility block fail block
MACAuthenticationFirst,makesureyoufollowedthestepsaboveinGlobalconfigurationand802.1X
Nextconfiguretheinterfacetobypass802.1Xauthentication
802.1X 1/2 supplicant bypass enable
VoIPPacketFencesupportsVoIPonAlcatelbyhavingmultipledevicesusingmultipleuntaggedVLANsonthesameport.
Firstconfiguretheuserprofileforvoice.InthisexampleitisonlyisolatingitonanotherVLANbutanyuserprofileattributescanbeaddedtotheprofile.
aaa user-network-profile name voice vlan 3
Next,makesureyouenableVoIP in theswitchconfiguration inPacketFenceandconfigure thevoiceRole.
[192.168.1.10]VoIPEnabled=YvoiceRole=voice
OS6860PacketFencesupportsthisswitchusing802.1X,MacauthenticationandalsosupportsVoIP.
NoteThisdocumentationismadeforAlcatelOS8.1+.Lowerversionsdonotsupportthisconfiguration.
GlobalconfigurationFirstdefineanyVLANthatyouwanttouseontheswitch.
vlan 2 admin-state enablevlan 5 admin-state enablevlan 20 admin-state enablevlan 100 admin-state enable
Chapter4
Copyright2017Inverseinc. Switchconfiguration 12
Next,configuretheRADIUSservertobePacketFence
aaa radius-server "packetfence" host 192.168.1.5 key useStrongerSecretaaa device-authentication mac packetfenceaaa device-authentication 802.1X packetfence
Younowneedtoconfigureanedgeprofile(equivalentofarole)thatwilldeterminewhichVLANisassignedtothedevice.Inthiscasetheprofilenamesareunreg,employeeandguest.
unp edge-profile unregunp edge-profile unreg redirect enableunp edge-profile unreg authentication-flag enableunp vlan-mapping edge-profile unreg vlan 2
unp edge-profile guestunp edge-profile guest redirect enableunp edge-profile guest authentication-flag enableunp vlan-mapping edge-profile guest vlan 5
unp edge-profile employeeunp edge-profile employee redirect enableunp edge-profile employee authentication-flag enableunp vlan-mapping edge-profile employee vlan 20
CautionMakesureyouenabletheredirectonallyourrolesastheaccessreevaluationwillnotworkwithoutit.
Next,configuretheswitchinPacketFence.Inthecaseofthisexample,theuplinkisport1/1/1.
[192.168.1.10]mode=productiondescription=alcateltype=AlcatelradiusSecret=useStrongerSecretuplink_dynamic=0uplink=1001RoleMap=YVlanMap=NregistrationRole=unregisolationRole=unregdefaultRole=employeeguestRole=guest
MACAuthenticationFirst,makesureyoufollowedthestepsaboveinGlobalconfiguration
Youwillneedtocreateanedgetemplateandapplyitontheportsyouwanttodoauthenticationon.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 13
unp edge-template pf_mabunp edge-template pf_mab mac-authentication enableunp edge-template pf_mab classification enableunp port 1/1/2 port-type edgeunp port 1/1/2 edge-template pf_mab
802.1X
First,makesureyoufollowedthestepsaboveinGlobalconfiguration
Youwillneedtocreateanedgetemplateandapplyitontheportsyouwanttodoauthenticationon.
unp edge-template pf_dot1xunp edge-template pf_dot1x 802.1X-authentication enableunp edge-template pf_dot1x mac-authentication enableunp edge-template pf_dot1x 802.1X-authentication failure-policy mac-authenticationunp port 1/1/2 port-type edgeunp port 1/1/2 edge-template pf_dot1x
VoIP
PacketFencesupportsVoIPonAlcatelbyhavingmultipledevicesusingmultipleuntaggedVLANsonthesameport.
Firstconfiguretheedgeprofileforvoice.InthisexampleitisonlyisolatingitonanotherVLANbutanyedgeprofileattributescanbeaddedtotheprofile.
unp edge-profile voiceunp edge-profile voice redirect enableunp edge-profile voice authentication-flag enableunp vlan-mapping edge-profile voice vlan 100
Next,makesureyouenableVoIP in theswitchconfiguration inPacketFenceandconfigure thevoiceRole.
[192.168.1.10]VoIPEnabled=YvoiceRole=voice
AlliedTelesis
AT8000GSPacketFencesupportstheAT8000GSswitchusing:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 14
MACAuthentication(mac-only)
802.1X
802.1X+VOIP
Assumptions
PacketFence management IP: 192.168.1.5Switch management IP: 10.0.0.14Guest VLAN (Internet): VLAN 1
MACAuthentication
First,enable802.1Xglobally:
dot1x system-auth-control
Next,configuretheRADIUSserverandAAAsettings:
radius-server host 192.168.1.5radius-server key useStrongerSecretradius-server source-ip 10.0.0.14aaa authentication dot1x default radiusaaa accounting dot1x radius
Inordertogetmacauthentication,youneedtoenabletheguestVLANglobally:
interface vlan 1name "Guest Vlan"dot1x guest-vlanexit
Finally,enablethenecessary802.1Xsettingsformac-onlyauthentication:
interface ethernet g1dot1x mac-authentication mac-onlydot1x radius-attributes vlandot1x port-control autodot1x guest-vlan enable
802.1X
ThesettingsarealmostthesameastheMACAuthenticationwithsomesmalldifferences.
First,enable802.1Xglobally:
dot1x system-auth-control
Chapter4
Copyright2017Inverseinc. Switchconfiguration 15
Next,configuretheRADIUSserverandAAAsettings:
radius-server host 192.168.1.5radius-server key useStrongerSecretradius-server source-ip 10.0.0.14aaa authentication dot1x default radiusaaa accounting dot1x radius
Finally,enablethenecessary802.1Xsettings:
interface ethernet g1dot1x radius-attributes vlandot1x port-control auto
802.1X+VOIP
First,enable802.1Xglobally:
dot1x system-auth-control
Next,configuretheRADIUSserverconfigurationandAAAsettings:
radius-server host 192.168.1.5radius-server key useStrongerSecretradius-server source-ip 10.0.0.14aaa authentication dot1x default radiusaaa accounting dot1x radius
Then,LLDPconfiguration:
hostname switch-nameip domain-name domain.locallldp med network-policy 1 voice vlan 100 vlan-type tagged dscp 34lldp med network-policy 2 voice-signaling vlan 100 vlan-type tagged dscp 34
Finally,enablethenecessary802.1XandVOIPsettingsoneachinterface:
interface ethernet g1 dot1x port-control force-authorized no dot1x guest-vlan enable no dot1x mac-authentication no dot1x radius-attributes vlan no dot1x re-authentication switchport mode trunk switchport trunk native vlan 5 switchport trunk allowed vlan add 100 lldp med enable network-policy lldp med network-policy add 1 lldp med network-policy add 2
Chapter4
Copyright2017Inverseinc. Switchconfiguration 16
Amer
PacketFencesupportsAmerswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
Dontforgettoupdatethestartupconfig!
L2SwitchSS2R24iGlobalconfigsettings:
create snmp host 192.168.1.5 v2c publiccreate snmp user public ReadGroupenable snmp traps
Oneachinterface:
config vlan default delete xxconfig vlan mac-detection add untagged xx
wherexxstandsfortheinterfaceindex
Avaya
AvayaboughtNortelswirednetworksassets.SoAvayaswitchesare,ineffect,re-brandedNortels.SeeNortelsectionofthisdocumentforconfigurationinstructions.
802.1XwithMACAuthenticationBypassandVoIP
Note
Theconfigurationbelowrequiresanntpserver.WeusethePacketFenceserverastheNTPserverbutanyotheronewilldo.IfyouwanttousethePacketFenceserverforNTP,makesureyouinstalltheappropriateserviceandopenport123in/usr/local/pf/conf/iptables.conf
Globalconfigsettings:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 17
sntp server primary address 192.168.1.5sntp enableradius server host 192.168.1.5 acct-enableradius server host key useStrongerSecretradius server host key useStrongerSecret used-by eapolradius server host key useStrongerSecret used-by non-eapolradius dynamic-server client 192.168.1.5radius dynamic-server client 192.168.1.5 secret useStrongerSecretradius dynamic-server client 192.168.1.5 enableradius dynamic-server client 192.168.1.5 process-change-of-auth-requestsradius dynamic-server client 192.168.1.5 process-disconnect-requests
vlan create 2,3,4,5 type portvlan create 100 type port voice-vlanvlan name 2 "Reg"vlan name 3 "Isol"vlan name 4 "Detect"vlan name 5 "Guest"vlan name 100 "Voice"
#Uplink configurationvlan ports 24 tagging tagAllvlan configcontrol autopvid
eapol multihost allow-non-eap-enableeapol multihost radius-non-eap-enableeapol multihost non-eap-phone-enableeapol multihost use-radius-assigned-vlaneapol multihost non-eap-use-radius-assigned-vlaneapol multihost eap-packet-mode unicasteapol multihost non-eap-reauthentication-enableeapol multihost adac-non-eap-enableno eapol multihost non-eap-pwd-fmt ip-addrno eapol multihost non-eap-pwd-fmt port-numbereapol multihost voip-vlan 1 enable vid 100
adac voice-vlan 100adac uplink-port 24adac op-mode tagged-framesadac enable
qos if-group name TrustedLinks class trustedqos if-assign port ALL name TrustedLinks
Port1configuration:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 18
interface FastEthernet ALLvlan ports 1 tagging tagAllvlan members 2,3,4,5 1vlan ports 1 pvid 2eapol multihost port 1 enable eap-mac-max 8 allow-non-eap-enable non-eap-mac-max 8 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast adac-non-eap-enableeapol port 1 status auto traffic-control in re-authentication enableeapol port 1 radius-dynamic-server enablelldp port 1 vendor-specific avaya dot1q-framing taggedno adac detection port 1 macadac port 1 tagged-frames-tagging tag-alladac port 1 enablespanning-tree port 1 learning fast
Brocade
ICX6400SeriesThoseswitchesaresupportedusing802.1XfornetworkswithorwithoutVoIP.
Globalconfigsettings:
aaa authentication dot1x default radiusradius-server host 192.168.1.5 auth-port 1812 acct-port 1813 defaultradius-server key useStrongerSecret
vlan 1 name DEFAULT-VLAN by port!vlan 100 by port tagged ethe 1/1/xx ethe 1/1/yy
WherexxandyyrepresenttherangeofportswhereyouwantPacketFenceenforcement.
MAC-AuthenticationwithoutVoIP
EnableMAC-Authenticationglobally
mac-authentication enablemac-authentication mac-vlan-dyn-activation
EnableMAC-AuthenticationoneachinterfaceyouwantPacketFenceactive
mac-authentication enablemac-authentication enable-dynamic-vlan
Chapter4
Copyright2017Inverseinc. Switchconfiguration 19
MAC-AuthenticationwithVoIP
Enablecdpglobally
cdp run
ApplythefollowingconfigurationoneachinterfaceyouwantPacketFenceactive
dual-modemac-authentication enablemac-authentication enable-dynamic-vlanvoice-vlan 100cdp enable
802.1X/MAC-Auth
Enable802.1Xglobally
dot1x-enable re-authentication enable ethe 1/1/xx
Wherexxistheswitchportnumber
ApplythefollowingconfigurationoneachinterfaceyouwantPacketFenceactive
dot1x port-control autodual-modemac-authentication enablemac-authentication enable-dynamic-vlanvoice-vlan 100
RadiusCLILogin
IfyouwanttousetheserverPacketFencetoauthenticateusersontheBrocadeswitch.
ConfiguretheradiusservertosenduserauthenticationrequesttoPacketFence
aaa authentication login default radius local
Note
MakesuretohavealocalaccountincasetheswitchcannotreachthePacketFenceserver
Chapter4
Copyright2017Inverseinc. Switchconfiguration 20
Cisco
PacketFencesupportsCiscoswitcheswithVoIPusingthreedifferenttraptypes:
linkUp/linkDown
MACNotification
PortSecurity(withstaticMACs)
YoualsoneedtomakesurethatlldporcdpnotificationisconfiguredonallportsthatwillhandleVoIP.
Onsomerecentmodels,wecanalsousemoresecureandrobustfeatureslike:
MACAuthentication(CiscosMACAuthenticationBypassorMAB)
802.1X(Multi-HostorMulti-Domain)
Dependingoftheswitchmodel,werecommendtheuseofthemostsecureandreliablefeaturefirst.Inotherwords,youshouldconsiderthefollowingorder:
1. 802.1X/MAB
2. Port-Security
3. linkUp/linkDown
EAP-FASTauthenticationSupportPacketFencesupportsCiscoNEATthroughEAP-MD5,EAP-FAST,EAP-GTCandEAP-MSCHAPv2authenticationmethods.UponsuccessfulauthenticationagainstPacketFence, theauthenticatorswitchwillgivetrunkaccesstothesupplicantswitch.
Here is an official Cisco guide, from which the following configuration derives: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
ThefollowingconfigurationexamplecontainsrequiredchangestobeappliedonbothauthenticatorandsupplicantswitchestoprovideEAP-FASTauthenticationagainstPacketFence.
AuthenticatorGlobalsettings:
aaa group server radius packetfence server 192.168.1.5 auth-port 1812 acct-port 1813aaa authentication dot1x default group packetfenceaaa authorization network default group packetfence
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.htmlhttps://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
Chapter4
Copyright2017Inverseinc. Switchconfiguration 21
cisp enable
Uplinkconfiguration:
interface FastEthernet0/20 switchport mode access authentication port-control auto dot1x pae authenticator
SupplicantGlobalsettings(replaceusernameandpassword):
cisp enable
eap profile EAP_PRO method fast
dot1x credentials EAP_PRO username switches password 7 03174C02120C29495D! Password is switches!dot1x supplicant force-multicast
Uplinksettings:
interface GigabitEthernet1/0/24 switchport mode trunk dot1x pae supplicant dot1x credentials EAP_PRO dot1x supplicant eap profile EAP_PRO
2900XL/3500XLSeriesSNMP|linkUP/linkDownGlobalconfigsettings:
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notificationsnmp-server host 192.168.1.5 trap version 2c public snmp mac-notificationmac-address-table notification interval 0mac-address-table notificationmac-address-table aging-time 3600
Chapter4
Copyright2017Inverseinc. Switchconfiguration 22
OneachinterfacewithoutVoIP:
switchport mode accessswitchport access vlan 4snmp trap mac-notification added
OneachinterfacewithVoIP:
switchport trunk encapsulation dot1qswitchport trunk native vlan 4switchport mode trunkswitchport voice vlan 100snmp trap mac-notification addedsnmp trap mac-notification removed
2950Thoseswitchesarenowsupportedusing802.1XfornetworkswithorwithoutVoIP.Youcanalsouseport-securitywithstaticMACaddressbutwecannotsecureaMAConthedataVLANspecificallysoenableitifthereisnoVoIP,uselinkUp/linkDownandMACnotificationotherwise.SoonsetupthatneedstohandleVoIPwiththisswitch,gowitha802.1Xconfiguration.
802.1X
Warning
Makesurethatyouhavealocalaccount,becauseenabling802.1XorMABwillaskforausernameandpasswordonthenextlogin.
Globalconfigsettings:
dot1x system-auth-control
AAAconfiguration:
aaa new-modelaaa group server radius packetfence server 192.168.1.5 auth-port 1812 acct-port 1813aaa authentication login default localaaa authentication dot1x default group packetfenceaaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2key useStrongerSecretradius-server vsa send authentication
OneachinterfacewithoutVoIP:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 23
switchport access vlan 4switchport mode accessdot1x port-control autodot1x host-mode multi-hostdot1x reauthentication
OneachinterfacewithVoIP:
switchport access vlan 4switchport mode accessswitchport voice vlan 100dot1x port-control autodot1x host-mode multi-hostdot1x reauthentication
Port-Security
CautionWithport-security,ifnoMACisconnectedonportswhenactivatingport-security,weneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhenanewMACappearsonaport.Ontheotherhand,ifaMACisactuallyconnectedwhenyouenableportsecurity,youmustsecurethisMACratherthanthebogusone.OtherwisethisMACwillloseitsconnectivityinstantly.
GlobalconfigsettingswithoutVoIP:
snmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport mode accessswitchport access vlan 4switchport port-securityswitchport port-security violation restrictswitchport port-security mac-address 0200.0000.00xx
wherexxstandsfortheinterfaceifIndex.
ifIndexmappingUse the following templates for interface IfIndex in bogus MAC addresses(0200.0000.00xx):
Fa0/1,,Fa0/481,,48
Gi0/1,Gi0/249,50
GlobalconfigsettingswithVoIP:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 24
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notificationsnmp-server host 192.168.1.5 trap version 2c public snmp mac-notificationmac-address-table notification interval 0mac-address-table notificationmac-address-table aging-time 3600
OneachinterfacewithVoIP:
switchport voice vlan 100switchport access vlan 4switchport mode accesssnmp trap mac-notification addedsnmp trap mac-notification removed
3550(802.1XwithMAB)
Caution
TheCatalyst3550doesnotsupport802.1XwithMulti-Domain,itcanonlysupport802.1XwithMABusingMulti-Host,MAB,andportsecurity.
Caution
TheCatalyst3550doesnotsupportCoA.MinimalIOSrequiredforCoAis12.2(52)SE.LatestavailableIOSfor3550is12.2(46)SE.Set"DeauthenticationMethod"to"SNMP"in PacketFence Administration GUI under Network Switches for the switch IPconfiguredbelow.
Globalsettings:
dot1x system-auth-controlaaa new-modelaaa group server radius packetfence server 192.168.1.5 auth-port 1812 acct-port 1813aaa authentication login default localaaa authentication dot1x default group packetfenceaaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecretradius-server vsa send authentication
EnableSNMPontheswitch:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/release/notes/OL23054.html
Chapter4
Copyright2017Inverseinc. Switchconfiguration 25
snmp-server community public ROsnmp-server community private RW
Oneachinterface:
switchport mode accessdot1x mac-auth-bypassdot1x pae authenticatordot1x port-control autodot1x violation-mode protectdot1x timeout quiet-period 2dot1x timeout reauth-period 7200dot1x timeout tx-period 3dot1x reauthentication
2960
CautionFor802.1XandMABconfigurations,refertothissectionbelow.
PortSecurityforIOSearlierthan12.2(46)SEGlobalconfigsettings:
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
Chapter4
Copyright2017Inverseinc. Switchconfiguration 26
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
PortSecurityforIOS12.2(46)SEorgreater
SinceversionPacketFence2.2.1, thewaytohandleVoIPwhenusingport-securitydramaticallychanged.Ensurethatyoufollowtheinstructionsbelow.Tomakethestoryshort,insteadonrelyingonthedynamicMAClearningforVoIP,weuseastaticentryonthevoiceVLANsowecantriggeranewsecurityviolation,andthenauthorizethephoneMACaddressonthenetwork.
Globalconfigsettings:
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security maximum 1 vlan voiceswitchport port-security violation restrictswitchport port-security mac-address 0200.010x.xxxx vlan voiceswitchport port-security mac-address 0200.000x.xxxx vlan access
wherexxxxxstandsfortheinterfaceifIndex
Chapter4
Copyright2017Inverseinc. Switchconfiguration 27
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
2960,2970,3560,3750
Note
You shouldnt use any port-security features when doing 802.1X and/or MacAuthentication.Thiscancauseunexpectedbehavior.
Warning
Makesurethatyouhavealocalaccount,becauseenabling802.1XorMABwillaskforausernameandpasswordonthenextlogin.
Globalsettings:
dot1x system-auth-controlaaa new-modelaaa group server radius packetfence server name pfnacaaa authentication login default localaaa authentication dot1x default group packetfenceaaa authorization network default group packetfence
RADIUSserverconfiguration:
radius server pfnac address ipv4 192.168.1.5 auth-port 1812 acct-port 1813 automate-tester username dummy ignore-acct-port idle-time 3 key 0 useStrongerSecret
radius-server vsa send authentication
CoAconfiguration
aaa server radius dynamic-author client 192.168.1.5 server-key useStrongerSecretport 3799
ActivateSNMPv1ontheswitch:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 28
snmp-server community public RO
802.1XwithMACAuthenticationbypass(MultiDomain)
Oneachinterface:
switchport mode accessswitchport voice vlan 100authentication host-mode multi-domainauthentication order dot1x mabauthentication priority dot1x mabauthentication port-control autoauthentication periodicauthentication timer restart 10800authentication timer reauthenticate 10800authentication violation replacemabno snmp trap link-statusdot1x pae authenticatordot1x timeout quiet-period 2dot1x timeout tx-period 3
802.1XwithMACAuthenticationbypass(MultiHost)
Oneachinterface:
switchport mode accessauthentication order dot1x mabauthentication priority dot1x mabauthentication port-control autoauthentication periodicauthentication timer restart 10800authentication timer reauthenticate 7200authentication violation replacemabno snmp trap link-statusdot1x pae authenticatordot1x timeout quiet-period 2dot1x timeout tx-period 3
MACAuthenticationbypassonly
Oneachinterface:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 29
switchport mode accessswitchport voice vlan 100dot1x mac-auth-bypassdot1x pae authenticatordot1x port-control autodot1x timeout tx-period 5dot1x reauthenticationauthentication periodicauthentication timer restart 10800authentication timer reauthenticate 7200authentication violation replacemabno snmp trap link-status
802.1Xonvariousmodelsof2960
TheresalotofdifferentversionsoftheCatalyst2960.Someofthemmaynotacceptthecommandstatedinthisguidefor802.1X.
WehavefoundacoupleofcommandsthatareworkinggreatorMAB:
Oneachinterface
switchport mode accessauthentication order mabauthentication port-control automabdot1x pae authenticator
But,asitisdifficultforustomaintainthewholelistofcommandstoconfigureeachandeverydifferentmodelof2960withdifferentIOS,pleaserefertoCiscodocumentationforveryspecificcases.
Port-SecurityGlobalconfigsettings
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
Chapter4
Copyright2017Inverseinc. Switchconfiguration 30
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
Webauth
TheCatalyst2960supportswebauthenticationfromIOS12.2.55SE3.ThisprocedurehasbeentestedonIOS15.0.2SE5.
Inthisexample,theACLthattriggerstheredirectiontotheportalforregistrationisregistration.
ConfiguretheglobalconfigurationoftheswitchusingthesectionMACAuthenticationbypassonlyofthe2960inthisdocument.
Thenaddthisadditionalconfigurationonthegloballevel
ip device trackingip http serverip http secure-serversnmp-server community public ROsnmp-server community private RW
Addtherequiredaccesslists
ip access-list extended registration deny ip any host permit tcp any any eq www permit tcp any any eq 443
Thenoneachcontrolledinterface
Chapter4
Copyright2017Inverseinc. Switchconfiguration 31
switchport access vlan switchport mode accessauthentication priority mabauthentication port-control autoauthentication periodicauthentication violation replacemabspanning-tree portfast
PacketFenceswitchconfiguration
SelectthetypetoCiscoCatalyst2960
SettheRegistrationroletoregistration(Ifleftemptythenitwillusetherolename)
SetRolebyWebAuthURLforregistrationtohttp:///Cisco::Catalyst_2960
TheURLcancontaindynamicparameters,liketheMACaddress($mac),theswitchIP($switch_ip),theusername($user_name).
ScreenshotsofthisconfigurationareavailableintheCiscoWLCsectionofthisguide.
DownloadableACLs
TheCatalyst2960supportsRADIUSpushedACLswhichmeans thatyoucandefine theACLscentrallyinPacketFencewithoutconfiguringtheminyourswitchesandtheirruleswillbeappliedtotheswitchduringtheauthentication.
TheseACLsaredefinedbyroleliketheVLANswhichmeansyoucandefinedifferentACLsforyourregistrationVLAN,productionVLAN,guestVLAN,etc.
Addthefollowingconfigurationsettingonthegloballevel
ip device tracking
ForIOS12.2,youneedtocreatethisaclandassignittotheswitchportinterface:
ip access-list extended Auth-Default-ACL permit udp any range bootps 65347 any range bootpc 65348 permit udp any any range bootps 65347 permit udp any any eq domain deny ip any any
interface GigabitEthernetx/y/z ... ip access-group Auth-Default-ACL in ...
Beforecontinuing,configureyourswitchtobeinMACauthenticationbypassor802.1X.
NowinthePacketFenceinterfacegointheswitchconfigurationandintheRolestab.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 32
CheckRolebyaccesslistandyoushouldnowbeabletoconfiguretheaccesslistsasbelow.
ForexampleifyouwanttheusersthatareintheregistrationVLANtoonlyuseHTTP,HTTPS,DNSandDHCPyoucanconfigurethisACLintheregistrationcategory.
Nowifforexample,yournormalusersareplacedinthedefaultcategoryandyourguestsintheguestcategory.
Ifforexamplethedefaultcategoryusesthenetwork192.168.5.0/24andyourguestnetworkusesthenetwork192.168.10.0/24.
Youcanpreventcommunicationsbetweenbothnetworksusingtheseaccesslists
Chapter4
Copyright2017Inverseinc. Switchconfiguration 33
Youcouldalsoonlypreventyourguestusersfromusingshareddirectories
Chapter4
Copyright2017Inverseinc. Switchconfiguration 34
OralsoyoucouldrestrictyouruserstouseonlyyourDNSserverwhere192.168.5.2isyourDNSserver
Chapter4
Copyright2017Inverseinc. Switchconfiguration 35
WebauthandDownloadableACLsItspossibletomixwebauthenticationanddownloadableACLsstartingfromversion12.2oftheIOS,eachrolescanbeconfiguredtoforwardthedevicetothecaptiveportalforanhttporanhttpsandonlyallowspecifictrafficwiththeACL.Todothat,youneedtoconfigurePacketFencewithRolebyWebAuthURLandwithRolebyaccesslist(Foreachroleyouneed).OntheswitchyouneedtochangetheAuth-Default-ACLtoaddtheportalIPaddress:
ForIOS12.2:
ip access-list extended Auth-Default-ACL permit udp any range bootps 65347 any range bootpc 65348 permit udp any any range bootps 65347 permit ip any host ip_of_the_captive_portal permit udp any any eq domain deny ip any any
AndassignthisACLontheswitchportyowanttodoACLperport.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 36
interface GigabitEthernetx/y/z ... ip access-group Auth-Default-ACL in ...
ForIOS15.0:
Extended IP access list Auth-Default-ACL 10 permit udp any range bootps 65347 any range bootpc 65348 20 permit udp any any range bootps 65347 30 deny ip any any
conf tip access-list extend Auth-Default-ACL21 permit ip any host ip_of_the_captive_portal
ForIOS15.2:
Extended IP access list Auth-Default-ACL 10 permit udp any any eq domain 20 permit tcp any any eq domain 30 permit udp any eq bootps any 40 permit udp any any eq bootpc 50 permit udp any eq bootpc any 60 deny ip any any
conf tip access-list extend Auth-Default-ACL51 permit ip any host ip_of_the_captive_portal
Stacked29xx,Stacked35xx,Stacked3750,4500Series,6500SeriesThe4500Seriesandallthestackedswitchesworkexactlythesamewayasiftheywerenotstackedsotheconfigurationisthesame:theysupportport-securitywithstaticMACaddressandallowustosecureaMAConthedataVLANsoweenableitwhetherthereisVoIPornot.
WeneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhenanewMACappearsonaport.
Globalconfigsettings
snmp-server community public ROsnmp-server community private RWsnmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 37
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
OneachinterfacewithVoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses(0200.000x.xxxx):
Fa1/0/1Fa1/0/481000110048
Gi1/0/1Gi1/0/481010110148
Fa2/0/1Fa2/0/481050110548
Gi2/0/1Gi2/0/481060110648
Fa3/0/1Fa3/0/481100111048
Gi3/0/1Gi3/0/481110111148
Fa4/0/1Fa4/0/481150111548
Gi4/0/1Gi4/0/481160111648
IOSXESwitchesPacketFence supports the IOS XE switches in MAC Authentication Bypass, 802.1X and webauthentication.
MACAuthenticationBypassGlobalconfigsettings:
dot1x system-auth-control
Chapter4
Copyright2017Inverseinc. Switchconfiguration 38
Oneachinterface:
authentication host-mode multi-domainauthentication order mabauthentication priority mabauthentication port-control autoauthentication periodicauthentication timer restart 10800authentication timer reauthenticate 10800authentication violation replacemabno snmp trap link-statusdot1x pae authenticatordot1x timeout quiet-period 2dot1x timeout tx-period 3
AAAgroupsandconfiguration:
aaa new-modelaaa group server radius packetfence server 192.168.1.5 auth-port 1812 acct-port 1813aaa authentication login default localaaa authentication dot1x default group packetfenceaaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecretradius-server vsa send authentication
CoAconfiguration:
aaa server radius dynamic-author client 192.168.1.5 server-key useStrongerSecretport 3799
ActivateSNMPontheswitch:
snmp-server community public RO
802.1XonlyFollowthesameconfigurationasforMACAuthenticationBypassbutchangetheauthenticationprioritylinewiththefollowing:
authentication priority dot1x
802.1XwithMACAuthenticationfallbackFollowthesameconfigurationasforMACAuthenticationBypassbutchangetheauthenticationprioritylinewiththefollowing:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 39
authentication priority dot1x mab
Webauth
WebauthrequiresatleastMACAuthenticationBypasstobeactivatedontheswitchportbutcanalsoworkwith802.1X.Configureyourswitchportsasyouwouldusuallydo,thenaddthefollowingaccesslists.
ip access-list extended redirect deny ip any host 192.168.1.5 deny udp any any eq domain deny tcp any any eq domain deny udp any any eq bootpc deny udp any any eq bootps permit tcp any any eq www permit tcp any any eq 443ip access-list extended registered permit ip any any
Globalconfigsettings:
ip device tracking
PacketFenceswitchconfiguration:
SelectthetypetoCiscoCatalyst2960
SettheRegistrationroletoregistration(Ifleftemptythenitwillusetherolename)
SetRolebyWebAuthURLforregistrationtohttp:///Cisco::Catalyst_2960
TheURLcancontaindynamicparameters,liketheMACaddress($mac),theswitchIP($switch_ip),theusername($user_name).
ScreenshotsofthisconfigurationareavailableintheCiscoWLCsectionofthisguide.
Note
AAAauthentication isslowtocomeupafterareloadofthe IOSXEswitches.Thismakestherecoveryfromarebootlongertocomplete.ThisisduetoabuginIOSXE.Aworkaroundistoexecutethefollowingcommandno aaa accounting system defaultstart-stop group tacacs+.
IdentityNetworkingPolicy
Starting from version 15.2(1)E (IOS) and 3.4.0E (IOSXE) , Cisco introduced the Identity BasedNetworkingServices.Itmeansthatyoucancreateanauthenticationworkflowontheswitchandcreateinterfacestemplates.
Toenableit:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 40
authentication display new-style
Globalconfigsettings:
dot1x system-auth-control
AAAgroupsandconfiguration:
aaa new-modelaaa group server radius packetfence server name packetfence!aaa authentication login default localaaa authentication dot1x default group packetfenceaaa authorization network default group packetfenceradius-server vsa send authentication
RADIUSserverconfiguration:
radius-server dead-criteria time 5 tries 4radius-server deadtime 1radius server packetfence address ipv4 192.168.1.5 auth-port 1812 acct-port 1813 key useStrongerSecret automate-tester username cisco ignore-acct-port idle-time 1
CoAconfiguration:
aaa server radius dynamic-author client 192.168.1.5 server-key useStrongerSecretport 3799
EnableSNMPontheswitch:
snmp-server community public RO
EnableHTTPandHTTPSserver:
ip http serverip http secure-server
EnableIPdevicetracking:
ip device tracking
FallbackACL:
ip access-list extended ACL-CRITICAL-V4 permit ip any any
Chapter4
Copyright2017Inverseinc. Switchconfiguration 41
ServiceTemplate:
service-template DEFAULT_LINKSEC_POLICY_MUST_SECUREservice-template DEFAULT_LINKSEC_POLICY_SHOULD_SECUREservice-template DEFAULT_CRITICAL_VOICE_TEMPLATE voice vlanservice-template CRITICAL_AUTH_VLANservice-template CRITICAL-ACCESS description *Fallback Policy on AAA Fail* access-group ACL-CRITICAL-V4!
Classmap:
class-map type control subscriber match-any IN_CRITICAL_AUTHmatch activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATEmatch activated-service-template CRITICAL_AUTH_VLANmatch activated-service-template CRITICAL-ACCESS!class-map type control subscriber match-none NOT_IN_CRITICAL_AUTHmatch activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATEmatch activated-service-template CRITICAL_AUTH_VLANmatch activated-service-template CRITICAL-ACCESS!class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOSTmatch result-type aaa-timeoutmatch authorization-status unauthorized!class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOSTmatch result-type aaa-timeoutmatch authorization-status authorized!class-map type control subscriber match-all DOT1X_NO_RESPmatch method dot1xmatch result-type method dot1x agent-not-found!class-map type control subscriber match-all MAB_FAILEDmatch method mabmatch result-type method mab authoritative!class-map type control subscriber match-all DOT1X_FAILEDmatch method dot1xmatch result-type method dot1x authoritative
Policymap:
On the 3 following configurations if the RADIUS server is down then we will applyCRITICAL_AUTH_VLAN,DEFAULT_CRITICAL_VOICE_TEMPLATEandCRITICAL-ACCESSservicetemplate. If theRADIUS server goes up then it reinitializes the authentication if the port is inIN_CRITICAL_VLAN.
for802.1XwithMACAuthenticationfallback:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 42
policy-map type control subscriber DOT1X_MAB event session-started match-all 10 class always do-until-failure 10 authenticate using dot1x priority 10 event authentication-failure match-first 5 class DOT1X_FAILED do-until-failure 10 terminate dot1x 20 authenticate using mab priority 20 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 authorize 50 pause reauthentication 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 pause reauthentication 50 authorize 30 class DOT1X_NO_RESP do-until-failure 10 terminate dot1x 20 authenticate using mab priority 20 40 class MAB_FAILED do-until-failure 10 terminate mab 20 authentication-restart 10800 60 class always do-until-failure 10 terminate dot1x 20 terminate mab 30 authentication-restart 10800 event agent-found match-all 10 class always do-until-failure 10 terminate mab 20 authenticate using dot1x priority 10 event aaa-available match-all 10 class IN_CRITICAL_AUTH do-until-failure 10 clear-session 20 class NOT_IN_CRITICAL_AUTH do-until-failure 10 resume reauthentication event inactivity-timeout match-all 10 class always do-until-failure 10 clear-session event authentication-success match-all 10 class always do-until-failure 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE event violation match-all 10 class always do-all 10 replace
forMACAuthenticationonly:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 43
policy-map type control subscriber MACAUTH event session-started match-all 10 class always do-until-failure 10 authenticate using mab priority 10 event authentication-failure match-first 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 authorize 50 pause reauthentication 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 pause reauthentication 50 authorize 30 class always do-until-failure 10 terminate mab 20 authentication-restart 30 event aaa-available match-all 10 class IN_CRITICAL_AUTH do-until-failure 10 clear-session 20 class NOT_IN_CRITICAL_AUTH do-until-failure 10 resume reauthentication event inactivity-timeout match-all 10 class always do-until-failure 10 clear-session event authentication-success match-all 10 class always do-until-failure 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
for802.1Xonly:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 44
policy-map type control subscriber DOT1X event session-started match-all 10 class always do-until-failure 10 authenticate using dot1x priority 10 event authentication-failure match-first 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 authorize 50 pause reauthentication 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure 10 activate service-template CRITICAL_AUTH_VLAN 20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE 30 activate service-template CRITICAL-ACCESS 40 pause reauthentication 50 authorize 30 class DOT1X_FAILED do-until-failure 10 terminate dot1x 40 class DOT1X_NO_RESP do-until-failure 10 terminate dot1x 60 class always do-until-failure 10 terminate dot1x 20 authentication-restart 10800 event agent-found match-all 10 class always do-until-failure 10 authenticate using dot1x priority 10 event aaa-available match-all 10 class IN_CRITICAL_AUTH do-until-failure 10 clear-session 20 class NOT_IN_CRITICAL_AUTH do-until-failure 10 resume reauthentication event inactivity-timeout match-all 10 class always do-until-failure 10 clear-session event authentication-success match-all 10 class always do-until-failure 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
InterfaceTemplate(802.1XMACAuthentication):
Chapter4
Copyright2017Inverseinc. Switchconfiguration 45
template identity-template-mab dot1x pae authenticator spanning-tree portfast edge switchport access vlan 1 switchport mode access switchport voice vlan 100 mab access-session host-mode multi-domain access-session control-direction in access-session closed access-session port-control auto authentication periodic authentication timer reauthenticate server service-policy type control subscriber DOT1X_MAB
InterfaceTemplate(MACAuthentication):
template identity-template-macauth dot1x pae authenticator spanning-tree portfast edge switchport access vlan 1 switchport mode access switchport voice vlan 100 mab access-session host-mode single-host access-session control-direction in access-session closed access-session port-control auto authentication periodic authentication timer reauthenticate server service-policy type control subscriber MACAUTH
InterfaceTemplate(802.1X):
template identity-template-dot1x dot1x pae authenticator spanning-tree portfast edge switchport access vlan 1 switchport mode access switchport voice vlan 100 mab access-session host-mode single-host access-session control-direction in access-session closed access-session port-control auto authentication periodic authentication timer reauthenticate server service-policy type control subscriber DOT1X
Oneachinterfacefor802.1XwithMACAuthentication:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 46
source template identity-template-mabdot1x timeout tx-period 5
OneachinterfaceforMACAuthentication:
source template identity-template-macauth
Oneachinterfacefor802.1X:
source template identity-template-dot1xdot1x timeout tx-period 5
Toseewhatisthestatusofaportletsrun:
sh access-session interface fastEthernet 0/2 details Interface: FastEthernet0/2 MAC Address: 101f.74b2.f6a5 IPv6 Address: Unknown IPv4 Address: 172.20.20.49 User-Name: ACME\bob Status: Authorized Domain: DATA Oper host mode: multi-domain Oper control dir: in Session timeout: 12380s (server), Remaining: 12206s Timeout action: Terminate Common Session ID: AC1487290000000C000F8B7A Acct Session ID: Unknown Handle: 0x9C000001 Current Policy: DOT1X_MAB
Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies: Vlan Group: Vlan: 20 Idle timeout: 30 sec
Method status list: Method State
dot1x Authc Success
Debugcommand:
InordertobeabletodebugtheIdentityNetworkingPolicyyoucanlaunchthefollowingcommandintheswitchcli:
term mondebug pre all
Chapter4
Copyright2017Inverseinc. Switchconfiguration 47
DHCPOption82InordertoenabletheDHCPOption82,youneedtoaddthefollowingparameters.Letssayyouwanttoenableitforthevlan1to1024:
ip dhcp snoopingip dhcp snooping vlan 1-1024
Onuplinkinterfaces:
ip dhcp snooping trust
RouterISR1800SeriesPacketFencesupportsthe1800seriesRouterwithlinkUp/linkDowntraps.Itcannotdoanythingabouttherouterinterfaces(ie:fa0andfa1ona1811).VLANinterfacesifIndexshouldalsobemarkedasuplinks inthePacketFenceswitchconfigurationastheygeneratetrapsbutareofnointeresttoPacketFence(layer3).
Globalconfigsettings:
snmp-server enable traps snmp linkdown linkupsnmp-server host 192.168.1.5 trap version 2c public
Oneachinterface:
switchport mode accessswitchport access vlan 4
D-Link
PacketFencesupportsD-LinkswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
MACNotification
WerecommendtoenablelinkUp/linkDownandMACnotificationtogether.
Dontforgettoupdatethestartupconfig!
DES3526/3550Globalconfigsettings
To be contributed...
Oneachinterface:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 48
To be contributed...
DGS3100/3200EnableMACnotification:
enable mac_notificationconfig mac_notification interval 1 historysize 1config mac_notification ports 1:1-1:24 enable
Enablelinkup/linkdownnotification:
enable snmp trapsenable snmp linkchange_traps
AddSNMPhost:
create snmp host 192.168.1.5 v2c public
EnableMACbaseaccesscontrol:
enable mac_based_access_controlconfig mac_based_access_control authorization attributes radius enable local disableconfig mac_based_access_control method radiusconfig mac_based_access_control password useStrongerSecretconfig mac_based_access_control password_type manual_stringconfig mac_based_access_control max_users no_limitconfig mac_based_access_control trap state enableconfig mac_based_access_control log state enable
Oneachinterface:
config mac_based_access_control ports 1:1 state enableconfig mac_based_access_control ports 1:1 max_users 128config mac_based_access_control ports 1:1 aging_time 1440config mac_based_access_control ports 1:1 block_time 300config mac_based_access_control ports 1:1 mode host_based
Dell
Force10PacketFencesupportsthisswitchusingRADIUS,MAC-Authenticationand802.1X.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 49
Globalconfigsettings
radius-server host 192.168.1.5 key s3cr3t auth-port 1812
MABinterfaceconfiguration:
interface GigabitEthernet 0/1 no ip address switchport dot1x authentication dot1x mac-auth-bypass dot1x auth-type mab-only no shutdown
802.1Xinterfaceconfiguration:
interface GigabitEthernet 0/1 no ip address switchport dot1x authentication no shutdown
PowerConnect3424PacketFencesupportsthisswitchusinglinkUp/linkDowntraps.
Globalconfigsettings
To be contributed...
Oneachinterface:
To be contributed...
EdgecorE
PacketFencesupportsEdge-corEswitcheswithoutVoIPusinglinkUp/linkDowntraps.
PacketFencealsosupportsMACauthenticationontheEdge-corE4510
3526XAand3528MGlobalconfigsettings
Chapter4
Copyright2017Inverseinc. Switchconfiguration 50
SNMP-server host 192.168.1.5 public version 2c udp-port 162
4510
Basicconfiguration
network-access agingsnmp-server community private rwsnmp-server community public rw
radius-server 1 host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 5 retransmit 2 key useStrongerSecretradius-server key useStrongerSecret
Oneachcontrolledinterface
interface ethernet 1/8 switchport allowed vlan add untagged network-access max-mac-count 1 network-access mode mac-authentication!
Enterasys
PacketFencesupportsEnterasysswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
MACLocking(PortSecuritywithstaticMACs)
WerecommendtoenableMAClockingonly.
Dontforgettoupdatethestartupconfig!
MatrixN3linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.Also,bydefaultthisswitchdoesntdoanelectricallow-levellinkDownwhensettingtheporttoadmindown.Soweneedtoactivateaglobaloptioncalledforcelinkdowntoenablethisbehavior.Withoutthisoption,clientsdontunderstandthattheylosttheirconnectionandtheyneverdoanewDHCPonVLANchange.
Globalconfigsettings
Chapter4
Copyright2017Inverseinc. Switchconfiguration 51
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2cset snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enableset forcelinkdown enable
Oneachinterface:
set port trap ge.1.xx disableset maclock enable ge.1.xxset maclock static ge.1.xx 1set maclock firstarrival ge.1.xx 0set maclock trap ge.1.xx enable
wherexxstandsfortheinterfaceindex.
SecureStackC2linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Globalconfigsettings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2cset snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
Oneachinterface:
set port trap fe.1.xx disableset maclock enable fe.1.xxset maclock static fe.1.xx 1set maclock firstarrival fe.1.xx 0
wherexxstandsfortheinterfaceindex
SecureStackC3ThisswitchhastheparticularfeatureofallowingmorethanoneuntaggedegressVLANperport.ThismeansthatyoumustaddalltheVLANcreatedforPacketFenceasuntaggedegressVLANontherelevantinterfaces.ThisiswhythereisaVLANcommandoneachinterfacebelow.
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Globalconfigsettings
Chapter4
Copyright2017Inverseinc. Switchconfiguration 52
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2cset snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
Oneachinterface:
set vlan egress 1,2,3 ge.1.xx untaggedset port trap ge.1.xx disableset maclock enable ge.1.xxset maclock static ge.1.xx 1set maclock firstarrival ge.1.xx 0set maclock trap ge.1.xx enable
wherexxstandsfortheinterfaceindex
StandaloneD2linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Caution
ThisswitchSwitchacceptsmultipleuntaggedVLANperportwhenconfiguredthroughSNMP.ThisisproblematicbecauseonsomeoccasionstheuntaggedVLANportlistcanbecomeinconsistentwiththeswitchsrunningconfig.Tofixthat,clearalluntaggedVLANsofaporteveniftheCLI interfacedoesntshowthem.Todoso,use:clearvlan egress
Globalconfigsettings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2cset snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
Oneachinterface:
set port trap ge.1.xx disableset maclock enable ge.1.xxset maclock static ge.1.xx 1set maclock firstarrival ge.1.xx 0set maclock trap ge.1.xx enable
wherexxstandsfortheinterfaceindex
Chapter4
Copyright2017Inverseinc. Switchconfiguration 53
ExtremeNetworks
PacketFencesupportsExtremeNetworksswitchesusing:
linkUp/linkDown
MACAddressLockdown(PortSecurity)
Netlogin-MACAuthentication
Netlogin-802.1X
Dontforgettosavetheconfiguration!
AllExtremeXOSbasedswitchesInadditiontotheSNMPandVLANssettings,thisswitchneedstheWebServicestobeenabledandanadministrativeusernameandpasswordprovidedinitsPacketFenceconfigurationforWebServices.
MACAddressLockdown(Port-Security)linkUp/linkDown traps are enabled by default so we disable them and enable MAC AddressLockdownonly.
GlobalconfigsettingswithoutVoiceoverIP(VoIP):
enable snmp accessconfigure snmp add trapreceiver 192.168.1.5 community publicenable web httpconfigure vlan "Default" delete ports configure vlan registration add ports untaggedconfigure ports vlan registration lock-learningdisable snmp traps port-up-down ports
whereareportsyouwanttosecure.Itcanbeanindividualportoraport-rangewithadash.
GlobalconfigsettingswithVoiceoverIP(VoIP):
enable snmp accessconfigure snmp add trapreceiver 192.168.1.5 community publicenable web httpconfigure vlan "Default" delete ports configure vlan registration add ports untaggedconfigure vlan voice add ports taggedconfigure ports vlan registration lock-learningconfigure ports vlan voice limit-learning 1disable snmp traps port-up-down ports
Chapter4
Copyright2017Inverseinc. Switchconfiguration 54
whereareportsyouwanttosecure.Itcanbeanindividualportoraport-rangewithadash.
MACAuthentication
AAAConfiguration
configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr VR-Defaultconfigure radius netlogin primary shared-secret 12345enable radius netlogin
Netlogin(MACAuthentication)
configure netlogin vlan tempenable netlogin macconfigure netlogin add mac-list defaultconfigure netlogin dynamic-vlan enableconfigure netlogin dynamic-vlan uplink-ports 50configure netlogin mac authentication database-order radiusenable netlogin ports 1-48 macconfigure netlogin ports 1-48 mode port-based-vlansconfigure netlogin ports 1-48 no-restart
802.1X
AAAConfiguration
configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr VR-Defaultconfigure radius netlogin primary shared-secret 12345enable radius netlogin
Netlogin(802.1X)
configure netlogin vlan tempenable netlogin dot1xconfigure netlogin dynamic-vlan enableconfigure netlogin dynamic-vlan uplink-ports 50enable netlogin ports 1-48 dot1xconfigure netlogin ports 1-48 mode port-based-vlansconfigure netlogin ports 1-48 no-restart
Note
YoucanmixtheMACAuthenticationand802.1Xonthesameswitchport.Ifthedevicefails802.1Xauthentication,itwillrollbacktotheMACAuthentication.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 55
Foundry
FastIron4802PacketFencesupportthisswitchwithoptionalVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
WerecommendtoenablePortSecurityonly.
Dontforgettoupdatethestartupconfig!
Thoseswitchessupportport-securitywithstaticMACaddressandallowustosecureaMAConthedataVLANsoweenableitwhetherthereisVoIPornot.
WeneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhenanewMACappearsonaport.
Globalconfigsettings
snmp-server host 192.168.1.5 publicno snmp-server enable traps link-downno snmp-server enable traps link-up
OneachinterfacewithoutVoIP:
int eth xx port security enable maximum 1 secure 0200.0000.00xx 0 violation restrict
wherexxstandsfortheinterfaceifIndex.
WithVoIPalittlemoreworkneedstobeperformed.Insteadoftheno-VoIP,putinthefollowingconfig:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 56
conf tvlan untagged eth xxvlan tagged eth xx
int eth xx dual-mode port security maximum 2 secure 0200.00xx.xxxx secure 0200.01xx.xxxx violation restrict enable
wherexxxxxxstandsfortheinterfacenumber(filledwithzeros),withyourvoice-VLANnumberandwithyourmac-detectionVLANnumber.
Huawei
AC6605ControllerPacketFencesupportsthiscontrollerwiththefollowingtechnologies:
Wireless802.1X
WirelessMACAuthentication
Controllerconfiguration
SetupNTPserver:
system-view[AC] ntp-service unicast-server 208.69.56.110
Setuptheradiusserver(@IPofPacketFence)authentication+accounting:
Note
InthisconfigurationIwillusetheipaddressoftheVIPofPacketFence:192.168.1.2;RegistrationVLAN:145,IsolationVLAN:146
Chapter4
Copyright2017Inverseinc. Switchconfiguration 57
system-view[AC] radius-server template radius_packetfence[AC-radius-radius_packetfence] radius-server authentication 192.168.1.2 1812 weight 80[AC-radius-radius_packetfence] radius-server accounting 192.168.1.2 1813 weight 80[AC-radius-radius_packetfence] radius-server shared-key cipher s3cr3t[AC-radius-radius_packetfence] undo radius-server user-name domain-included[AC-radius-radius_packetfence] quit[AC] radius-server authorization 192.168.1.2 shared-key cipher s3cr3t server-group radius_packetfence[AC] aaa[AC-aaa] authentication-scheme radius_packetfence[AC-aaa-authen-radius_packetfence] authentication-mode radius[AC-aaa-authen-radius_packetfence] quit[AC-aaa] accounting-scheme radius_packetfence[AC-aaa-accounting-radius_packetfence] accounting-mode radius[AC-aaa-accounting-radius_packetfence] quit
[AC-aaa] domain your.domain.com[AC-aaa-domain-your.domain.com] authentication-scheme radius_packetfence[AC-aaa-domain-your.domain.com] accounting-scheme radius_packetfence[AC-aaa-domain-your.domain.com] radius-server radius_packetfence[AC-aaa-domain-your.domain.com] quit[AC-aaa] quit
CreateanSecuredot1xSSID
Activatethedotxglobally:
system-view[AC] dot1x enable
Createyoursecuredot1xssid:
ConfigureWLAN-ESS0interfaces:
[AC] interface Wlan-Ess 0[AC-Wlan-Ess0] port hybrid untagged vlan 145 to 146[AC-Wlan-Ess0] dot1x enable[AC-Wlan-Ess0] dot1x authentication-method eap[AC-Wlan-Ess0] permit-domain name your.domain.com[AC-Wlan-Ess0] force-domain name your.domain.com[AC-Wlan-Ess0] default-domain your.domain.com[AC-Wlan-Ess0] quit
ConfigureAPparameters:
ConfigureradiosforAPs:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 58
[AC] wlan[AC-wlan-view] wmm-profile name huawei-ap[AC-wlan-wmm-prof-huawei-ap] quit[AC-wlan-view] radio-profile name huawei-ap[AC-wlan-radio-prof-huawei-ap] radio-type 80211gn[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap[AC-wlan-radio-prof-huawei-ap] quit[AC-wlan-view] ap 1 radio 0[AC-wlan-radio-1/0] radio-profile name huawei-apWarning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]: y[AC-wlan-radio-1/0] quit
Configure a security profile named huawei-ap. Set the security policy toWPA authentication,authenticationmethodto802.1X+PEAP,andencryptionmodetoCCMP:
[AC-wlan-view] security-profile name huawei-ap-wpa2[AC-wlan-sec-prof-huawei-ap-wpa2] security-policy wpa2[AC-wlan-sec-prof-huawei-ap-wpa2] wpa-wpa2 authentication-method dot1x encryption-method ccmp[AC-wlan-sec-prof-huawei-ap-wpa2] quit
Configureatrafficprofile:
[AC-wlan-view] traffic-profile name huawei-ap[AC-wlan-wmm-traffic-huawei-ap] quit
ConfigureservicesetsforAPs,andsetthedataforwardingmodetodirectforwarding:
Thedirectforwardingmodeisusedbydefault.
[AC-wlan-view] service-set name PacketFence-dot1x[AC-wlan-service-set-PacketFence-dot1x] ssid PacketFence-Secure[AC-wlan-service-set-PacketFence-dot1x] wlan-ess 0[AC-wlan-service-set-PacketFence-dot1x] service-vlan 1[AC-wlan-service-set-PacketFence-dot1x] security-profile name huawei-ap-wpa2[AC-wlan-service-set-PacketFence-dot1x] traffic-profile name huawei-ap[AC-wlan-service-set-PacketFence-dot1x] forward-mode tunnel[AC-wlan-service-set-PacketFence-dot1x] quit
ConfigureVAPsanddeliverconfigurationstotheAPs:
[AC-wlan-view] ap 1 radio 0[AC-wlan-radio-1/0] service-set name PacketFence-dot1x[AC-wlan-radio-1/0] quit[AC-wlan-view] commit ap 1
CreateyourOpenssidActivatethemac-authglobally:
Chapter4
Copyright2017Inverseinc. Switchconfiguration 59
system-view[AC] mac-authen[AC] mac-authen username macaddress format with-hyphen[AC] mac-authen domain your.domain.com
CreateyourOpenssid:
ConfigureWLAN-ESS1interfaces:
[AC] interface Wlan-Ess 1[AC-Wlan-Ess1] port hybrid untagged vlan 145 to 146[AC-Wlan-Ess1] mac-authen[AC-Wlan-Ess1] mac-authen username macaddress format without-hyphen[AC-Wlan-Ess1] permit-domain name your.domain.com[AC-Wlan-Ess1] force-domain name your.domain.com[AC-Wlan-Ess1] default-domain your.domain.com[AC-Wlan-Ess1] quit
ConfigureAPparameters:
Configureasecurityprofilenamedhuawei-ap-wep.SetthesecuritypolicytoWEPauthentication.
[AC]wlan[AC-wlan-view] security-profile name huawei-ap-wep[AC-wlan-sec-prof-huawei-ap-wep] security-policy wep[AC-wlan-sec-prof-huawei-ap-wep] quit
ConfigureservicesetsforAPs,andsetthedataforwardingmodetodirectforwarding:
Thedirectforwardingmodeisusedbydefault.
[AC-wlan-view] service-set name PacketFence-WEP[AC-wlan-service-set-PacketFence-WEP] ssid PacketFence-Open[AC-wlan-service-set-PacketFence-WEP] wlan-ess 1[AC-wlan-service-set-PacketFence-WEP] service-vlan 1[AC-wlan-service-set-PacketFence-WEP] security-profile name huawei-ap-wep[AC-wlan-service-set-PacketFence-WEP] traffic-profile name huawei-ap (already created before)[AC-wlan-service-set-PacketFence-WEP] forward-mode tunnel[AC-wlan-service-set-PacketFence-WEP] quit
ConfigureVAPsanddeliverconfigurationstotheAPs:
[AC-wlan-view] ap 1 radio 0[AC-wlan-radio-1/0] service-set name PacketFence-WEP[AC-wlan-radio-1/0] quit[AC-wlan-view] commit ap 1
Chapter4
Copyright2017Inverseinc. Switchconfiguration 60
H3C
S5120SwitchseriesPacketFencesupportstheseswitcheswiththefollowingtechnologies:
802.1X(withorwithoutVoIP)
802.1XwithMACAuthenticationfallback(withorwithoutVoIP)
MACAuthentication(withorwithoutVoIP)
802.1XRADIUSschemecreation:
radius scheme packetfenceprimary authentication 192.168.1.5 1812 key useStrongerSecretprimary accounting 192.168.1.5 1813 key useStrongerSecretuser-name-format without-domain
ISP-Domaincreation:
domain packetfenceauthentication default radius-scheme packetfenceauthentication lan-access radius-scheme packetfenceauthorization lan-access radius-scheme packetfence
SNMPsettings:
snmp-agentsnmp-agent community read publicsnmp-agent community write privatesnmp-agent sys-info version v2c
Globalconfiguration:
port-security enabledot1x authentication-method eap
Globalconfiguration(withVoIP):
Addthefollowingtothepreviousglobalconfiguration.
undo voice vlan security enablelldp compliance cdp
Chapter4
Copyright2017Inverseinc. Switchconfiguration 61
Interfacesconfiguration:
port link-type hybridport hybrid vlan 5 untaggedport hybrid pvid vlan 5mac-vlan enablestp edged-port enableport-security max-mac-count 1port-security port-mode userlogin-secureport-security intrusion-mode blockmacdot1x re-authenticatedot1x max-user 1dot1x guest-vlan 5undo dot1x handshakedot1x mandatory-domain packetfenceundo dot1x multicast-trigger
Interfacesconfiguration(withVoIP):
Addthefollowingtothepreviousinterfacesconfiguration.
port hybrid vlan 100 taggedundo voice vlan mode autovoice vlan 100 enablelldp compliance admin-status cdp txrxport-security max-mac-count 3dot1x max-user 2
802.1XwithMACAuthenticationfallbackSinceusingMACAuthenticationasafallbackof802.1X,usetheprevious802.1Xconfigurationandaddthefollowings.
ThisconfigurationisthesamewithorwithoutVoIP.
Globalconfiguration:
mac-authentication domain packetfence
Interfacesconfiguration:
mac-authentication guest-vlan 5port-security port-mode userlogin-secure-or-mac
MACAuthenticationRADIUSschemecreation:
radius scheme packetfenceprimary authentication 192.168.1.5 1812 key useStrongerSecretprimary accounting 192.168.1.5 1813 key useStrongerSecretuser-name-format without-domain
Chapter4
Copyright2017Inverseinc. Switchconfiguration 62
ISP-Domaincreation:
domain packetfenceauthentication default radius-scheme packetfenceauthentication lan-access radius-scheme packetfenceauthorization lan-access radius-scheme packetfence
SNMPsettings:
snmp-agentsnmp-agent community read publicsnmp-agent community write privatesnmp-agent sys-info version v2c
Globalconfiguration:
port-security enablemac-authentication domain packetfence
Globalconfiguration(withVoIP):
Addthefollowingtothepreviousglobalconfiguration.
undo voice vlan security enablelldp compliance cdp
Interfacesconfiguration:
port link-type hybridport hybrid vlan 5 untaggedport hybrid pvid vlan 5mac-vlan enablestp edged-port enablemac-authentication guest-vlan 5port-security max-mac-count 1port-security port-mode mac-authenticationport-security intrusion-mode blockmac
Interfacesconfiguration(withVoIP):
Addthefollowingtothepreviousinterfacesconfiguration.
port hybrid vlan 100 taggedundo voice vlan mode autovoice vlan 100 enablelldp compliance admin-status cdp txrxport-security max-mac-count 3
Chapter4
Copyright2017Inverseinc. Switchconfiguration 63
HP
E4800GandE5500GSwitchseriesThesearere-branded3Comswitches,seeunderthe3Comsectionfortheirdocumentation.
HPProCurve
PacketFencesupportsProCurveswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
WerecommendtoenablePortSecurityonly.
Dontforgettoupdatethestartupconfig!
NoteHPProCurveonlysendsonesecuritytraptoPacketFencepersecurityviolationsomakesurePacketFencerunswhenyouconfigureport-security.Also,becauseoftheabove limitation, it is consideredgoodpractice to reset the intrusion flagasa firsttroubleshootingstep.
If youwant to learnmore about intrusion flag and port-security, please refer to the ProCurvedocumentation.
CautionIfyouconfigureaswitchthatisalreadyinproductionbecarefulthatenablingport-securitycausesactiveMACaddressestobeautomaticallyaddedtotheintrusionlistwithoutasecuritytrapsenttoPacketFence.ThisisundesiredbecausePacketFencewillnotbenotifiedthatitneedstoconfiguretheport.Asawork-around,unplugclientsbeforeactivatingport-securityorremovethe intrusionflagafteryouenabledport-securitywith:port-security clear-intrusion-flag.
2500SerieslinkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenablePortSecurityonly.
On2500s,weneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhenanewMACappearsonaport.
Chapter4
Copyright2017Inverseinc. Switchconfiguration 64
Globalconfigsettings:
snmp-server community "public" Unrestrictedsnmp-server host 192.168.1.5 "public" Not-INFOno snmp-server enable traps link-change 1-26
Oneachinterface:
port-security xx learn-mode static action send-alarm mac-address 0200000000xx
wherexxstandsfortheinterfaceindex
CLIauthenticationYoucanusePacketFenceforRADIUSCLIauthenticationonthe2500Series.
Globalconfigsettings
radius-server host 192.168.1.5 key useStrongerSecretaaa authentication ssh login radius localaaa authentication telnet login radius local
Next, make sure you configure the switch in PacketFence accordingly as well as the properadministrativeaccess.RefertotheAdministrationGuideformoredetails.
2600Seriesand3400clSeriesPort-SecuritylinkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenablePortSecurityonly.
On2600s,wedontneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhenanewMACappearsonaport.
Globalconfigsettings
snmp-server community public manager unrestrictedsnmp-server host 192.168.1.5 "public" Not-INFOno snmp-server enable traps link-change 1-26
Oneachinterface:
port-security xx learn-mode configured action send-alarm
wherexxstandsfortheinterfaceindex
MACAuthentication(Firmware>11.72)InordertoenableRADIUSmacauthenticationontheports,youfirstneedtojointheportstoeithertheregistrationorthemacdetectionvlan(asasecuritymeasure).
Chapter4
Copyright2017Inverseinc. Switchconfiguration 65
Next,definetheRADIUSserverhost:
radius-server host 192.168.1.5 key useStrongerSecret
Next,wecreateaserver-groupthatpointstothePacketFenceserver,
aaa server-group radius "packetfence" host 192.168.1.5
ConfiguretheAAAauthenticationforMACauthenticationtousetherightserver-group:
aaa authentication mac-based chap-radius server-group "packetfence"
Optionally,youcanconfiguretheSSHandtelnetauthenticationtopointtoPacketFence(makesureyoualsofollowinstructionsintheAdministrationGuidetoactivatetheCLIaccess):
aaa authentication ssh login radius server-group packetfence localaaa authentication telnet login radius server-group packetfence local
Finally,enableMACauthenticationonallnecessaryports:
aaa port-access mac-based 1-24
Dontforgettopermitaddressmovesandthereauthperiod.xrepresentstheportindex:
aaa port-acces