Switch configuration to support AAA
This page describes the switch configuration commands needed to implement AAA (via ISE), profiling, monitoring and failover.
Each command line is followed by an explanation of what it does, with some extra detail and real-life switch output where useful.
=== Common commands for the whole switch ===
ip access-list extended ACL-ALLOW == for the purpose of a PoC we can allow all traffic;
permit ip any any
=====================================================================
If instead you want to allow only limited access (DHCP, DNS, ping, TFTP) before authentication, which is the Low-Impact ISE implementation mode, the ACL below is created and applied to the port with ip access-group PRE-AUTH in (in place of ACL-ALLOW). It lets only those packets through the switch port before authentication occurs. Note that the ACL is evaluated inbound on the access port, so it only ever sees packets the host itself sends; and the log keyword on the final deny punts every matching packet to the switch CPU, which is fine for a PoC but should be reconsidered in production:
ip access-list extended PRE-AUTH
L3-SWITCH(config-ext-nacl)# remark NTP
L3-SWITCH(config-ext-nacl)# permit udp any any eq 123
L3-SWITCH(config-ext-nacl)# remark DHCP
L3-SWITCH(config-ext-nacl)# permit udp any eq bootpc any eq bootps
L3-SWITCH(config-ext-nacl)# remark DNS
L3-SWITCH(config-ext-nacl)# permit udp any host 10.10.1.25 eq domain
L3-SWITCH(config-ext-nacl)# remark Ping
L3-SWITCH(config-ext-nacl)# permit icmp any any echo
L3-SWITCH(config-ext-nacl)# remark PHONE-TFTP
L3-SWITCH(config-ext-nacl)# permit udp any any eq tftp
L3-SWITCH(config-ext-nacl)# remark Stop – Drop – and Log
L3-SWITCH(config-ext-nacl)# deny ip any any log
L3-SWITCH(config-ext-nacl)# exit
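To see what the PRE-AUTH ACL actually lets a not-yet-authenticated host do, here is an added example (my code, not from the original page): a minimal evaluator for IOS extended ACLs that handles only the keywords this ACL uses (any/host, eq <port>, ICMP type names, log) with first-match semantics and the implicit deny. The port-name table and the sample packets are constructed for the demonstration; the 10.10.x.x addresses other than the DNS server come from nowhere on the page and are assumptions.

```python
# Added example (not from the original page): evaluate the PRE-AUTH ACL above
# against constructed packets. Only the ACL keywords that ACL uses are handled.
import ipaddress

PRE_AUTH_ACL = """
remark NTP
permit udp any any eq 123
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any host 10.10.1.25 eq domain
remark Ping
permit icmp any any echo
remark PHONE-TFTP
permit udp any any eq tftp
remark Stop - Drop - and Log
deny ip any any log
"""

# IOS port keywords used in the ACL, mapped to numeric UDP ports
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "ntp": 123}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard mask: invert every octet to get a netmask
    netmask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Turn the ACL text into an ordered list of access control entries (ACEs)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        ace = {"action": action, "proto": proto, "line": line}
        ace["src"] = _parse_addr(rest)
        ace["sport"] = _parse_port(rest)
        ace["dst"] = _parse_addr(rest)
        ace["dport"] = _parse_port(rest)
        ace["icmp_type"] = None
        if proto == "icmp" and rest and rest[0] in ICMP_TYPES:
            ace["icmp_type"] = ICMP_TYPES[rest.pop(0)]
        ace["log"] = "log" in rest
        aces.append(ace)
    return aces


def evaluate(aces, pkt):
    """Return (action, matching ACE text) for one packet; first match wins.

    pkt keys: proto, src, dst and, where relevant, sport, dport, icmp_type."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny"


# Constructed packets, as a host behind the port would send them before authenticating
SAMPLE_PACKETS = {
    "dhcp discover": {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67},
    "dns to corporate resolver": {"proto": "udp", "src": "10.10.5.20", "dst": "10.10.1.25", "sport": 51000, "dport": 53},
    "dns to public resolver": {"proto": "udp", "src": "10.10.5.20", "dst": "8.8.8.8", "sport": 51000, "dport": 53},
    "ping gateway": {"proto": "icmp", "src": "10.10.5.20", "dst": "10.10.1.1", "icmp_type": 8},
    "answer a ping": {"proto": "icmp", "src": "10.10.5.20", "dst": "10.10.1.1", "icmp_type": 0},
    "ssh to a server": {"proto": "tcp", "src": "10.10.5.20", "dst": "10.10.1.30", "sport": 51001, "dport": 22},
}


def check_pre_auth(packets=SAMPLE_PACKETS):
    """Map each sample packet name to the ACL verdict ('permit' or 'deny')."""
    aces = parse_acl(PRE_AUTH_ACL)
    return {name: evaluate(aces, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in check_pre_auth().items():
        print(f"{verdict:6} {name}")
```

Two results are worth noticing: DNS is only permitted to the one resolver named in the ACL, so a host pointing at a public resolver gets nothing until it authenticates, and because the ACL is inbound the host can send echo requests but its echo replies to anyone pinging it are dropped.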
=====================================================================
aaa new-model
== enables the AAA subsystem; the aaa commands below are only accepted once this is set
aaa authentication dot1x default group radius
== sets the default authentication method list for IEEE 802.1X to the server group containing all configured RADIUS hosts
aaa authorization network default group radius
== required for the switch to honor the authorization attributes ISE returns (dACL, VLAN and so on)
aaa accounting dot1x default start-stop group radius
== default accounting list: send start and stop records to the RADIUS server group without waiting for an acknowledgement before letting the session proceed
aaa server radius dynamic-author
== makes the switch accept RADIUS Change of Authorization (CoA) messages (RFC 3576, now RFC 5176) from the listed ISE nodes; ISE uses CoA to re-authenticate or terminate a session and to push profiling-driven policy changes
client <ISE1_IP_ADDRESS> server-key <RADIUS_KEY>
client <ISE2_IP_ADDRESS> server-key <RADIUS_KEY>
auth-type any
== accept a CoA request when any of the session-identification attributes it carries match an existing session
aaa session-id common
== use one common session ID across the authentication, authorization and accounting records of a session, so ISE can correlate them
ip dhcp snooping
== builds the DHCP snooping binding table (MAC, IP, VLAN, port) that IP device tracking and the dACL substitution below rely on; enable it for the access VLANs as well with ip dhcp snooping vlan <list>
ip device tracking
== among other things, this is what lets the switch substitute the source address "any" in a downloaded ACL (dACL) with the specific IP address of the host the dACL is intended for. Device tracking examines ARP (and DHCP) packets to map IP addresses to MACs, ports and VLANs and keeps the result in a table you can view with show ip device tracking all. Caveat: it keeps bindings fresh by ARP-probing hosts from source 0.0.0.0, which some Windows hosts report as a duplicate IP address; ip device tracking probe delay 10 is the usual fix
dot1x system-auth-control
== globally enables 802.1X (SysAuthControl); without it the per-interface dot1x commands have no effect
errdisable recovery cause security-violation
== automatically recover a port that was err-disabled because of an 802.1X/MAB security violation
errdisable recovery interval 30
== err-disable recovery interval in seconds (the default is 300)
=== Interface specific commands, must be applied to every interface where AAA is required ===
interface <INTERFACE>
ip access-group <ACL-ALLOW> in
== apply the pre-authentication ACL inbound on the port: ACL-ALLOW for Monitor mode, PRE-AUTH for Low-Impact mode
authentication event fail action next-method
== on a failed authentication, move on to the next method in the order list (a dot1x failure falls through to MAB)
authentication event server dead action authorize
== if no ISE server is reachable, authorize the data domain of the port (fail-open). Decide consciously whether that is acceptable; the variant authorize vlan <vlan-id> puts such hosts into a restricted VLAN instead
authentication event server dead action authorize voice
== if no ISE server is reachable, authorize the voice domain as well
authentication event server alive action reinitialize
== when a server comes back, reinitialize the clients that were authorized while it was dead
authentication host-mode multi-domain
== defines the host mode of the interface: single-host, multi-host, multi-auth or multi-domain. Multi-domain allows one data device and one voice device to authenticate on the same switch port.
authentication open
== allows all unauthenticated traffic to flow through the port; that traffic is still subject to the interface ACL. With ACL-ALLOW applied this is Monitor mode, with PRE-AUTH it is Low-Impact mode. In both cases a failed or missing authentication never blocks the port, so the protection is only as good as the pre-auth ACL.
authentication order dot1x mab
== the order in which the methods are tried: 802.1X first, then MAB
authentication priority dot1x mab
== which method wins when both apply: a host authorized by MAB that later starts sending EAPOL is re-authenticated with 802.1X, because dot1x has the higher priority
authentication port-control auto
== sets the port-control value to auto, so the port state follows the authentication result instead of being force-authorized or force-unauthorized
authentication periodic
== enable periodic re-authentication on the interface
authentication timer reauthenticate server
== let ISE control the re-authentication interval through the Session-Timeout attribute it returns
authentication violation replace
== on a security violation (a MAC beyond what the host mode allows) replace the existing session instead of err-disabling the port, which is the default action
mab
== enable MAC Authentication Bypass on the interface
dot1x pae authenticator
== sets the 802.1X role of the port to authenticator: it relays EAP between the supplicant and the RADIUS server
dot1x timeout tx-period 8
== seconds the switch waits for an EAPOL reply before resending the EAP-Request/Identity (default 30). A host with no supplicant is only handed to MAB after tx-period x (max-reauth-req + 1) seconds, so 8 with the default max-reauth-req of 2 means MAB starts after 24 s instead of 90 s
=== Global commands (continued) ===
ip radius source-interface <INTERFACE>
== the interface (typically a loopback or management SVI) whose address the switch uses as the source of its RADIUS traffic; this address must match the network device definition in ISE, otherwise ISE rejects the requests as coming from an unknown device
snmp-server community <SNMP_COMMUNITY> RO
== read-only community that ISE uses to poll the switch for profiling. SNMPv2c sends the community string in cleartext, so restrict it to the ISE nodes with an ACL (snmp-server community <SNMP_COMMUNITY> RO <acl-name>) or use SNMPv3
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
== enables MAC notification traps: change sends a trap when a MAC address is learned or removed, move when a MAC moves between ports, threshold when the MAC address table utilisation threshold is reached. The traps only fire if MAC notification itself is enabled (mac address-table notification change globally, snmp trap mac-notification change added on the ports)
snmp-server host <ISE1_IP_ADDRESS> version 2c <SNMP_COMMUNITY> mac-notification
== send the MAC notification traps to ISE for profiling
snmp-server host <ISE2_IP_ADDRESS> version 2c <SNMP_COMMUNITY> mac-notification
radius-server attribute 6 on-for-login-auth
== attribute 6 is Service-Type; include it in authentication requests (ISE uses it to tell MAB, 802.1X and device-administration logins apart)
radius-server attribute 8 include-in-access-req
== attribute 8 is Framed-IP-Address; include the host's IP address (learned by device tracking) in the Access-Request
radius-server attribute 25 access-request include
== attribute 25 is Class; include it in Access-Request packets
radius-server dead-criteria time 3 tries 2
== the criteria for marking a RADIUS server dead: time 3 is the number of seconds within which no valid response must have been received, tries 2 the number of consecutive unanswered requests. Pair this with radius-server deadtime <minutes>; without a deadtime the dead marking expires immediately and every request still tries the first server before failing over to the second ISE node
radius server <ISE1>
address ipv4 <ISE1_IP_ADDRESS> auth-port 1812 acct-port 1813
key <RADIUS_KEY>
radius server <ISE2>
address ipv4 <ISE2_IP_ADDRESS> auth-port 1812 acct-port 1813
key <RADIUS_KEY>
radius-server vsa send accounting
== include Cisco vendor-specific attributes in accounting records (this is how the device-sensor data below and the audit-session-id reach ISE)
radius-server vsa send authentication
== send and accept Cisco VSAs in authentication; without this the switch ignores the VSAs ISE uses to deliver its authorization result, such as the dACL name
device-sensor accounting
== include the device-sensor data (CDP, LLDP and DHCP options) as TLVs in RADIUS accounting, so ISE can profile the endpoint
device-sensor notify all-changes
== send an accounting update whenever any sensor TLV changes, not only when a new TLV appears (the default, new-tlvs)
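A practitioner rolling this out across many switches wants to verify that every access port really got the full command set, since a port missing authentication open or a switch missing radius-server vsa send authentication fails in ways that look like an ISE problem. The following is an added example (my code, not from the original page) that audits a saved show running-config against the commands listed on this page. The REQUIRED_* lists are copied from the commands above; the sample config is constructed for the demonstration and deliberately leaves things out; the parser assumes the usual IOS layout with interface sub-commands indented by one space and sections separated by "!". It also computes the MAB fallback time from the tx-period and max-reauth-req values it finds on each port.

```python
# Added example (not from the original page): audit a running-config for the
# AAA commands this page requires. SAMPLE_CONFIG is constructed for the demo.
import re

# Global commands taken from the page (the radius server stanzas and SNMP
# hosts carry site-specific values, so they are checked by hand, not here).
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "aaa session-id common",
    "ip dhcp snooping",
    "ip device tracking",
    "dot1x system-auth-control",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
]

# Per-port commands taken from the interface section of the page
REQUIRED_INTERFACE = [
    "authentication host-mode multi-domain",
    "authentication open",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication violation replace",
    "mab",
    "dot1x pae authenticator",
]

# Constructed running-config: one complete port, one half-configured port, one trunk,
# and two required global commands left out on purpose.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
ip dhcp snooping
dot1x system-auth-control
radius-server vsa send authentication
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 8
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""


def parse_config(text):
    """Split a running-config into the set of global lines and {interface: set(sub-commands)}."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" (or a blank line) ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line)
    return global_lines, interfaces


def missing_global(global_lines):
    """Required global commands that are absent, in the order the page lists them."""
    return [cmd for cmd in REQUIRED_GLOBAL if cmd not in global_lines]


def audit_interfaces(interfaces):
    """{access interface: [missing per-port commands]}; trunks and uplinks are skipped."""
    return {name: [cmd for cmd in REQUIRED_INTERFACE if cmd not in lines]
            for name, lines in interfaces.items() if "switchport mode access" in lines}


def mab_fallback_seconds(lines):
    """Seconds a host without a supplicant waits before MAB starts:
    tx-period x (max-reauth-req + 1), with the IOS defaults of 30 s and 2."""
    tx_period, max_reauth = 30, 2
    for line in lines:
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            tx_period = int(m.group(1))
        if m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            max_reauth = int(m.group(1))
    return tx_period * (max_reauth + 1)


def audit(text=SAMPLE_CONFIG):
    """Full report: missing global commands, per-port gaps, and MAB fallback time per port."""
    global_lines, interfaces = parse_config(text)
    ports = audit_interfaces(interfaces)
    return {
        "missing_global": missing_global(global_lines),
        "interfaces": ports,
        "mab_fallback": {name: mab_fallback_seconds(interfaces[name]) for name in ports},
    }


if __name__ == "__main__":
    report = audit()
    print("missing global:", report["missing_global"])
    for name, gaps in report["interfaces"].items():
        print(f"{name}: {len(gaps)} missing, MAB after {report['mab_fallback'][name]} s", gaps)
```

Feed it the output of show running-config from each switch (audit(open(path).read())) and the half-configured port above shows up with eight gaps and a 90 s MAB fallback, while the fully configured port reports none and 24 s, which is the point of the tx-period 8 setting.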
These are all the commands you need to set up AAA on the switch.
There is some preparation work to do on ISE, which we will cover later.
For easy reading and copy-paste, here are just the commands:
ip access-list extended ACL-ALLOW
permit ip any any
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client <ISE1_IP_ADDRESS> server-key <RADIUS_KEY>
client <ISE2_IP_ADDRESS> server-key <RADIUS_KEY>
auth-type any
aaa session-id common
ip dhcp snooping
ip device tracking
dot1x system-auth-control
errdisable recovery cause security-violation
errdisable recovery interval 30
ip radius source-interface <INTERFACE>
snmp-server community <SNMP_COMMUNITY> RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host <ISE1_IP_ADDRESS> version 2c <SNMP_COMMUNITY> mac-notification
snmp-server host <ISE2_IP_ADDRESS> version 2c <SNMP_COMMUNITY> mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 3 tries 2
radius server <ISE1>
address ipv4 <ISE1_IP_ADDRESS> auth-port 1812 acct-port 1813
key <RADIUS_KEY>
radius server <ISE2>
address ipv4 <ISE2_IP_ADDRESS> auth-port 1812 acct-port 1813
key <RADIUS_KEY>
radius-server vsa send accounting
radius-server vsa send authentication
device-sensor accounting
device-sensor notify all-changes
=== Interface specific commands ===
interface <INTERFACE>
ip access-group <ACL-ALLOW> in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 8