CCIE Security lab: A little AAA, a little MAB and a lot of patience


I had a little bit of time today, between dropping the kids off at nursery and picking the wife up from the airport, so I thought I'd have a little play with my new 3750-X switch, which arrived yesterday. It's the biggest expense so far in this study, and cost £899, so I really hope it's suitable for the CCIE Security!

It came with IOS 12.2, so the first thing to do is to upgrade to a newer version.
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
3750X#
Once I had added the commands for "ip ftp username" and "ip ftp password", I was able to load the tar file from FTP:
3750X#archive download-sw /overwrite /reload ftp://192.168.1.76/c3750e-universalk9-tar.150-2-SE8.tar
The upgrade process takes a while, probably about 20-30 mins, but once it's done, we have a much newer version:
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE8, RELEASE SOFTWARE (fc1)
3750X#
I also bumped up the license, using the Right To Use method:
3750X#show license
Index 1 Feature: ipservices
        Period left: Life time
        License Type: PermanentRightToUse
        License State: Active, In Use
        License Priority: High
        License Count: Non-Counted

Index 2 Feature: ipbase
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium
        License Count: Non-Counted

Index 3 Feature: lanbase
        Period left: 0  minute  0  second

3750X#
The next part was to make sure that I had access to the commands I would be needing later on, so, let's have a look for "mab", "authentication" and "dot1x" under the interface commands:
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions

3750X(config-if)#auth
3750X(config-if)#auth?
% Unrecognized command
3750X(config-if)#mab
                   ^
% Invalid input detected at '^' marker.

3750X(config-if)#exi
Nothing there. Let's start by enabling "aaa new-model". This enables the more granular functions of AAA, and is exactly what we are looking for. Does this help now?
3750X(config)#aaa new-model
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel-group           Etherchannel/port bundling configuration
  channel-protocol        Select the channel protocol (LACP, PAgP)
  crypto                  Encryption/Decryption commands
  cts                     Configure Cisco Trusted Security
  dampening               Enable event dampening
  datalink                Interface Datalink commands
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  down-when-looped        Force looped interface down
  duplex                  Configure duplex operation.
  eou                     EAPoUDP Interface Configuration Commands
  exit                    Exit from interface configuration mode

3750X(config-if)#exi
Nothing yet. We have not done with global configuration mode yet. We need to specify a few AAA commands:
3750X(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

3750X(config)#aaa authentication dot default group radius
3750X(config)#aaa authorization network default group radius
3750X(config)#aaa accounting dot1x default start-stop group radius
3750X(config)#
Now can we see the commands?
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel-group           Etherchannel/port bundling configuration
  channel-protocol        Select the channel protocol (LACP, PAgP)
  crypto                  Encryption/Decryption commands
  cts                     Configure Cisco Trusted Security
  dampening               Enable event dampening
  datalink                Interface Datalink commands
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  down-when-looped        Force looped interface down
  duplex                  Configure duplex operation.
  eou                     EAPoUDP Interface Configuration Commands
  exit                    Exit from interface configuration mode
Not yet. Remember by default the switch port will be in trunk mode, and for AAA to work in the manner we want it to, we need it to be an access port:
3750X(config-if)#switchport access vlan9
% Access VLAN does not exist. Creating vlan 9
3750X(config-if)#switchport mode access
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  authentication          Auth Manager Interface Configuration Commands
  auto                    Configure Automation
  ...
  description             Interface specific description
  dot1x                   Interface Config Commands for IEEE 802.1X
  down-when-looped        Force looped interface down
  ...
  logging                 Configure logging for interface
  mab                     MAC Authentication Bypass Interface Config Commands
  mac                     MAC interface commands
  macro                   Command macro
  macsec                  Enable macsec on the interface
  ...
 
3750X(config-if)#
Great, now we can see the authentication, dot1x and mab commands! Let's set it up:
3750X(config-if)#authentication ?
  control-direction  Set the control-direction on the interface
  event              Set action for authentication events
  fallback           Enable the Webauth fallback mechanism
  host-mode          Set the Host mode for authentication on this interface
  linksec            Configure link security parameters
  open               Enable or Disable open access on this port
  order              Add an authentication method to the order list
  periodic           Enable or Disable Reauthentication for this port
  port-control       Set the port-control value
  priority           Add an authentication method to the priority list
  timer              Set authentication timer values
  violation          Configure action to take on security violations

3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication host-mode multi-auth
3750X(config-if)#authentication order mab dot1x
3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication periodic
3750X(config-if)#mab
3750X(config-if)#dot1x pae authenticator
3750X(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet3/0/20 but will only
 have effect when the interface is in a non-trunking mode.
3750X(config-if)#
Whilst this was purely a test, and I will probably be using a very different setup later on, the take away from this is about process more than anything else:

  • Enable AAA new-model
  • Set up AAA (authentication, authorization, accounting)
  • Set interface to be an access-mode port
  • Configure authentication on the interface

This is one of those things that, in an exam environment, if the process is not followed then you'll be spending more time fixing and troubleshooting, than actually configuring. Practice does make perfect, but process really does help.

This was just a quick play about, and once the switch is connected to the topology, there will be a longer post, hopefully explaining what all these commands actually mean.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »

1 comments:

comments