I had a little bit of time today, between dropping the kids off at nursery and picking the wife up from the airport, so I thought I'd have a little play with my new 3750-X switch, which arrived yesterday. It's the biggest expense so far in this study, and cost £899, so I really hope it's suitable for the CCIE Security!
It came with IOS 12.2, so the first thing to do is to upgrade to a newer version.
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
3750X#

Once I had added the commands for "ip ftp username" and "ip ftp password", I was able to load the tar file from FTP:
3750X#archive download-sw /overwrite /reload ftp://192.168.1.76/c3750e-universalk9-tar.150-2-SE8.tar

The upgrade process takes a while, probably about 20-30 mins, but once it's done, we have a much newer version:
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE8, RELEASE SOFTWARE (fc1)
3750X#

I also bumped up the license, using the Right To Use method:
3750X#show license
Index 1 Feature: ipservices
        Period left: Life time
        License Type: PermanentRightToUse
        License State: Active, In Use
        License Priority: High
        License Count: Non-Counted
Index 2 Feature: ipbase
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium
        License Count: Non-Counted
Index 3 Feature: lanbase
        Period left: 0 minute 0 second
3750X#

The next part was to make sure that I had access to the commands I would be needing later on, so let's have a look for "mab", "authentication" and "dot1x" under the interface commands:
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa            Authentication, Authorization and Accounting.
  arp            Set arp type (arpa, probe, snap) or timeout or log options
  auto           Configure Automation
  bandwidth      Set bandwidth informational parameter
  bgp-policy     Apply policy propagated by bgp community string
  carrier-delay  Specify delay for interface transitions
3750X(config-if)#auth
3750X(config-if)#auth?
% Unrecognized command
3750X(config-if)#mab
                 ^
% Invalid input detected at '^' marker.
3750X(config-if)#exi

Nothing there. Let's start by enabling "aaa new-model". This enables the more granular functions of AAA, and is exactly what we are looking for. Does this help now?
3750X(config)#aaa new-model
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa               Authentication, Authorization and Accounting.
  arp               Set arp type (arpa, probe, snap) or timeout or log options
  auto              Configure Automation
  bandwidth         Set bandwidth informational parameter
  bgp-policy        Apply policy propagated by bgp community string
  carrier-delay     Specify delay for interface transitions
  cdp               CDP interface subcommands
  channel-group     Etherchannel/port bundling configuration
  channel-protocol  Select the channel protocol (LACP, PAgP)
  crypto            Encryption/Decryption commands
  cts               Configure Cisco Trusted Security
  dampening         Enable event dampening
  datalink          Interface Datalink commands
  default           Set a command to its defaults
  delay             Specify interface throughput delay
  description       Interface specific description
  down-when-looped  Force looped interface down
  duplex            Configure duplex operation.
  eou               EAPoUDP Interface Configuration Commands
  exit              Exit from interface configuration mode
3750X(config-if)#exi

Nothing yet. We are not done with global configuration mode yet; we need to specify a few AAA commands:
3750X(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username
3750X(config)#aaa authentication dot default group radius
3750X(config)#aaa authorization network default group radius
3750X(config)#aaa accounting dot1x default start-stop group radius
3750X(config)#

Now can we see the commands?
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa               Authentication, Authorization and Accounting.
  arp               Set arp type (arpa, probe, snap) or timeout or log options
  auto              Configure Automation
  bandwidth         Set bandwidth informational parameter
  bgp-policy        Apply policy propagated by bgp community string
  carrier-delay     Specify delay for interface transitions
  cdp               CDP interface subcommands
  channel-group     Etherchannel/port bundling configuration
  channel-protocol  Select the channel protocol (LACP, PAgP)
  crypto            Encryption/Decryption commands
  cts               Configure Cisco Trusted Security
  dampening         Enable event dampening
  datalink          Interface Datalink commands
  default           Set a command to its defaults
  delay             Specify interface throughput delay
  description       Interface specific description
  down-when-looped  Force looped interface down
  duplex            Configure duplex operation.
  eou               EAPoUDP Interface Configuration Commands
  exit              Exit from interface configuration mode

Not yet. Remember that, by default, the switch port will be in trunk mode, and for AAA to work in the manner we want it to, we need it to be an access port:
3750X(config-if)#switchport access vlan 9
% Access VLAN does not exist. Creating vlan 9
3750X(config-if)#switchport mode access
3750X(config-if)#?
Interface configuration commands:
  aaa               Authentication, Authorization and Accounting.
  arp               Set arp type (arpa, probe, snap) or timeout or log options
  authentication    Auth Manager Interface Configuration Commands
  auto              Configure Automation
  ...
  description       Interface specific description
  dot1x             Interface Config Commands for IEEE 802.1X
  down-when-looped  Force looped interface down
  ...
  logging           Configure logging for interface
  mab               MAC Authentication Bypass Interface Config Commands
  mac               MAC interface commands
  macro             Command macro
  macsec            Enable macsec on the interface
  ...
3750X(config-if)#

Great, now we can see the authentication, dot1x and mab commands! Let's set it up:
3750X(config-if)#authentication ?
  control-direction  Set the control-direction on the interface
  event              Set action for authentication events
  fallback           Enable the Webauth fallback mechanism
  host-mode          Set the Host mode for authentication on this interface
  linksec            Configure link security parameters
  open               Enable or Disable open access on this port
  order              Add an authentication method to the order list
  periodic           Enable or Disable Reauthentication for this port
  port-control       Set the port-control value
  priority           Add an authentication method to the priority list
  timer              Set authentication timer values
  violation          Configure action to take on security violations
3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication host-mode multi-auth
3750X(config-if)#authentication order mab dot1x
3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication periodic
3750X(config-if)#mab
3750X(config-if)#dot1x pae authenticator
3750X(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet3/0/20 but will only
 have effect when the interface is in a non-trunking mode.
3750X(config-if)#

Whilst this was purely a test, and I will probably be using a very different setup later on, the takeaway from this is about process more than anything else:
- Enable AAA new-model
- Set up AAA (authentication, authorization, accounting)
- Set interface to be an access-mode port
- Configure authentication on the interface
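As an added check that is not part of the original post: a small Python script that reads a running-config (a constructed sample is embedded below) and reports which of the steps above are still missing for a given interface, in the order the post says they must be done. The interface names and the sample config are assumptions for illustration.

```python
import re

# Constructed sample running-config (not from the post): "aaa new-model" is
# there, but the AAA method lists are missing and port 3/0/20 is still a trunk.
SAMPLE_CONFIG = """\
aaa new-model
!
interface GigabitEthernet3/0/20
 switchport mode trunk
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet3/0/21
 switchport access vlan 9
 switchport mode access
 authentication port-control auto
 authentication order mab dot1x
 mab
 dot1x pae authenticator
"""

def interface_block(config, name):
    """Return the stripped sub-commands belonging to 'interface <name>'."""
    block, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1] == name
            continue
        if inside:
            if not line.startswith(" "):   # end of the indented block
                break
            block.append(line.strip())
    return block

def missing_steps(config, name):
    """The post's process, checked in order; returns the steps not satisfied."""
    glob = [line.strip() for line in config.splitlines()]
    intf = interface_block(config, name)
    has = lambda prefix: any(line.startswith(prefix) for line in glob)
    steps = [
        ("aaa new-model", "aaa new-model" in glob),
        ("aaa dot1x/network lists", has("aaa authentication dot1x")
                                    and has("aaa authorization network")),
        ("switchport mode access", "switchport mode access" in intf),
        ("authentication port-control auto", "authentication port-control auto" in intf),
        ("mab", "mab" in intf),
        ("dot1x pae authenticator", "dot1x pae authenticator" in intf),
    ]
    return [step for step, ok in steps if not ok]
```

Run against the sample, port 3/0/20 is flagged for the missing AAA lists and for still being a trunk, which is exactly the state in which the interface-level commands do not appear.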
This is one of those things where, in an exam environment, if the process is not followed you'll spend more time fixing and troubleshooting than actually configuring. Practice does make perfect, but process really does help.
This was just a quick play about, and once the switch is connected to the topology, there will be a longer post, hopefully explaining what all these commands actually mean.
1 comment:
Good to Know!