802.1X本身并不算太难,确切的说命令的繁琐,实验环境难以搭建(虚拟机+物理交换机)。是让人比较难入门的门槛。我也没有物理交换机,但毕竟配置只要贴在blog里面就行了。ISE和802.1x的概念还是可以操作复习下的。
一 交换机的推荐配置
文档可以参考,是个美国思科的SE写的:
http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x
official document
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html
我重新整理一遍
aaa new-model
aaa authenticatoin dot1x default group ISE
aaa authorization network default group ISE
aaa accouting dot1x start-stop group ISE
(命令格式与tacacs+非常相似,记住default是对所有支持802.1x的接口开启认证,其实就是access口,思科又来缺心眼,authorization来个network是什么鬼?)
aaa group server radius ISE
server-private 192.168.133.11 key cisco123
aaa server radius dynamic-author
client 192.138.133.11 key cisco123
ip radius source-interface loopback 0
dot1x system-auth-control
device-tracking tracking 3750/3850似乎有点不同
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth // sends Service-Type attribute in access request
radius-server attribute 8 include-in-access-req // send Framed-IP-address attribute
radius-server attribute 25 access-request include // send Class attribute in access request
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark PING
permit icmp any any
remark TFTP
permit udp any any eq tftp
remark Drop ALL
deny ip any any log
ip access-list extended Web-Redirect
deny udp any any eq domain
deny udp eq bootpc any eq bootps
deny tcp any any eq 8905
deny udp any any eq 8905
deny tcp any any eq 8909
deny udp any any eq 8909
deny tcp any any eq 8443
permit ip any any
ip http server
ip http secure-server
查了下文档,教主的课件有个端口8906其实已经不需要了。
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html
UDP/TCP 8905: Used for posture communication between NAC Agent and ISE
UDP/TCP 8909: Used for client provisioning.
TCP 8443: Used for guest and posture discovery.
access port
int gi 1/0/22
switchport mode access
switchport access vlan 10
spanning-tree portfast
device-tracking //3850/3650平台需要在接口下有这条命令,以前肯定没有
ip access-group ACL-DEFAULT in //默认放行的ACL,和authentication open一起使用
authentication open //认证不通都能打开物理接口,但是无授权流量由默认ACL控制
authentication event fail action next-method
authentication event server dead action authorize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authenticatino priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
二 MAB和802.1x概念
抄几段话:
- MAB is the authentication deployed when endpoint doesn't support 802.1x
- MAB uses PAP/ASCII or optionally EAP-MD5 to has the password. But the radius is clear text and username is the MAC address
官方有一份讲MAB非常详细的文档,我截取些关键点
High level MAB authentication sequence,可以看出认证过程就是交换机发送request identity多达3次,当802.1x timeout之后开始进行mab地址认证
-
-一个典型的MAB包,注意service-type=call-check NAS-Port-Type=Ethernet 注意username是明文的,所以实际上很好欺骗的
-ISE端默认的MAB匹配条件
记住在ISE中,所有的endpoint不管你是否得到授权,MAC地址都是可以被ISE记录下来的。以后会有profiling将这些终端进行分组,我们就可以根据这个组来进行授权了。
三 802.1x
先说几种认证方式,EAP-MD5(不详细讲了,生产环境不部署,考试也不考),PEAP(MS-CHAPv2),EAP-TLS,EAP-FAST
首先说下EAP,extensible authentication protocol,国外有个印度无线大神,他的blog写的非常的好。我直接借用他的