{"id":117,"date":"2019-02-26T00:25:04","date_gmt":"2019-02-26T00:25:04","guid":{"rendered":"https:\/\/thelordofthepings.newedgenetworking.com\/wp\/?p=117"},"modified":"2019-02-26T00:25:04","modified_gmt":"2019-02-26T00:25:04","slug":"securing-the-wired-network-with-802-1x","status":"publish","type":"post","link":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/2019\/02\/26\/securing-the-wired-network-with-802-1x\/","title":{"rendered":"Securing the wired network with 802.1X"},"content":{"rendered":"

This post covers an innovation project I did to secure the wired network at a shared conf center with 802.1X.<\/span><\/p>\n

Every few months we had to disable the wired network in order to prevent non-employees from being able to get online. This was not scalable, was prone to human error, and scheduling confusion. I planned to automate the process by enabling 802.1X aka dot1q on the switches using our Windows AD via Cisco ACS.<\/span><\/p>\n

Any Domain joined devices that plugged in would get access to our corp VLAN, and unknown devices would go into a dead VLAN. Long term I planned to enable a wired guest VLAN and had it labbed out for non local switched wifi where the guest VLAN exists on the switch you\u2019re connected to but didn\u2019t around to labbing local switching using CAPWAP tunnels.<\/span><\/p>\n

Wired Guest Access using Cisco WLAN Controllers Configuration Example:<\/span><\/p>\n

http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/wireless-mobility\/wireless-lan-wlan\/99470-config-wiredguest-00.html<\/span><\/a><\/p>\n

Phones would end up in the VoIP VLAN but they weren\u2019t equipped for dot1x authentication. So I had two options either manually add each MAC address to a list in the ACS which is not scalable or supportable. Instead I removed the user VLAN from the ports with phones connected. The voice VLAN itself was locked down with a strict ACL that only allowed communication with the VoIP server.<\/span><\/p>\n

Client configs:<\/span><\/p>\n

In this environment there were only Windows clients. Windows needs to be configured to enable their supplicant for dot1x. Anything with Windows can and should be controlled by Group Policy. I researched the needed settings and how to set them via GPO. Then I worked with the Windows team to roll out the GPO to a pilot group and finally deploy globally.<\/span><\/p>\n

Configuring 802.1X Wired Authentication on a Windows 7 Client:<\/span><\/p>\n

https:\/\/documentation.meraki.com\/MS\/Access_Control\/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client<\/a><\/p>\n

You can do the same thing with other versions of Windows just this was the one I worked with. <\/span><\/p>\n

Windows AD GPO guide: <\/span><\/p>\n

https:\/\/msdn.microsoft.com\/en-us\/library\/dd759237.aspx<\/span><\/a><\/p>\n

When these Win 7 machines were upgraded to Win 10 the GPO still worked.<\/span><\/p>\n

 <\/p>\n

Switch configs:<\/span><\/p>\n

!Debug 802.1x all<\/span>\r\n\r\n!Debug radius all<\/span>\r\n\r\nconf t<\/span>\r\n\r\naaa new-model<\/span>\r\n\r\naaa authentication dot1x default group radius<\/span>\r\n\r\naaa authorization network default group radius<\/span>\r\n\r\naaa accounting network default start-stop group radius<\/span>\r\n\r\ndot1x system-auth-control<\/span>\r\n\r\ndot1x guest-vlan supplicant<\/span>\r\n\r\nradius server acs1.foo.com<\/span>\r\n\r\n address ipv4 10.1.181.2 auth-port 1812 acct-port 1813<\/span>\r\n\r\n key 0 This-IsTheSharedSecret123<\/span>\r\n\r\nexit<\/span>\r\n\r\nradius server acs2.foo.com<\/span>\r\n\r\n address \u00a0ipv4 10.2.181.2 auth-port 1812 acct-port 1813<\/span>\r\n\r\n key 0 This-IsTheSharedSecret123<\/span>\r\n\r\nexit<\/span>\r\n\r\n!User ports<\/span>\r\n\r\ninterface <interface><\/span>\r\n\r\n authentication port-control auto<\/span>\r\n\r\n authentication host-mode multi-domain<\/span>\r\n\r\n dot1x pae authenticator<\/span>\r\n\r\n authentication event no-response action authorize vlan 15<\/span>\r\n\r\n authentication event fail action authorize vlan 15<\/span>\r\n\r\n!Phone ports<\/span>\r\n\r\ninterface <interface><\/span>\r\n\r\nno switchport access vlan 1010<\/span>\r\n\r\nend<\/span>\r\n\r\ncopy run start<\/span><\/pre>\n
ACS Configs:<\/span><\/p>\n
I already had the ACS configured to do dot1x auth for wifi clients so it was simple to just add the new switches to the rule set.<\/span><\/p>\n
 <\/p>\n
It was a success and opened the door to securing all wired networks.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
This post covers an innovation project I did to secure the wired network at a shared conf center with 802.1X. Every few months we had to disable the wired network in order to prevent non-employees from being able to get online. This was not scalable, was prone to human error, and scheduling confusion. I planned […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[35,34,45],"tags":[12,40,46,25],"class_list":["post-117","post","type-post","status-publish","format-standard","hentry","category-cisco","category-security","category-wifi","tag-cisco","tag-security","tag-wifi","tag-windows"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/comments?post=117"}],"version-history":[{"count":4,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":121,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/117\/revisions\/121"}],"wp:attachment":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/media?parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/categories?post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/tags?post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}