Guest

Design Zone for Security: Technology Partners

TrustSec Phased Deployment Configuration Guide

  • Viewing Options

  • PDF (19.9 MB)
  • Feedback
TrustSec Phased Deployment Configuration Guide

Table Of Contents

About Cisco Validated Design (CVD) Program

TrustSec Phased Deployment Configuration Guide

Phased Deployment Overview

Cisco TrustSec Overview

Cisco IOS Software Identity Enhancements

IEEE 802.1X with Multiauth

Flexible Authentication Sequencing

IEEE 802.1X with Open Access

IEEE 802.1X and MAB with Downloadable ACLs

IEEE 802.1X and MAB with Downloadable VLAN

Multidomain Authentication

Cisco Discovery Protocol Enhancement for Second Port Disconnect

Cisco Secure Access Control System 5.x

Phased Implementation Strategy

Authentication and Authorization Modes

Endpoint/User—Use Cases

Predeployment LAN Requirements

Assumptions and Prerequisites

Pre-TrustSec Switchport Interface Configuration

Verifying Network Infrastructure Before TrustSec is Deployed

Implementing Monitor Mode

Monitor Mode Overview

Installing Digital Certificates

Adding a Certificate Authority

Configuring Network Access Devices

Connecting to the Active Directory Domain

Setting the Clock for the New Cisco ACS 5.x Appliance

Creating Identity Groups and Identity Store Sequences

Creating Identity Groups

Creating Identity Store Sequences

Using Policy Elements

Creating Access Policies

Defining Identity Sources and Authorization Profiles

Creating Service Selection Rules

Configuring the Access Switch

Configuring Global Identity Settings

Configuring Monitor Mode on the Switch Port

Verifying Monitor Mode

Verifying Access Switch-to-Cisco ACS Server Communication

Verifying Authenticator-to-Authentication Server Communication

Verifying that the Cisco ACS Server Can Communicate with the AD Domain Controller

Verifying Host Network Connectivity and Network Services

Verifying that IP Phones are Working

Verifying that Devices such as IP Cameras Work

Implementing Low Impact Mode

Low Impact Mode Overview

Configuring Cisco ACS

Configuring Active Directory Groups

Configuring ACS Policy Elements

Configuring Authorization Profiles

Configuring Access Policies

Configuring User and Identity Stores

Adding Authorization Rules for 802.1X Service

Adding Authorization Rules for MAB Service

Configuring the Switch

Global Switch Default ACLs

Switch Port Configuration

Configuring the Endpoint Host

Verifying Low Impact Mode

Verifying Host Network Connectivity and Network Services

Verifying 802.1X-Capable Managed Assets

Verifying Non-802.1X-Capable Managed Assets

Implementing High Security Mode

High Security Mode Overview

Modifying Authorization Profiles

Verifying Global Switch VLAN Definition

Configuring the Switch Port

Verifying High Security Mode

Verifying Host Network Connectivity and Network Services

Verifying 802.1X-Capable Managed Assets

Verifying Non-802.1X-Capable Managed Assets

Creating a Certificate for a Windows XP Browser

References

TrustSec 1.99 Documents

Related Documents


TrustSec Phased Deployment Configuration Guide
Last Updated: September 6, 2011

Building Architectures to Solve Business Problems

About Cisco Validated Design (CVD) Program


The CVD program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit http://www.cisco.com/go/designzone.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at http://www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

TrustSec Phased Deployment Configuration Guide

© 2011 Cisco Systems, Inc. All rights reserved.

TrustSec Phased Deployment Configuration Guide


This document is designed to help focus and streamline Cisco TrustSec deployments. It includes the following sections:

Phased Deployment Overview

Implementing Monitor Mode

Implementing Low Impact Mode

Implementing High Security Mode

Creating a Certificate for a Windows XP Browser

References

Phased Deployment Overview

This section includes the following topics:

Cisco TrustSec Overview

Cisco IOS Software Identity Enhancements

Cisco Discovery Protocol Enhancement for Second Port Disconnect

Cisco Secure Access Control System 5.x

Phased Implementation Strategy

Predeployment LAN Requirements

Cisco TrustSec Overview

Cisco Trusted Security (TrustSec) is an integrated solution comprising several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. Cisco TrustSec facilitates greater security and cost-effective management of changes throughout your organization.

Having a secure TrustSec framework in place helps enterprises better manage employee mobility, reduce network access expenses, and boost overall productivity while lowering operating costs.

The Cisco TrustSec solution provides the following benefits:

Improves business capability without compromising security—Policies are associated with users and not physical ports, which not only gives your users more mobility but also simplifies administration for IT staff. Policy enforcement and dynamic provisioning ease management functions and deliver greater scalability.

Provides greater flexibility and mobility—Creating user or group profiles with policies that define trust relationships between users and network resources helps easily authenticate, authorize, and account for all wired and wireless network users.

Increases efficiency and manage costs—Delivering secure network access to partners and vendors though centralized policy-based administration decreases the time, complexity, and effort associated with port security techniques at the media access control level.

Increases visibility and enforces policy compliance—Tracking users and accounting for user activities help safeguard your network.

Cisco IOS Software Identity Enhancements

This section describes Cisco IOS Software features that accommodate the deployment scenarios described in this guide. It includes the following topics:

IEEE 802.1X with Multiauth

Flexible Authentication Sequencing

IEEE 802.1X with Open Access

IEEE 802.1X and MAB with Downloadable ACLs

IEEE 802.1X and MAB with Downloadable VLAN

Multidomain Authentication

IEEE 802.1X with Multiauth

Multiple authentication allows more than one host to authenticate on an IEEE 802.1X-enabled switch port. With multiauth, each host must authenticate individually before it can gain access to the network resources.


Note When multiauth is enabled, your dynamic authorization options change. Because an Ethernet port can be assigned to only one VLAN, you cannot have each authenticated session on a different VLAN. Therefore, Cisco recommends that you consider using downloadable access control lists (dACLs) as your authorization method. This is discussed later in this document.

Flexible Authentication Sequencing

Flexible authentication sequencing provides a flexible timeout and fallback mechanism among IEEE 802.1X, MAC authentication bypass (MAB), and web authentication methods. It also allows switch administrators to control the sequence of the authentication methods. This simplifies the Cisco TrustSec configuration by providing a single-set of configuration commands to handle different types of endpoints connecting to the switch ports. In addition, flexible authentication sequencing allows users to configure any authentication method on a standalone basis; that is, MAB can be configured without requiring IEEE 802.1X configuration.

IEEE 802.1X with Open Access

This feature allows users to have limited network access, such as the Intel Preboot eXecution Environment (PXE) boot server, before IEEE 802.1X authentication. The limited access is optionally controlled by an access control list (ACL) or a virtual LAN (VLAN) that is defined by the switch administrator and applied on the switch port.

IEEE 802.1X and MAB with Downloadable ACLs

This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X, MAB, or web authentication.

IEEE 802.1X and MAB with Downloadable VLAN

This feature allows per-port VLAN to be downloaded from the Cisco ACS as policy enforcement after authentication using IEEE 802.1X and MAB.

Multidomain Authentication

This feature allows an IP phone, either Cisco or non-Cisco, and a PC to authenticate on the same switch port while it places them on appropriate voice and data VLANs.

For a full list of the new Cisco IOS Software enhancements and additional information, see the following URLs:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/product_bulletin_c25-503086.html#wp9000607

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1107452

Cisco Discovery Protocol Enhancement for Second Port Disconnect

Cisco Discovery Protocol (CDP) is enhanced to add a new type-length-value (TLV) for the IP phone to inform the switch in the event of the PC disconnecting from the IP phone. Upon receiving this notification, the switch can clear the authenticated session security record for the PC. This enables end users to move behind phones without validating security policies, and thus eliminating error disabling of ports.

Cisco Secure Access Control System 5.x

Cisco Secure Access Control System 5.x (ACS 5.x) is the Cisco policy management system for supporting comprehensive, identity-based access control and security. Cisco ACS 5.x is focused on enhanced support for 802.1X. The following are the key enhancements for Cisco ACS 5.x:

Rules-based attribute-driven policy model

Lightweight web GUI

Centralized reporting, monitoring, and troubleshooting

Linux-based system architecture

Improved integration with identity and policy databases

Available as physical appliance and virtual appliance for VMware

Phased Implementation Strategy

The depth and breadth of Cisco TrustSec accommodates a large number of use cases and deployment scenarios. This section describes the following two aspects of the use cases discussed in this guide:

Authentication and Authorization Modes

Endpoint/User—Use Cases

Authentication and Authorization Modes

Cisco recommends a phased deployment model that can allow for limited impact on network access while gradually introducing authentication and authorization on the wired network. The phases are as follows:

Monitor mode

Low impact mode

High security mode

Monitor Mode

Monitor mode allows for the deployment of the TrustSec authentication methods IEEE 802.1X, MAB, and/or web authentication (WebAuth) without any effect to user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:

Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network

Where these endpoints connected

Whether they are 802.1X capable or not

Whether they have valid credentials

In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:

sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth
 
   

The open access feature transforms the normal behavior of blocking traffic on an 802.1X-enabled port until authentication and authorization are successfully performed. The default behavior of 802.1X is still to block all traffic accept Extensible Authentication Protocol over LAN (EAPoL). However, the open access feature allows the customer/administrator the option of providing unrestricted access to all traffic, even though authentication (802.1X, MAB, and/or WebAuth) is enabled.

All of this is accomplished with no impact to end users or network-attached hosts.

Low Impact Mode (also known as Selective Access Mode)

In this mode, you are able to incrementally increase the security by adding an ingress ACL to the 802.1X-enabled switchport that is configured in open mode. This ACL provides the ability to maintain whatever basic connectivity is required for unauthenticated hosts while selectively providing differentiated access for authenticated users.

An example of how this may be used is providing a host attached to a default port the ability to use Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and perhaps get to the Internet; all while blocking access to internal resources. When a device connected to that switchport authenticates, a dACL is applied to permit all traffic.

High Security Mode

Another option for 802.1X-enabled switch ports is the strict use of the traditional closed mode in conjunction with the use of dynamic VLAN assignment for differentiated access. This is the default behavior of an 802.1X-enabled switch port.

This guide demonstrates how to configure these three identity-enabled modes, allowing you to determine which mode works best for your environment.

Endpoint/User—Use Cases

Most if not all customer environments have a mix of host and users types. These typically fall into the following four primary categories:

Managed Hosts/Assets

Managed Users

Unmanaged Host/Assets

Unmanaged Users

Managed Hosts/Assets

The host device/asset is managed by the IT department and belongs to one of the following two classes for the purpose of TrustSec:

802.1X capable—The device has a supplicant and can authenticate using 802.1X.

Non-802.1X capable—The device does not have the ability to authenticate using 802.1X; that is, there is no supplicant.

Because the devices are managed, the IT department has knowledge of the device and in most cases can install and configure the prerequisite 802.1X supplicant software if it is available.


Note This guide uses Active Directory and the Cisco ACS internal database as the identity management (IdM) systems for managed hosts.

Managed Users

The end user has some affiliation with the company, either as an employee or subcontractor, and has been provisioned with an identity (username/password, digital certificate, and so on) in the identity IdM system of the company; typically, Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). The Cisco TrustSec Policy Management Server (ACS) integrates with common IdM systems to allow seamless authentication of user credentials.


Note This guide uses Active Directory as the IdM system for managed user identities.

Unmanaged Host/Assets

Endpoints that belong to short-term guests or business partners such as consultants, contractors, and customers. Because of legal or liability concerns, most IT departments cannot or are reluctant to install client software such as 802.1X supplicants on these unmanaged host PCs.

Unmanaged Users

Users that are considered short-term guests or business partners such as consultants, contractors, and customers, which are not or will not be provisioned into the traditional company IdM systems.

The key is to be able to accommodate all of the above endpoint/user use cases with a single switch port configuration. This can be accomplished with Cisco IOS Software enhancements; specifically, flexible authentication (FlexAuth) and flexible authentication sequencing. FlexAuth is used in conjunction with a policy or procedure to register the PC MAC addresses of guests and contractors.

Predeployment LAN Requirements

This section includes the following topics:

Assumptions and Prerequisites

Pre-TrustSec Switchport Interface Configuration

Verifying Network Infrastructure Before TrustSec is Deployed

Assumptions and Prerequisites

The following network services should be installed, configured, and ready for use:

Microsoft Active Directory (AD)

Certificate Authority (CA); this document assumes Microsoft CA

DHCP

DNS

For this configuration guide, the following have been preconfigured:

AD domain demo.local

AD users and passwords, as listed in Table 1

Switch VLANs and DHCP scopes, as listed in Table 2.

Table 1 AD Users and Passwords

Username
Example Passwords
Record Your Passwords Here

Administrator

aPa$$word0

 

User1

uPa$$word1

 

User2

uPa$$word2

 

Table 2 Switch VLANs and Scopes

VLAN NAME
VLAN ID
IP
Description
Monitor Mode

DATA

210

10.200.10.x/24

All non-Voice

VOICE

211

10.200.11.x/24

Voice Only

High Security Mode (used later)

MACHINES

212

10.200.12.x/24

Managed Host/Assets

GUEST

213

10.200.13.x/24

Non-802.1X responsive Host

CONTRACTOR

214

10.200.14.x/24

Reserved for Contractors

AUTHFAIL

215

10.200.15.x/24

Failed 802.1X attempts


Figure 1 shows a diagram of the TrustSec components used in the Cisco testing lab.

Figure 1 TrustSec Lab Components

Pre-TrustSec Switchport Interface Configuration

The following is a typical switchport configuration before TrustSec implementation:

Interface GigabitEthernet 2/1
  switchport access vlan 210
  switchport voice vlan 211
  switchport mode access
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip verify source vlan dhcp-snooping
  etc.
end
 
   
! Comments:
! Your configuration may vary. The main thing to note is that we are only using a DATA 
! and VOICE VLAN initially and no TrustSec features are enabled.
 
   

The following global switch configuration needs to be applied to the switch to enable DHCP Snooping on the port:

ip dhcp snooping vlan 210-215 <- your vlans may vary
no ip dhcp snooping information option
ip dhcp snooping
 
   

Verify that all hosts, except contractors and rogue APs, are online and working:

Cat6K#show cdp neighbors 
 
   
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 
 
   
Device ID        Local Intrfce     Holdtme    Capability  Platform      Port ID
SEP001BD585391E   Fas 2/16          161             H P M      IP Phone     Port 1
SEP0018BAC7BCEE  Fas 2/12          175              H P        IP Phone     Port 1
SEP0018BAC7BCFA  Fas 2/13          167              H P        IP Phone     Port 1
6506-1.identity.com     Fas2/48      151             R S I     WS-C6506  Gig1/43
001DE5EBE5EF         Fas 2/8         136                H         CIVS-IPC-    eth0
001DE5EBF900          Fas 2/11       131                H         CIVS-IPC-    eth0
Cat6k#show ip dhcp snooping binding 
 
   
MacAddress              IpAddress          Lease(sec)  Type                 VLAN  
Interface
------------------  	  ---------------        ----------       -------------           ----     
--------------------
00:1B:D5:85:39:1E    10.200.11.202    613050      dhcp-snooping   211   FastEthernet2/16
00:18:F8:08:F8:38     10.200.10.203    450645      dhcp-snooping   210   FastEthernet2/13
00:18:F8:09:CF:C6    10.200.10.201    358850      dhcp-snooping   210   FastEthernet2/1
00:18:BA:C7:BC:FA   10.200.11.201    687677      dhcp-snooping   211   FastEthernet2/13
00:18:BA:C7:BC:EE   10.200.11.203    687690      dhcp-snooping   211   FastEthernet2/12
00:1D:E5:EB:F9:00    10.200.10.206    687692      dhcp-snooping   210   FastEthernet2/11 
00:1D:E5:EB:F9:00    10.200.10.206    687692      dhcp-snooping   210   FastEthernet2/11
00:1D:E5:EB:E5:EF   10.200.10.204    687693      dhcp-snooping   210   FastEthernet2/8
00:21:86:58:DB:6B    10.200.10.205    444919      dhcp-snooping   210   FastEthernet2/12
 
   
Total number of bindings: 8

Verifying Network Infrastructure Before TrustSec is Deployed

Verify the following before deploying TrustSec:

DNS and DHCP are working

Client machines have joined the AD domain

The access switch can ping the Cisco ACS

The Cisco ACS can ping the AD domain controller

IP phones are working; check for dial tone

All VLANs are configured and routable on the network

Devices such as IP cameras and printers are working; for example, browse to the IP camera http://10.200.10.206


Note Do not enable TrustSec features such as 802.1X on the switch until you have configured your AAA server, switch-to-AAA/RADIUS configurations, and so on.

Implementing Monitor Mode

This section describes the global configuration necessary to implement monitor mode. This section includes the following topics:

Monitor Mode Overview

Installing Digital Certificates

Adding a Certificate Authority

Using Policy Elements

Configuring the Access Switch

Verifying Monitor Mode

Monitor Mode Overview

This section describes how to enable TrustSec authentication on the access switch ports and configure the infrastructure to support authentication and accounting. Monitor mode does not disrupt any network services for attached hosts, but enables you to account for and monitor network access attempts from the hosts connecting to your network.

Note that configuration of 802.1X supplicants, or clients, is not a concern here because monitor mode does not enforce authentication. However, if there are hosts with 802.1X enabled, you are able to detect them via the RADIUS accounting logs.

Installing Digital Certificates

To install digital certificates, complete the following steps.

Procedure


Step 1 Login to your newly installed Cisco Secure ACS 5.X (see Figure 2).

Unless otherwise configured, use the default username and password: acsadmin/default.

Figure 2 Cisco Secure ACS Login

Step 2 To create a digital certificate for ACS from your lab, trusted public, or enterprise certificate authority, go to the Cisco Secure ACS System Administration > Configuration > Local Server Certificates > Local Certificates, and select Add (see Figure 3).


Tip Best Practice Recommendation—Do not use self-signed certificates. Creating a digital certificate for ACS that is signed by a trusted third-party or enterprise CA is highly recommended. It is the foundation of trust for most browser-based (SSL) and EAP-based (RADIUS) protocols.

Figure 3 Creating a Digital Certificate

Step 3 Check the Generate Certificate Signing Request and click Next (see Figure 4).

Figure 4 Selecting Generate Certificate Signing Request

Step 4 In the Generate Certificate Signing Request screen (see Figure 5), do the following:

a. In the Certificate Subject text box, enter the fully qualified domain name of your ACS 5.0 server: cn=acs5.demo.local.

b. In the Key Length text field, select 4096

c. Click Finish.

Figure 5 Generate Certificate Signing Request

Step 5 To access the Certificate Signing Request (CSR), go to System Administration > Configuration > Local Server Certificates > Outstanding Signing Requests (see Figure 6).

Figure 6 Certificate Signing Request

Step 6 Select the CSR you created, click Export and then click Save (see Figure 7).

You will need to access this CSR from the CA in a later step.

Figure 7 Saving the Certificate Signing Request

Step 7 Open your enterprise or pilot/demo root CA server: http://ad.demo.local/certsrv.

The Welcome screen appears, as shown in Figure 8.

Figure 8 Microsoft Certificate Services—Welcome Screen

Step 8 Select Request a Certificate.

The Request a Certificate screen appears, as shown in Figure 9.

Figure 9 Request a Certificate Screen

Step 9 Select advanced certificate request.

The Advanced Certificate Request screen appears, as shown in Figure 10.

Figure 10 Advanced Certificate Request Screen

Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file (see Figure 11).

Figure 11 Submitting a Certificate Request

Step 10 Open the CSR you created from ACS in the previous step in a text editor (see Figure 12).

Figure 12 CSR Opened in a Text Editor

Step 11 Ensure that word wrap is not enabled and select all of the text.

Step 12 Paste the selected text into the CA window and click Submit (see Figure 13).

Figure 13 Submitting a Certificate Request (2)

Step 13 Download your certificate on your local computer in DER format for importing into ACS; for example, ca-cert-DER.cer (see Figure 14).

Make a note of the filename and directory in which you saved it.

Figure 14 Certificate Issued

Step 14 To install the new certificate in the Cisco ACS 5.0 interface, go to System Administration > Configuration > Local Server Certificates > Local Certificates and select Add (see Figure 15).

Figure 15 Adding a New Certificate

Step 15 Select the Bind CA Signed Certificate option and click Next (see Figure 16.)

Figure 16 Bind CA Signed Certificate Screen

Step 16 Browse, locate, and select the file you created earlier, and make sure to check both the EAP and Management Interface checkboxes (see Figure 17).

Figure 17 Step 2 - Bind CA Signed Certificate Screen

Step 17 Click Finish.

You should now see the new digital certificate successfully installed (see Figure 18), and you may delete the old self-signed certificate.

Figure 18 New Digital Certificate Installed

This completes the ACS certificate enrollment section.


Adding a Certificate Authority

To add a certificate authority, complete the following steps.

Procedure


Step 1 Go to User and Identity Stores > External Identity Stores > Certificate Authorities and click Add.

Step 2 In the Certificate File to Import screen, click Browse and select the .cer file of the root CA created previously.

Step 3 Click Open and ensure that the Trust for Client with EAP-TLS checkbox is checked (see Figure 19).

Figure 19 Adding a Certificate Authority

Step 4 Click Submit and the new CA will be displayed in the Trust Certifcate List (Figure 20).

Figure 20 Trust Certificate List


Configuring Network Access Devices

To create an RADIUS entry for your access switch, complete the following steps.

Procedure


Step 1 Go to Network Resources > Network Devices and AAA Clients.

Step 2 Create an entry for RADIUS for your access switch (see Figure 21) by doing the following:

a. Provide a name and IP address that corresponds to your access switch.

b. Check the RADIUS box.

c. Provide a shared secret; this exercise uses cisco123.

Figure 21 Creating a RADIUS Entry for the Access Switch

Connecting to the Active Directory Domain

To connect to the Active Directory domain, complete the following steps.

Procedure


Step 1 Go to Users and Identity Stores > External Identity Stores > Active Directory, and do the following:

a. Enter the appropriate domain name; for example, demo.local.

b. Provide a username and password that allow you to connect to the domain; for example, administrator/yourpassword.

Step 2 Click on the Test Connection button to validate joining the domain.

If you get an error similar to the one shown in Figure 22, your clocks are not synchronized. In this case, go to the "Setting the Clock for the New Cisco ACS 5.x Appliance" section.

Figure 22 Connection Failed Message

If you were successful, select Save Changes and move to the "Creating Identity Groups and Identity Store Sequences" section.


Note Clock synchronization is extremely important to Active Directory operations. Always use NTP where possible.

Setting the Clock for the New Cisco ACS 5.x Appliance

To set the clock on a new Cisco ACS 5.x appliance, complete the following steps.

Procedure


Step 1 Access the command-line interface on the ACS appliance and enter the administratively defined login credentials; for example, admin/password (see Figure 23).


Note You configured the password in the setup process of the ACS appliance.

Figure 23 Login Screen

Step 2 Determine the correct value for your timezone by typing the following command at the base prompt (not in global configuration mode) to display the available options.

ACS5-2/admin# show timezone
 
   

Step 3 Access global configuration mode by typing conf t.

Step 4 Type the clock timezone value (for example, US/Pacific) and press the Enter key.

Step 5 Use the following command to set your timezone:

ACS5-2/admin(config)# clock timezone <YOURTIMEZONE>
 
   

Step 6 At the Do you want to restart now? prompt, type y.

Step 7 Do one of the following:

a. To set the NTP server, from global configuration mode use the ntp server <server> command, as in the following example:

ACS5-2/admin(config)# ntp server time.cisco.com  
 
   

b. To set the time, use the clock set <month day time year> command, as in the following example:

ACS5-2/admin# clock set Jun 24 14:27:00 2011
 
   

Your ACS appliance should now have the same timezone, time, and date as your Active Directory domain controller.

Step 8 Go back into the Cisco ACS web interface and finish your Active Directory setup.

If you had to adjust the timezone, date, and time, go back to the previous step and set up your Active Directory as an external identity store. When you are complete, you should now be able to establish a connection with the active directory, as shown in Figure 24.

Figure 24 Successful Connection to the Active Directory


Creating Identity Groups and Identity Store Sequences

This section includes the following topics:

Creating Identity Groups

Creating Identity Store Sequences

Creating Identity Groups

To create identity groups, complete the following steps.

Procedure


Step 1 Go to Users and Identity Stores > Identity Groups and select Create.

Step 2 Type in the name and description information and click Submit (see Figure 25).

Figure 25 Creating Identity Groups

Step 3 Repeat for the next group.


Note It is not necessary to create any internal identity stores as a host for MAB in monitor mode. These are added in the next phase. which is low impact mode.

Creating Identity Store Sequences

The identity store sequence allows you to add multiple identity stores to an access service. It attempts each identity store in the sequence, which is extremely flexible. This allows having users such as IP phones, temporary users, admin users, and so on, to be internally defined in ACS without having to add them to the corporate Active Directory or other external LDAP database.

To create identity store sequences, complete the follow steps.

Procedure


Step 1 Go to User and Identity Stores > Identity Store Sequences and select Create.

Step 2 In the window shown in Figure 26, do the following:

a. Type the name 802.1X-TrustSec.

b. Type a description and select Internal Users and AD1.

c. Click Submit.

This is used later in the 802.1X access service.

Figure 26 Creating Identity Store Sequences


Using Policy Elements

This section describes the configuration of policy elements. It includes the following topics:

Creating Access Policies

Defining Identity Sources and Authorization Profiles

Creating Service Selection Rules


Note You do not need to create any authorization profiles for monitor mode because the port allows all traffic to flow, regardless of whether the endpoint successfully authenticates or not. You are only monitoring in this mode.

Creating Access Policies

For this guide, two new access services are created: one for 802.1X, and one for MAC Authentication Bypass (MAB).

Complete the following steps.

Procedure


Step 1 Go to Access Policies > Access Services and select Create.

Step 2 In the window shown in Figure 27, do the following:

a. For the Name, type 802.1X.

b. For the Description, type IEEE 802.1X.

c. Select User Selected Policy Structure.

d. Click Next.

Figure 27 Creating Access Services—Step 1

Step 3 Select all of the check boxes shown in Figure 28 and click Finish.

Figure 28 Creating Access Services—Step 2


Note Decline any messages requesting you create matching Service Selection Rules. This is done in a later step.

Step 4 Select Access Policies > Access Services again.

Repeat the process above to create a new access service for MAB. The MAB service allows you to recognize network access requests, glean the MAC addresses, and record them in the AAA accounting logs. This helps you monitor and determine what devices, via their MAC addresses, are connecting to the network and where.

Step 5 Select Create.

Step 6 In the window shown in Figure 29, do the following:

a. For the name, type MAB.

b. For the description, type MAC-Auth Bypass.

c. Select User Selected Service Type.

d. Accept the defaults and click Next.

Figure 29 Creating an Access Service for MAB—Step 1

Step 7 For MAB, select only Process Host Lookup and Allow PAP/ASCII (see Figure 30).

Figure 30 Creating an Access Service for MAB—Step 2

Step 8 Click Finish.


Note Decline any messages requesting you create matching Service Selection Rules. This is done in a later step.

Defining Identity Sources and Authorization Profiles

After creating the 802.1X and MAB Access Services, define their respective identity sources and authorization profiles by completing the following steps.

Procedure


Step 1 From within Access Policies > Access Services, select the previously created 802.1X access service.

Step 2 Use the drop-down arrow to select Identity to set up the Identity Source.

Step 3 For 802.1X, specify 802.1X-TrustSec (see Figure 31).

This is the Identity Store Sequence you created previously, which contains both Active Directory and the internal database.

Figure 31 Setting up the Identity Source

Step 4 Accept the defaults and click Save Changes.

Step 5 Select Authorization under the 802.1X Access Service.

Step 6 In the window shown in Figure 32, for Monitor Mode, accept the Default Policy Rule for both 802.1X and MAB Access Services, which is Permit Access.

Figure 32 Authorization


Creating Service Selection Rules

In this section, you create two service selection rules: one for 802.1X and a second for MAB. Service selection is a means for Cisco ACS to identify an access service request and associate it with the proper administratively defined access service such as 802.1X, MAB, TACACS+, and so on. This allows for the specialized handling of different types of service requests, as listed in Table 3.

Table 3 Service Selection Rules

Service Selection Rule Name
Compound Expression
Result Service
Dictionary
Attribute
Operator
Value

Match-802.1X

RADIUS-IETF

Service-Type

Match

Framed

802.1X

Match-MAB

RADIUS-IETF

Service-Type

Match

Call-Check

MAB


Complete the following steps.

Procedure


Step 1 Go to Access Policies > Service Selection Rules.

Step 2 Select the Customize button from the lower right corner and make sure Compound Condition is selected (see Figure 33).

Figure 33 Customize Conditions Screen

Step 3 Click OK.

Step 4 Select Create.

Step 5 In the windows shown in Figure 34, do the following:

a. For the Name, type Match-802.1X.

b. Select the Protocol checkbox.

c. Select RADIUS.

d. Select the Compound Conditions checkbox.

e. Select RADIUS-IETF from the dictionary drop-down box.

f. Click the Select button to select Service-Type for the Attribute.

g. Click OK.

Figure 34 Creating the Service Selection Rule (1)

Step 6 From the Operator drop-down menu, Select match and Select Framed for the value (see Figure 35).

Figure 35 Creating the Service Selection Rule (2)

Step 7 In the window shown in Figure 36, do the following:

a. Select Add V.

b. In the Service drop-down menu under Results, select 802.1X.

c. Click OK.

Figure 36 Creating the Service Selection Rule (3)

You now see the newly created service selection rule Match-802.1X.

Step 8 Select Save Changes to save the changes.

Step 9 To create the MAB service selection rule, select Create.

Step 10 In the window shown in Figure 37, do the following:

a. Give this rule the name of Match-MAB.

b. Select the RADIUS protocol.

c. In the Compound Condition section, select RADIUS-IETF from the Dictionary drop-down menu.

d. Click the Select button to select Service-Type for the Attribute value.

e. Click OK.

f. Select match from the Operator drop-down menu.

g. For the value, click the Select button and select Call-Check and then OK.

h. Select Add V.

i. From the Service drop-down menu in the Results section, select MAB.

j. Click OK and then Save Changes.

Figure 37 Creating the MAB Service Selection Rule


Configuring the Access Switch

This section describes the configuration of the access switch. It includes the following topics:

Configuring Global Identity Settings

Configuring Monitor Mode on the Switch Port

Configuring Global Identity Settings

Configure the global identity commands on the switch to enable TrustSec by using the following commands as a guide:

AAA settings:

! Enable AAA
aaa new-model
 
   
! Create an 802.1X port-based authentication method list
aaa authentication dot1x default group radius
 
   
! Required for VLAN/dACL assignment
aaa authorization network default group radius
 
   
! Enables 802.1X Accounting and MAB
aaa accounting dot1x default start-stop group radius
 
   

RADIUS settings:

! Define the Radius Server and establish the ports to use.
! The test keyword will proactively check that the RADIUS server (ACS 5) is still 
responding.
 
   
radius-server host [ACS_Server_IP_Address] auth-port 1645 acct-port 1646 test username 
test-radius
 
   
 
   
! Define the Shared-Secret to be used between ACS & the Switch.  
! This must match what was entered in ACS.
 
   
radius-server key [user-defined-shared-key] 
 
! ensure your RADIUS traffic is always sourced from the ip address entered in the 
RADIUS server. 
ip radius source-interface [interface_name]
 
   
! create the user in Global Config for the RADIUS server Test.
username test-radius password 0 cisco123
 
   

Globally enable 802.1X authentication:

dot1x system-auth-control
 
   

There are additional features to consider before going into production, such as Inaccessible Authentication Bypass, also known as Critical Auth. For instructions on Inaccessible Authentication Bypass, as well as other identity features, see the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1054805

Configuring Monitor Mode on the Switch Port

To configure monitor mode on the switch, add the following TrustSec settings to the access ports:

! Enter the range of interfaces to apply the port configuration to
interface range g2/1-16  
 
   
! Enable pre-authentication open access (non-restricted)
 authentication open
 
   
! Enable port-based Authentication on the Interface
 authentication port-control auto
 
   
! Enable 802.1X Authentication on the Interface
 dot1x pae authenticator
 
   
! Enable MAC-Auth Bypass on the Interface
 mab
 
   
! Enable multiauth Mode
 authentication host-mode multi-auth
 
   
! multiauth Allows a single IP phone and one or more data clients to independently 
authenticate
! on an authorized port.  Each host, or MAC Address, is authenticated individually.

Note This is not an extensive list of the identity feature set, but just those necessary for the enabling of monitor mode for the purposes of this guide.

Verifying Monitor Mode

Now that you have enabled the global settings in Cisco ACS and on the switch, as well as the port-specific configuration to enable TrustSec monitor mode, run the validation steps described in this section to verify proper operation.

This section includes the following topics:

Verifying Access Switch-to-Cisco ACS Server Communication

Verifying Authenticator-to-Authentication Server Communication

Verifying that the Cisco ACS Server Can Communicate with the AD Domain Controller

Verifying Host Network Connectivity and Network Services

Verifying that IP Phones are Working

Verifying that Devices such as IP Cameras Work

Verifying Access Switch-to-Cisco ACS Server Communication

Access the switch console and ping the IP address of your Cisco ACS server.


Note This is an optional step because you should have already validated communications during the Cisco ACS configuration steps earlier.

Verifying Authenticator-to-Authentication Server Communication

This validation exercise verifies that the switch is sending RADIUS messages for those hosts attempting to authenticate to those ports where you have enabled monitor mode. The easiest way to verify this is to check the accounting logs on the Cisco ACS server. Because you are in monitor mode, you should see failed authentication attempts from hosts.

Complete the following steps.

Procedure


Step 1 From within the Cisco ACS web interface, select Monitoring and Reports (see Figure 38).

Figure 38 Monitoring and Reports Screen

Step 2 Select Launch Monitoring & Report Viewer.

Depending on your browser behavior settings, either a new browser window or tab within the existing browser window is launched (see Figure 39).

Figure 39 Monitoring and Reports Dashboard

Step 3 From within the Monitoring and Report view screen, select Authentications - RADIUS - Today from the Favorite Reports section.

You should see failed authentication attempts, as shown in Figure 40. However, remember that because you are in monitor mode and using the Open Access Cisco IOS Software feature, those hosts still have full network access.

Figure 40 Failed Authentication Attempts


Verifying that the Cisco ACS Server Can Communicate with the AD Domain Controller

Access a command-line prompt on the ACS server and ping the IP address of your Microsoft AD Controller.


Note This is an optional step because you should have already validated communications during the Cisco ACS configuration steps earlier.

Verifying Host Network Connectivity and Network Services

Now that you have enabled 802.1X and MAB in Open Mode, once again verify that the hosts connected to these ports still have network access as they did before enabling these TrustSec features.

Complete the following steps.

Procedure


Step 1 Access the switch console perform the following:

conf t
 int range f2/1-16 (or the range of ports you configured)
  shut
  no shut
end

Notice the console messages on your terminal showing 802.1X and MAB authentication attempts and failures as shown in Figure 41. This is normal output. Depending on the authentication order commands, the switch ports first attempt 802.1X and then MAB, because these are the two TrustSec features you enabled.

Figure 41 Console Message Output

However, because you have enabled open mode, connectivity should not be affected at all. To verify this, perform the following steps.

Step 2 To check the port authentication status on the switch for a given port, type the show authentication session command for a specific interface from your console connection to the switch.

For example, show auth session int f2/1. You should notice an output similar to the one shown in Figure 42, indicating that the host failed authentication where the status shows Authz Failed. You should also notice that the port attempted 802.1X and then failed over to MAB, both indicating they failed over.

Figure 42 Sample Status Output

Step 3 To verify that there has been no disruption of network services for the hosts attached to this monitor mode-enabled switch/network, verify that DNS/DHCP is working using the ipconfig and ping commands on one of the PCs.

Step 4 From one of the PCs connected to the port for which you just verified the failed authentication from the previous exercise, access the command line dialogue.

For example, got to Start > Run > CMD and click OK (see Figure 43).

Figure 43 Accessing the Command Prompt

Step 5 From the command prompt, type ipconfig.

Your output should be similar to that shown in Figure 44. Notice the host has an IP address.

Figure 44 Sample ipconfig Output

Step 6 Verify network connectivity by typing ping <ip address>.

For example, type ping 10.200.1.117 for the Microsoft AD Server, or use the IP address you assigned your AD server. Your output should be similar to that shown in Figure 45.

Figure 45 Verifying Network Connectivity

Step 7 Verify that the client PC can still join the AD domain by logging out and logging back into the Windows PC domain (see Figure 46).

Figure 46 Logging into Windows PC Domain

Step 8 Using the Windows Internet Explorer, verify that you can access the web server hosted on your network (see Figure 47).

This example uses a default page on the Windows AD Server.

Figure 47 Accessing the Web Server

Verifying that IP Phones are Working

Check to see that the IP phones have obtained IP addresses and verify that they have a dial tone, indicating they have associated with the Cisco Call Manager.

Verifying that Devices such as IP Cameras Work

To verify that your IP cameras work, complete the following steps.

Procedure


Step 1 Using Internet Explorer, browse to the IP address of one of your Cisco MediaNet IP Video Cameras; for example, http://10.200.10.202.

Step 2 When prompted for login credentials, enter admin for the username and Cisco123 for the password.

After you have authenticated, you see whatever your camera is viewing (see Figure 48). You may need to adjust the focus ring to focus the video.

Figure 48 Accessing the IP Camera


Implementing Low Impact Mode

This section includes the following topics:

Low Impact Mode Overview

Configuring Cisco ACS

Configuring Access Policies

Configuring the Switch

Verifying Low Impact Mode

Low Impact Mode Overview

Low impact mode enables you to incrementally increase the security level by configuring an ingress port ACL on the Open Access TrustSec-enabled port. This provides basic connectivity for guests, contractors, and unauthenticated hosts while selectively limiting access to introduce a higher level of access security.

Additionally, differentiated access can be accommodated based on successful authentication and authorization by combining downloadable ACLs (dACLs) with the Cisco TrustSec-enabled port, which uses 802.1X, MAB, and/or WebAuth.

Combined with dACLs for successfully authenticated users and hosts, you can create profiles to grant or deny access to network resources based on need and your security policies, as shown in Table 4. This enables differentiated services while still maintaining secure network connectivity for legacy hosts.

Table 4 Profiles

Low Impact or Selective Access Mode
Profile Name
Description
VLAN
dACL

Phone-Authz

Policy to map IP phones to voice VLAN

VOICE

CorpAssetACL

Managed-Asset-Authz

Policy to be applied to managed assets

n/a

CorpAssetACL

MediaNet-Authz

Policy for Cisco MediaNet endpoints

n/a

CorpAssetACL

CorpUser-Authz

Policy for valid AD authenticated Users

n/a

CorpUserACL

Contractor-Authz

Policy for short-term contractors

n/a

ContractorACL


Configuring Cisco ACS

This section includes the following topics:

Configuring Active Directory Groups

Configuring ACS Policy Elements

Configuring Authorization Profiles

Configuring Active Directory Groups

Before configuring policies, you need to select some Active Directory groups so they are available for subsequent steps.

Complete the following steps.

Procedure


Step 1 Go to Users and Identity Store > External Identity Stores > Active Directory (see Figure 49).

Figure 49 Active Directory

Step 2 Select the Directory Groups tab (see Figure 50).

Figure 50 Active Directory—Directory Groups

Step 3 In this window, do the following:

a. Click Select.

b. Scroll down and select /Users/Domain Computers and /Users/Domain Users (see Figure 51).

Figure 51 Selecting Group Names


Note Your domain name will most likely be different than demo.local; for example, yourcompany.com.

c. Click OK.

The window shown in Figure 52 appears, showing the Directory Groups you selected.

Figure 52 Selected Directory Groups

Step 4 Click Save Changes.


Configuring ACS Policy Elements

This section describes how to create and/or modify the three ACS policy components listed in Table 5, which are linked together for the authorization policies.

Table 5 Three ACS Policy Components

ACS Component Type
Section within the ACS GUI
Comments

Downloadable ACLs (dACL)

Policy Elements > Authorizations and Permission > Named Permission Objects

Named ACLs that can be associated with different authorization profiles

Authorization profiles

Access Policies > Access Services > Named Access Service

Named profiles that allow you to provide different permission or policies to different groups

Authorization profiles

Policy Elements > Authorizations and Permission > Network Access

These authorization profiles are created within the access service; for example, 802.1X, MAB, and so on


This is an extensible approach that allows you to differentiate various types of request per access service, and to create and apply different policy based on groups.

The three dACLs listed in Table 6 will be used in the authorization profiles.


Note These are only sample ACLs. Consult with the InfoSec or Security staff of your organization to determine what is appropriate for your requirements.

Table 6 dACLs

Named dACL
ACE Permissions

CorpAssetACL

permit icmp any any log
permit ip any any

CorpUserACL

permit icmp any any log
permit ip any any

ContractorACL

remark Allow DHCP
  permit udp any eq bootpc any eq bootps
remark Allow DNS
  permit udp any any eq domain
remark Allow access to internet
  permit tcp any any eq www
  permit tcp any any eq 443
remark Allow IPSEC VPN
  permit udp any any eq 62515
  permit udp any any eq isakmp
  permit udp any any eq 10000
  permit udp any any eq 4500
  permit esp any any
  permit ah any any

Complete the following steps.

Procedure


Step 1 To create the CorpAssetACL dACL, select Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs from the ACS web interface (see Figure 53).

Figure 53 Downloadable Access Control Lists

Step 2 Select Create.

Step 3 In the window shown in Figure 54, enter the name, description, and the ACL permissions from Table 6 for the CorpAssetACL dACL.

Figure 54 Creating a dACL

Step 4 Click Submit.

Step 5 Repeat the above steps to enter the CorpUserACL and ContractorACL dACLs.

After you have created all three dACLs, you should see the information shown in Figure 55 under the Downloadable ACLs section.

Figure 55 Three dACLs


Configuring Authorization Profiles

For low impact mode, create the five authorization profiles listed in Table 7. These profiles will be associated with identity groups and access services.

Table 7 Five Authorization Profiles

Profile Name
Description
VLAN
dACL

Phone-Authz

Policy to map IP phones to Voice VLAN

n/a

CorpAssetACL

Managed-Asset-Authz

Policy to be applied to Managed Assets

n/a

CorpAssetACL

MediaNet-Authz

Policy for Cisco MediaNet Endpoints

n/a

CorpAssetACL

CorpUser-Authz

Policy for Valid AD Authenticated Users

n/a

CorpUserACL

Contractor-Authz

Policy for short term contractors

n/a

ContractorACL


To create the five authorization profiles, complete the following steps.

Procedure


Step 1 Go to Policy Elements > Authorizations and Permissions > Network Access > Authorization Profiles and select Create.

Step 2 In the screen shown in Figure 56, type Phone-Authz in the Name field and enter an appropriate description.

Figure 56 Authorization Profiles—General Tab

Step 3 Select the Common Tasks tab (see Figure 57).

Figure 57 Authorization Profiles—Common Tasks Tab

Step 4 Do the following:

a. For Downloadable ACL Name, select Static.

b. From the Value drop-down menu, select CorpAssetACL.

c. In the Voice VLAN section, select Static from the Permission to Join drop-down menu.

Step 5 Click the RADIUS Attributes tab.

Step 6 In the RADIUS Attributes tab, accept the defaults and click Submit.

Step 7 Create the Managed-Asset-Authz authorization profile by performing the above steps, using the information shown in Figure 58 and Figure 59.

Figure 58 Authorization Profiles—General Tab

Figure 59 Authorization Profiles—Common Tab

Step 8 Repeat the above steps to create the MediaNet-Authz profile.

Step 9 Repeat the above steps to create the CorpUser-Authz profile, using the information shown in Figure 60 and Figure 61.

In the Value drop-down menu in the ACLS section, select CorpUserACL.

Figure 60 Authorization Profiles—General Tab

Figure 61 Authorization Profiles—Common Tasks Tab

Step 10 Repeat the above steps to create the Contractor Authz profile, using the information shown in Figure 62 and Figure 63.

In the Value drop-down menu in the ACLS section, select ContractorACL.

Figure 62 Authorization Profiles—General Tab

Figure 63 Authorization Profiles—Common Tasks Tab

Step 11 After you have created all the sample profiles, you should see the information shown in Figure 64 in your Authorization Profiles section.

Figure 64 Authorization Profiles


Configuring Access Policies

This section includes the following topics:

Configuring User and Identity Stores

Adding Authorization Rules for 802.1X Service

Adding Authorization Rules for MAB Service

Configuring User and Identity Stores

Table 8 lists the identity groups used in this section.

Table 8 Identity Groups

Group
Description
Comment

IP phones

Corporate managed IP phones

Added previously in monitor mode

MACHINES

Corporate managed machines such as printers, cameras, and so on

Added previously in monitor mode

Contractor

Contractors

New group to be added


Adding a Contractor Identity Group

To create the Contractor identity group, complete the following steps.

Procedure


Step 1 Go to Users and Identity Stores > Identity Groups and select Create.

Step 2 Type in the group and description information listed for the Contractor identity group in Table 8.

Step 3 Click Submit.


Creating Internal Identity Stores—Host for MAB

Next you will create entries for managed host devices and assign them to identity groups. These entries are used to provide authentication and authorization using MAB.

The information listed in Table 9 is provided as an example.

Table 9 Identity Group Information

MAC Address
Description
Identity Group

00-18-BA-C7-BC-EE

Cisco 7960 IP Phone (non-802.1X capable)

IP Phone

00-18-BA-C7-BC-FA

Cisco 7960 IP Phone (non-802.1X capable)

IP Phone

00-1D-E5-EB-E5-EF

Cisco IP Video Camera

MACHINE

00-1D-E5-EB-F9-00

Cisco IP Video Camera

MACHINE

00-21-86-58-DB-6B

Contractor PC (Non-managed host)

Contractor



Note The Cisco 7961 Phone used in the example described in this guide is 802.1X-capable. Therefore, you do not need to enter it in the host database. It is added in the Users database in the next section.

Use Table 10 to record your own MAC addresses to accommodate the use cases described in this guide.

Table 10 MAC Address Reference List

MAC Address
Description
Identity Group
 

Cisco IP Phone

IP Phone

 

Cisco IP Phone

IP Phone

 

Cisco IP Camera (or other non-dot1x host)

MACHINE

 

Cisco IP Camera (or other non-dot1x host)

MACHINE

 

Contractor PC

CONTRACTOR


To create entries for managed host devices and assign them to identity groups, complete the following steps.

Procedure


Step 1 Go to User and Identity Stores > Internal Identity Stores > Hosts (see Figure 65).

Figure 65 Users and Identity Stores—Hosts

Step 2 In the Identity Groups screen, select Create.

Step 3 In the screen shown in Figure 66, do the following:

a. Type the MAC address and description, using the information from Table 9.

b. Click the Select button for Identity Group selection and select the appropriate group.

c. Click OK, then click Submit.

Figure 66 Users and Identity Stores—Create

Step 4 Repeat the above steps to enter the other MAC addresses listed in Table 9.

After you have entered all the MAC addresses for your pilot, your host database should look like the screen shown in Figure 67.

Figure 67 Internal Hosts



Note Cisco offers products that can automate the process of building a database of profiled MAC addresses. The installation and configuration of those products are covered in another document. Additionally, if you already have a database of known valid MAC addresses from an asset management system, those may be imported into the internal database of ACS. Consult the ACS User Guide for more information. For more information on Cisco ACS 5.0, see the following URL: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/ACS_user_guide.html

Configuring Internal Identity Stores—Users for 802.1X

Next you will create entries for managed host devices and assign them to identity groups. These are used to provide authentication and authorization, using 802.1X for identities that are not maintained in your external identity management (IdM) system.


Note This internal database can be used to create accounts for 802.1X-capable phones, administration, bootstrapping, troubleshooting, and other uses without having to add a user into your official IdM system; for example, Microsoft AD. Where possible, the use of existing identity repositories such as AD is recommended as a best practice. However, certain use cases may require the use of the internal database within ACS. Follow the security policies of your company in this matter.

The information shown in Table 11 is provided as an example.

Table 11 Managed Host Device Information

Host ID
Description
MD5 Password
Identity Group

CP-7961G-SEP001BD585391E

Cisco 7961G 802.1X-capable IP Phone

password

IP Phones


Use Table 12 to record your own MAC addresses to accommodate the use cases described in this guide.

Table 12 Managed Host Reference List

Host ID
Description
MD5 Password
Identity Group
       
       
       
       

To create entries for managed host devices and assign them to identity groups, complete the following steps.

Procedure


Step 1 Go to User and Identity Stores > Internal Identity Stores > Users (see Figure 68).

Figure 68 Internal Users

Step 2 Select Create.

Step 3 In the screen shown in Figure 69, do the following:

a. Type the UserID; for example, CP-7961G-SEP001BD585391E

b. Type an appropriate description; for example, Cisco 7961G 802.1X Capable IP Phone.

c. Type a password; for example, pa$$Word4.

This password must match the one you configured on your host. In this case, pa$$Word4 is used for the password on the Cisco 7961G IP Phone.

Figure 69 Creating an Entry

Step 4 For Identity Group, click Select and select the appropriate group; for example, All Groups:IP Phones (see Figure 70). Then click OK.

Figure 70 Identity Groups

Step 5 Click Submit.

You should now see your entry in the Internal Users database, as shown in Figure 71.

Figure 71 Internal Users Database


Adding Authorization Rules for 802.1X Service

For low impact mode, you will now add new authorization rules to allow for differentiated services between the various groups or classes of users and hosts.

Adding an 802.1X-Capable Phones Authorization Rule

Complete the following steps.

Procedure


Step 1 Go to Access Policies > Access Services > 802.1X > Authorization (see Figure 72).

Figure 72 Network Access Authorization Policy

Step 2 To set up an authorization policy for 802.1X-capable IP phones, click Create.

Step 3 In the screen shown in Figure 73, do the following:

a. For the Name, enter a new name; for example, Match-1X-Phone-Authz.

b. Select the Compound Condition checkbox.

c. From the Dictionary drop-down menu, select System.

Figure 73 Creating an Authorization Policy

d. For Attribute, click Select and select IdentityGroup (see Figure 74).

Figure 74 Attribute List

e. Click OK.

f. In the Operator drop-down menu, make sure that In is selected.

g. Click Select to select IP Phones from the Network Device Groups list (see Figure 75).

Figure 75 Network Device Groups

Step 4 Select Add.

Step 5 In the Results/Authorization Profiles section, click Select.

Step 6 Select the previously created Phone-Authz profile (see Figure 76).

Figure 76 Authorization Profiles List

Step 7 Click OK and then click OK again.

Click Save Changes.


Adding 802.1X-CorpUserRule

Complete the following steps.

Procedure


Step 1 In the screen shown in Figure 72, click Create.

Step 2 In the screen shown in Figure 77, do the following:

a. For the Name, enter a new name; for example, 802.1X-CorpUserRule.

b. Select the Compound Condition checkbox.

c. From the Dictionary drop-down menu, select AD-AD1.

d. From the attribute list, press Select to select ExternalGroups.

e. Click OK.

f. In the Operator drop-down menu, make sure that contains any is selected.

Figure 77 Creating an Authorization Policy

Step 3 Click Select and select /Users/Domain Users from the Network Device Groups screen (see Figure 78).

Figure 78 Network Device Groups

Step 4 Click OK.

Step 5 Click Add V (see Figure 79).

Figure 79 Clicking Add V

Step 6 Scroll down to the Results/Authorization Profiles section and click Select.

Step 7 Select the previously created CorpUser-Authz profile (see Figure 80).

Figure 80 Authorization Profiles List

Step 8 Click OK and then OK again.

Step 9 Click Save Changes.

Now you should see both the Match-1X-Phone-Authz and the 802.1X-CorpUserRules as authorizations for 802.1X (see Figure 81).

Figure 81 Network Access Authorization Policy


For now, this is all you will create for 802.1X in low impact mode. If your organization has more types of wired 802.1X devices, you may want to try adding more.

As demonstrated in the previous exercises, you used the previously created dACLs and authorization profiles in creating these specific authorization rules for 802.1X. Next, you will do a similar configuration of authorization rules for MAB.

Adding Authorization Rules for MAB Service

MAB IP Phones Rule

In this section you will set up an identity source and authorization rule to match IP phones in the MAB access service. This ensures that the MAB authenticated phones are put into the voice VLAN for proper access. All successfully authenticated non-802.1X phones obtain the Phone-Authz profile, which allows full access to the voice VLAN with no ACL restrictions; that is, permit ip any any.

Complete the following steps.

Procedure


Step 1 From the MAB Access Service section, select Identity (see the left-hand side of Figure 82).

Step 2 Press Select.

Step 3 In the screen shown in the right-hand side of Figure 82, do the following:

a. Select Internal Hosts.

b. Click OK.

c. Click Submit.

Figure 82 Selecting Internal Hosts

Step 4 From the MAB Access Service section, select Authorization and click Create.

Step 5 In the screen shown in Figure 83, do the following:

a. For the name, enter an appropriate name; for example, MAB-Phone-Authz.

b. Check the Compound Condition checkbox.

c. From the Dictionary drop-down menu, select System and then click Select.

Figure 83 Creating an Authorization Policy

Step 6 From the Attribute List (see Figure 84), select Identity Group and click OK.

Figure 84 Attributes List

Step 7 In the Operator drop-down menu, make sure that In is selected and click Select.

Step 8 From the Network Device Groups list, select IP Phones (see Figure 85).

Figure 85 Network Device Groups

Step 9 Click Add.

Step 10 In the Results/Authorization Profiles section, click Select and select the previously created Phone-Authz profile (see Figure 86).

Figure 86 Authorization Profiles List

Step 11 Click OK and then click OK again.

Step 12 Click Save Changes.


Adding a MAB Contractor Rule

To add a MAB contractor rule, complete the following steps.

Procedure


Step 1 From the MAB Access Service section, select Authorization and click Create.

Step 2 In the window shown in Figure 87, do the following:

a. For the Name, enter an appropriate name; for example, MAB-Contractor-Authz.

b. Select Compound Condition

c. From the Dictionary drop-down menu, select System and then press the Select button.

Figure 87 Creating an Authorization Policy

Step 3 From the Attribute List (see Figure 88), select Identity Group and then click OK.

Figure 88 Attribute List

Step 4 In the Operator drop-down menu, make sure In is selected.

Step 5 From the Network Device Groups list (see Figure 89), click Select to select Contractor.

Figure 89 Network Device Groups

Step 6 Click Add.

Step 7 In the Results/Authorization Profiles section, click Select and select the previously created Contractor-Authz profile (see Figure 90).

Figure 90 Authorization Profiles List

Step 8 Click OK and then click OK again.

Step 9 Click Save Changes.


Adding a MAB MediaNet Rule

To add a MAB MediaNet rule, complete the following steps.

Procedure


Step 1 From the MAB Access Service section, select Authorization and click Create.

Step 2 In the window shown in Figure 91, do the following:

a. For the Name, enter an appropriate name; for example, MAB-MediaNet-Authz.

b. Select Compound Condition.

c. From the Dictionary drop-down menu, select System and then press the Select button.

Figure 91 Creating an Authorization Policy

d. From the Attribute List (see Figure 92) select Identity Group and click OK.

Figure 92 Attribute List

Step 3 In the Operator drop-down menu, make sure In is selected and click Select.

Step 4 From the Network Device Groups list (see Figure 93), select MACHINES.

Figure 93 Network Device Groups

Step 5 Click Add.

Step 6 In the Results/Authorization Profiles section, click Select button and select the previously created MediaNet-Authz profile (see Figure 94).

Figure 94 Authorization Profiles List

Step 7 Click OK and then click OK again.

Step 8 Click Save Changes.

You should have now three authorization rules for MAB, as shown in Figure 95:

MAB-Phone-Authz

MAB-Contractor-Authz

MAB-MediaNet-Authz

These apply differentiated authorization policy per group type.

Figure 95 MAB Authorization Policies


Configuring the Switch

This section includes the following topics:

Global Switch Default ACLs

Switch Port Configuration

Global Switch Default ACLs

Apply the following pre-authentication ACL to be applied to the TrustSec-enabled ports:

ip access-list extended PRE-AUTH
 remark Allow DHCP
  permit udp any eq bootpc any eq bootps
 remark Allow DNS
  permit udp any any eq domain
 remark Allow Websense
  permit tcp any any eq 15871
 remark Deny access to HO
  deny ip any 10.0.0.0 0.255.255.255
  deny ip any 192.168.0.0 0.0.255.255
  deny ip any 172.16.0.0 0.15.255.255
 remark Allow access to internet
  permit tcp any any eq www
  permit tcp any any eq 443
 
   

To enable dACLs, you must first configure your access switch to allow communications using the cisco-av-pair attribute with the value aaa:event=acl-download. To enable this functionality, enter the following command in the global configuration of the switch. Failure to add this command results in failed authentication/authorization requests.

conf t
 radius-server vsa send
 end
 
   

Switch Port Configuration

Access your switch console and add ip access-group PRE-AUTH to the TrustSec-enabled ports you have configured for this exercise:

interface range fa2/1-16
  shut
  switchport access vlan 210
  switchport voice vlan 211
  switchport mode access 
  ip access-group PRE-AUTH in
  authentication host-mode multi-domain 
  authentication open 
  authentication port-control auto
  mab
  dot1x pae authenticator
  ip verify source vlan dhcp-snooping
  no shut
 
   

You are adding only one new line to the configuration (ip access-group PRE-AUTH in) and modifying the host-mode from multiauth to multidomain, which restricts one host in the voice VLAN and one host in the data VLAN. You can use the above configuration as a reference to the other configuration items that should be enabled on the low impact identity-enabled ports.

Configuring the Endpoint Host

For the purposes of this TrustSec phased deployment demonstration, the 802.1X client configuration is limited to Windows XP, the Cisco Secure Services Client (SSC), and PEAP as the authentication protocol.

Before installing Cisco SSC on your Windows XP PC, make sure you do not have any other 802.1X supplicant installed or configured. If you do, remove the supplicant and reboot before starting the next procedure.

To configure the endpoint host, complete the following steps.

Procedure


Step 1 Download the latest version of Cisco's SSC (v5.1.1 or later) from http://tools.cisco.com/support/downloads/ to your desktop on the Windows XP machine.

You need both of the following installation applications:

Cisco_SSC-XP2K_5.1.1.3.zip—Required to install the supplicant on the host PC.

Cisco_SSCMgmtUtil_5.1.1.4.zip—Required on by the Administrator to create profiles.

Step 2 Unzip the archive, and run the Cisco SSC Installer (see Figure 96).

Figure 96 Cisco SSC Installer

Step 3 Accept the terms and default installation directory (see Figure 97) and click Install.

Figure 97 Installation Directory

The two screens shown in Figure 98 show the installation progress

Figure 98 Installation Progress

Step 4 When the installation is complete, click Finish.

Step 5 Select Yes to reboot.

You are required to reboot.

Figure 99 Reboot Screen

Step 6 When the Windows XP PC has rebooted, log back in as the Administrator.

Step 7 To configure the client for network access, run the sscManagementUtility.exe file.

Step 8 Click Create New Configuration Profile > and select Cisco SSC 5.0 > (see Figure 100).

Figure 100 Welcome and Select Cisco SSC Version Screens

Step 9 In the Client Policy screen (see Figure 101), do the following:

a. Paste in your license key.

b. Select the Attempt connection before user logon radial button.

c. Check the Allow Wired (802.3) Media checkbox.

d. Click Next.

Step 10 In the Authentication Policy screen (see Figure 101) select all of the Association and Authentication modes and click Next.

Figure 101 Client Policy and Authentication Policy Screens

Step 11 To create a network profile for each network to which you connect, click Add Network.

Step 12 In the Network Media screen (see Figure 102), accept the default and click Next.

Figure 102 Network Media and Wired Network Settings Screens

Step 13 In the Wired Network Settings screen (see Figure 102), do the following:

a. Enter a name for this network; for example, Demo.local Wired Network.

b. Change the Connection Timeout to 30.

c. Select Authenticating Network.

d. Click Next.

Step 14 In the Connection Settings screen (see Figure 103), set the Connection Settings as shown and click Next.

Figure 103 Connection Settings and Network Connection Type Screens

Step 15 In the Network Connection Type screen (see Figure 103), select Machine and User Connection and click Next.

Step 16 In the Machine Authentication (EAP) Method screen (see Figure 104), select EAP PEAP and click the Configure button.

Figure 104 Machine Authentication (EAP) Method and EAP PEAP Settings Screens

Step 17 In the EAP PEAP Settings screen (see Figure 104), for the EAP PEAP setting, check the boxes as shown, click OK, and click Next.

Step 18 In the Machine Credentials screen (see Figure 105), select Use Machine Credentials radial box and click Next.

Figure 105 Machine Credentials and User Authentication (EAP) Method Screens

Step 19 In the User Authentication (EAP) Method screen (see Figure 105), select the EAP PEAP radio box and then click Configure.

Step 20 Select the check boxes and radio buttons as shown in Figure 106 for the EAP PEAP settings, click OK, and then click Next.

Figure 106 EAP PEAP Settings and User Credentials Screens

Step 21 In the User Credentials screen (see Figure 106), accept Use Single Sign On Credentials and click Finish.

Step 22 Click Next to validate the configuration (see Figure 107).

Figure 107 Networks and Validation Screens

Step 23 Click Finish and you are finished with this PC.


Repeat the SCC and Management Utility configuration for other PCs that you are using in this demonstration.


Note There is a way to create an administrative install MSI file with preconfigured settings for a mass deployment. For more information, see the Cisco SSC documentation at the following URL: http://www.cisco.com/en/US/products/ps7034/index.html.

Verifying Low Impact Mode

This section includes the following topics:

Verifying Host Network Connectivity and Network Services

Verifying 802.1X-Capable Managed Assets

Verifying Non-802.1X-Capable Managed Assets


Note Global AAA/RADIUS configuration verification should not be necessary because this was validated in the previous sections.

Verifying Host Network Connectivity and Network Services

A quick way to gain insight into the IP addresses associated with the ports and MAC addresses is to run the show ip dhcp snooping binding Cisco IOS Software CLI switch command (see Figure 108).

Figure 108 show ip dhcp snooping binding Output

Comparing this with the original lab diagram shown in Figure 1, you can see that all of the devices are connected and have an IP address. You also see which VLAN they are in and their MAC addresses. The only exception is the rogue AP on port f2/14.

Another useful IOS show command is show authentication sessions. This displays the state of all TrustSec-enabled switch ports on that switch. Figure 109 and Figure 110 show port-specific derivatives of this command.

Figure 109 show authenticated sessions Output

Figure 110 show cdp neighbors Output

Another quick summary view is to look at the Authentication and Authorization logs within ACS Reporting and Monitoring (see Figure 111).

Figure 111 Authentication and Authorization Logs (1)

The screenshot in Figure 112 is the same list of hosts, which has been scrolled to the right to show the rest of the data available.

Figure 112 Authentication and Authorization Logs (2)

As shown, all of the administratively allowed devices have successfully authenticated and received the authorization policy as prescribed. Note that the host with the MAC address 00-06-25-04-C2-95 failed authentication. By having this log, we know that someone has plugged in a rogue device on switch id-4503-2 on port 50214 (i.e, F2/14). Per policy in Low Impact mode, this device is allowed to gain an IP address and access limited resources per the PRE-AUTH ACL. However, this allows you to also send someone out to determine what the device is and whether it should be on your network.

Verifying 802.1X-Capable Managed Assets

802.1X Cisco IP Phone

This simple verification step verifies that the phone has an IP address and has connected to the Call Manager. One easy test is to pick up the phone and see whether it has dial tone. If it does, chances are everything is working just fine.

For further verification look at the switch port status, as shown in Figure 113.

Figure 113 Switch Port Status

Figure 113 shows that the phone successfully authenticated via 802.1X and was placed in the VOICE VLAN.

Windows XP and Cisco SSC 802.1X Supplicant/Client

Complete the following steps.

Procedure


Step 1 From the Windows XP interface, double-click the SSC icon (that is, the round green icon) in the tray bar (see Figure 114).

Figure 114 SSC Icon in the Tray Bar

This loads the SSC dialog window, showing the status of your connection (see Figure 115).

Figure 115 Connection Status

Step 2 For further verification, look at the switch port status (see Figure 116).

Figure 116 Switch Port Status


Verifying Non-802.1X-Capable Managed Assets

Cisco IP Phone (no 802.1X Supplicant)

Verify that the phone has dial tone and check the authentication status of the switch port. Two non-802.1X phones are on ports F2/12 and F2/13. You can also determine where they are connected by using the following Cisco IOS Software CLI commands:

show cdp neighbors

show ip dhcp snooping binding

show authentication session

You can also check the AAA logs from ACS.

Figure 117 shows the output for show authentication sessions interface f2/12 & f2/13.

Figure 117 show authentication sessions interface f2/12 & f2/13 Output

As shown in the output from these Cisco IOS show commands, two devices are authenticated on each port: a phone and a PC. The phones are placed in the VOICE VLAN and the PCs in the DATA VLAN.

For port F2/12, the phone and the PC are both authenticated via MAB. On port F2/13, the phone is authenticated via MAB and the PC is authenticated via 802.1X. Both ports have the same configuration. This is the power of FlexAuth combined with multiauth.

You can also repeat the validation steps performed in the "Verifying Monitor Mode" section for a complete validation.

Implementing High Security Mode

This section includes the following topics:

High Security Mode Overview

Modifying Authorization Profiles

Verifying Global Switch VLAN Definition

Configuring the Switch Port

Verifying High Security Mode

High Security Mode Overview

Low impact mode may fulfill initial access security requirements for many organizations. For those that need stricter access controls may choose to deploy high security mode.

High security mode returns to the traditional closed mode of 802.1X, in conjunction with dynamic VLAN assignment for differentiated access. Although high security mode represents a more traditional deployment model, the new Cisco IOS FlexAuth feature set can be used to create a flexible, adaptable deployment.

FlexAuth allows you to configure secondary authentication methods to 802.1X, such as MAB and/or Web Authentication for guest access. Additionally, FlexAuth allows you to re-order the sequence of authentication. For example, you can try MAB before 802.1X.

Because you are moving from monitor or low impact mode, the base infrastructure configuration is already in place. Here you need to modify only the authorization profiles and switch port configurations.

Modifying Authorization Profiles

For high security mode, you are going to modify the five existing authorization profiles. The authorization is changed from dACLs to VLANs.

Table 13 lists the authorization profiles for all three modes.

Table 13 Authorization Profiles

Profile Name
Description
VLAN
dACL
Monitor Mode

No Authorization Profile Required

n/a

n/a

n/a

Low Impact or Selective Access Mode

Phone-Authz

Policy to map IP phones to Voice VLAN

n/a

CorpAssetACL

Managed-Asset-Authz

Policy to be applied to managed assets

n/a

CorpAssetACL

MediaNet-Authz

Policy for Cisco MediaNet endpoints

n/a

CorpAssetACL

CorpUser-Authz

Policy for valid AD authenticated users

n/a

CorpUserACL

Contractor-Authz

Policy for short-term contractors

n/a

ContractorACL

High Security Mode

Phone-Authz

Policy to map IP phones to Voice VLAN

N/A

n/a

Managed-Asset-Authz

Policy to be applied to managed assets

MACHINE

n/a

MediaNet-Authz

Policy for Cisco MediaNet endpoints

MEDIANET

n/a

CorpUser-Authz

Policy for valid AD authenticated users

DATA

n/a

Contractor-Authz

Policy for short-term contractors

CONTRACTOR

n/a


To modify existing authorization profiles, first access the ACS web interface and go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles (see Figure 118).

Figure 118 Authorization Profiles Screen

From here, modify the existing profiles by completing the following steps.

Modifying the Phone-Authz Profile


Step 1 Select the Phone-Authz profile (see Figure 119).

Figure 119 Modifying the Phone-Authz Profile

Step 2 Select the Common Tasks tab.

Step 3 Under the ACLS section, from the Downloadable ACL Name drop-down menu, change static to Not in Use (see Figure 120).

Figure 120 Authorization Profiles—Common Tasks Tab

Step 4 Click Submit to finish.


Repeat these steps for the rest of the Authz profiles created, using Table 13 to map the appropriate VLANs to these profiles.

Modifying the Managed-Asset-Authz Profile


Step 1 Select the Managed-Asset-Authz profile (see Figure 121).

Figure 121 Modifying Managed-Asset-Authz Profile

Step 2 Select the Common Tasks tab (see Figure 122) and do the following:

a. For the VLAN ID/Name drop-down option, select static.

b. In the Value input field, type MACHINE.

c. Under the ACLS section, from the Downloadable ACL Name drop-down menu, change static to Not in Use.

Figure 122 Authorization Profiles—Common Tasks Tab

Step 3 Click Submit.


Modifying the MediaNet-Authz Profile


Step 1 Select the MediaNet-Authz profile (see Figure 123).

Figure 123 Modifying the MediaNet-Authz Profile

Step 2 Select the Common Tasks tab (see Figure 124) and do the following:

a. For the VLAN ID/Name drop-down option, select static.

b. In the Value input field, type MEDIANET.

c. Under the ACLS section, from the Downloadable ACL Name drop-down menu, change static to Not in Use.

Figure 124 Authorization Profiles—Common Tasks Tab

Step 3 Click Submit.


Modifying the CorpUser-Authz Profile


Step 1 Select the CorpUser-Authz profile (see Figure 125).

Figure 125 Modifying the CorpUser-Authz Profile

Step 2 Select the Common Tasks tab (see Figure 126) and do the following:

a. For the VLAN ID/Name drop-down option, select static.

b. In the Value input field, type DATA.

c. Under the ACLS section, from the Downloadable ACL Name drop-down menu, change static to Not in Use.

Figure 126 Authorization Profiles—Common Tasks Tab

Step 3 Click Submit.


Modifying the Contractor Authorization Profile


Step 1 Select the Contractor-Authz profile (see Figure 127).

Figure 127 Modifying the Contractor-Authz Profile

Select the Common Tasks tab (see Figure 128) and do the following:

a. For the VLAN ID/Name drop-down option, select static.

b. In the Value input field, type CONTRACTOR.

c. Under the ACLS section, from the Downloadable ACL Name drop-down menu, change static to Not in Use.

Figure 128 Authorization Profiles—Common Tasks Tab

Step 2 Click Submit.


Verifying Global Switch VLAN Definition

Verify that the VLANs listed in Table 14 are enabled on the TrustSec-enabled switch.

Table 14 VLANs

VLAN NAME
VLAN ID
IP
Description
Monitor Mode

DATA

210

10.200.10.x/24

All non-Voice

VOICE

211

10.200.11.x/24

Voice Only

High Security Mode (Above plus those listed below)

MACHINES

212

10.200.12.x/24

Managed Host/Assets

GUEST

213

10.200.13.x/24

Non-802.1X responsive Host

CONTRACTOR

214

10.200.14.x/24

Reserved for Contractors

AUTHFAIL

215

10.200.15.x/24

Failed 802.1X attempts


Figure 129 shows the output for the show run | begin vlan internal command.

Figure 129 show run | begin vlan internal Output

Configuring the Switch Port

Access your switch console and remove ip access-group PRE-AUTH in and authentication open on all of the TrustSec-enabled ports you have configured in the previous monitor and low impact modes:

interface range fa2/1-16
  shut
  switchport access vlan 210
  switchport voice vlan 211
  switchport mode access 
 
   
  ip access-group PRE-AUTH in <- Remove this entry
  no ip access group PRE-AUTH in
  authentication open <- Remove this entry
  no authentication open
 
   
  authentication host-mode multi-domain 
  authentication port-control auto
  mab
  dot1x pae authenticator
  ip verify source vlan dhcp-snooping
  no shut
 
   

When complete, make sure you bounce the affected interfaces by using the shut and then the no shut commands.

Verifying High Security Mode

This section includes the following topics:

Verifying Host Network Connectivity and Network Services

Verifying 802.1X-Capable Managed Assets

Verifying Non-802.1X-Capable Managed Assets


Note Global AAA/RADIUS configuration verification should not be necessary because this was validated in the previous sections.

Verifying Host Network Connectivity and Network Services

The show authentication sessions Cisco IOS command is useful to display the state of all TrustSec-enabled switch ports on that switch. Figure 130 shows a port-specific derivative of this command.

Figure 130 show authenticated sessions Output

You can also see the authentication status for a specific port; for example, show authentication session int f2/1 (see Figure 131).

Figure 131 show authentication session int f2/1 Output

For another quick summary view, look at the Authentication and Authorization logs within ACS Reporting and Monitoring (see Figure 132).

Figure 132 Authentication and Authorization Logs (1)

The screenshot shown in Figure 133 is the same list of hosts, which has been scrolled to the right to show the rest of the data available.

Figure 133 Authentication and Authorization Logs (2)

As shown, all the administratively allowed devices have successfully authenticated and received the authorization policy as prescribed. Note that the host with the MAC address 00-06-25-04-C2-95 failed authentication. By having this log, you know that someone has plugged in a rogue device on switch id-4503-2 on port 50214 (that is, F2/14). Per policy in high security mode, this device is not allowed to gain access to the network.

Verifying 802.1X-Capable Managed Assets

802.1X Cisco IP Phone

In this simple verification step, verify that the phone has an IP address and has connected to the Call Manager. One easy test is to pick up the phone and see whether it has dial tone. If it does, chances are everything is working just fine.

For further verification, you can look at the switch port status (see Figure 134).

Figure 134 Switch Port Status

As shown, the phone successfully authenticated via 802.1X, was placed in the VOICE VLAN, and the host mode is multidomain.

Windows XP and Cisco SSC 802.1X Supplicant/Client


Step 1 From the Windows XP interface, double-click the SSC icon in the tray bar.

Figure 135 Cisco SSC Icon in the Tray Bar

This loads the SSC dialog window showing the status of your connection (see Figure 136).

Figure 136 Connection Status

Step 2 For further verification, look at the switch port status (see Figure 137).

Figure 137 Switch Port Status


Verifying Non-802.1X-Capable Managed Assets

Cisco IP Phone (no 802.1X Supplicant)

Verify dial tone and look at the authentication status of the switch port. From before, two non-802.1X-capable phones are on ports F2/12 and F2/13. You can also determine where they are connected from the following Cisco IOS commands:

show cdp neighbors

show ip dhcp snooping binding

show authentication session

You can also check the AAA logs from ACS.

Figure 138 shows the output for the show authentication sessions interface f2/12 & f2/13 command.

Figure 138 show authentication sessions interface f2/12 and f2/13 Output

As shown from the output of these Cisco IOS show commands, two devices are authenticated on each port: a phone and a PC. The phones are placed in the VOICE domain and the PCs in the DATA domain.

For port F2/12, the phone and the PC are both authenticated via MAB. On port F2/13, the phone is authenticated via MAB and the PC is authenticated via 802.1X. Both ports have the same configuration. This is the power of FlexAuth and multiauth.

Furthermore, using the show vlan command, you can see that interface f2/12 is in both the VOICE and CONTRACTOR VLANs (see Figure 139).

Figure 139 show vlan Output

The phone that is in the VOICE domain has been placed in the VOICE VLAN and the PC that is in the DATA domain is in the CONTRACTOR VLAN.

You can also repeat the validation steps performed in the "Verifying Monitor Mode" section for a complete validation.

Creating a Certificate for a Windows XP Browser

To create a certificate for your Windows XP browser, complete the following steps.

Procedure

Step 3 Access your CA via your browser; for example, http://demo.local/certsrv/ (see Figure 140).

Figure 140 Microsoft Certificate Services Screen

Step 4 Select Download a CA Certificate, Certificate Chain, or CRL (see Figure 141).

Figure 141 Selecting a Certificate to Download

Step 5 Download a CA Certificate (see Figure 142, Figure 143, Figure 144, Figure 145, and Figure 146).


Note ACS supports only the DER certificate format. Save the certificate (demo-local-ca-cert.cer) for installation into your browser or applications.

Figure 142 Opening the Certificate

Figure 143 Certificate Import Wizard and Select Certificate Store Screens

Figure 144 Completing the Certificate Import Wizard Screen

Figure 145 Warning Message

Figure 146 Success Message

References

TrustSec 1.99 Documents

Wired 802.1X Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html

IP Telephony for 802.1X Design Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html

MAC Authentication Bypass Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/MAB/MAB_Dep_Guide.html

TrustSec Phased Deployment Configuration Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Phased_Deploy/Phased_Dep_Guide.html

Local WebAuth Deployment Guide— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html

Scenario-Based TrustSec Deployments Application Note— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Scenario_based_AppNote/Scenario_based_AN.html

TrustSec 1.99 Deployment Note: FlexAuth Order, Priority, and Failed Authentication— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/FlexAuthNote/flexauth-note.html

TrustSec Planning and Deployment Checklist— http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/TrustSec_Checklist/trustsec-199_checklist.html

Related Documents

Configuring WebAuth on the Cisco Catalyst 3750 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/sw8021x.html

Configuring WebAuth on the Cisco Catalyst 4500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/53SG/configuration/webauth.html

Configuring WebAuth on the Cisco Catalyst 6500 Series Switches— http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html

Cisco IOS Firewall authentication proxy— http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml

WebAuth with Cisco Wireless LAN Controllers— http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#external-process