IronShield White Paper: 802.1X Port Authentication with Microsoft’s Active Directory
• When the Permissions window is displayed, select the “Grant remote access permission” option and select “Next”. This will grant access based on group membership.
• When the User Profile window appears, select the “Edit Profile” button.
Figure 25. Granting Permissions and User Profile Screens
The Edit Dial-In Profile screen, which contains several tabs, will be displayed.
• On the Edit Dial-In Profile screen, select the “Authentication” tab and check the “Extensible Authentication Protocol” option.
• From the “… EAP type” drop-down box, select the “MD5-Challenge” option to support the Foundry devices. Uncheck all other authentication types listed under the drop-down box.
Figure 26. Authentication Tab Settings
• On the Edit Dial-In Profile screen, select the “Encryption” tab and check the “Strongest” encryption option. This step is not required for EAP-MD5, but is performed as a safeguard to prevent weaker encryption options from being used in the future.
Figure 27. Encryption Tab Settings
March 2003, ©2003 Foundry Networks, Inc., Version 1.0.0, All Rights Reserved. Page 21
• On the Edit Dial-In Profile screen, select the “IP” tab and check “Client may request an IP address” to support DHCP.
• On the Edit Dial-In Profile screen, select the “Advanced” tab. The current default parameters returned to the Foundry device should be Service-Type and Framed-Protocol.
• Select the “Add” button to add the additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment.
Figure 28. Connection Attributes Screen
• The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
  o Tunnel-Medium-Type
  o Tunnel-Pvt-Group-ID
  o Tunnel-Type
Figure 29. RADIUS Attribute Screen
• Select Tunnel-Medium-Type and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Enumerable Attribute Information screen is displayed. Select the “802” value from the Attribute Value drop-down box.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen (Figure 29).
Figure 30. 802 Attribute Setting for Tunnel-Medium-Type
• Select Tunnel-Pvt-Group-ID and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen (Figure 29).
Figure 31. VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID
• Select Tunnel-Type and click on the “Add” button.
• On the Multivalued Attribute Information screen, click on the “Add” button.
• The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the Attribute Value drop-down box.
• Select “OK” to accept the value.
• Return to the RADIUS Attribute Screen (Figure 29) and select the “Close” button.
Figure 32. VLAN Attribute Setting for Tunnel-Type
The completed Advanced Tab should resemble the illustration in Figure 33.
Repeat this step, Configuring Remote Access Policies, for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list.
Figure 33. Completed Advanced Tab
Creating Port-Based VLANs
Port-Based VLANs must be created on each Foundry device participating in the 802.1X Dynamic VLAN Assignment topology. 802.1X Dynamic VLAN Assignment is only supported on port-based VLANs; this feature cannot be used to place an 802.1X-enabled port into a Layer 3 protocol VLAN.
Step 1: Create the necessary Port-Based VLANs on each Foundry device. The VLAN IDs or Names must match the Tunnel-Pvt-Group-ID used in the Remote Access Policies created in the previous step.
To create the port-based VLAN: Syntax: vlan <vlan-id> by port
To add ports: Syntax: untagged ethernet <portnum> | pos <portnum> [to <portnum> | ethernet <portnum>]
To turn on Spanning Tree Protocol: Syntax: [no] spanning-tree
EXAMPLE
This example creates a port-based VLAN with the VLAN ID of 10 and assigns an untagged uplink port E7/24 to
the VLAN. Users matching the VLAN Group ID of 10 will be automatically added to this VLAN using 802.1X
Dynamic VLAN Assignment.
Dept_Switch-1(config)# vlan 10 by port
Dept_Switch-1(config-vlan-10)# untagged eth 7/24
Dept_Switch-1(config-vlan-10)# spanning-tree
Dept_Switch-1(config-vlan-10)# exit
Dept_Switch-1(config)# write memory
Step 2: Repeat Step 1 for each Port-Based VLAN that needs to be created.
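The two requirements stated above and in the Remote Access Policy section are easy to get wrong by hand: every Tunnel-Pvt-Group-ID must name a port-based VLAN that actually exists on the switch, each VLAN policy must carry Tunnel-Type = Virtual LANs (13) and Tunnel-Medium-Type = 802 (6), and every VLAN Group policy must sit above the general policies. The following Python script is an added example, not Foundry’s or Microsoft’s code; it parses a “show run” excerpt in the format shown below, compares it with a constructed list of Remote Access Policies (the policy list and the configuration text are both made-up samples), and reports any mismatch or ordering problem.

```python
"""Cross-check IAS Remote Access Policy VLAN attributes against a Foundry
switch's port-based VLAN configuration and the policy ordering.
Added example; not Foundry's or Microsoft's code. The policy list and the
"show run" excerpt are constructed samples."""
import re

# RADIUS tunnel attribute values (RFC 2868). IAS displays Tunnel-Type 13 as
# "Virtual LANs (VLAN)" and Tunnel-Medium-Type 6 as "802".
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed: Remote Access Policies in the order IAS evaluates them. The
# last VLAN policy is deliberately misplaced after the general policy.
POLICIES = [
    {"name": "VLAN Group 5", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
     "Tunnel-Pvt-Group-ID": "5"},
    {"name": "VLAN Group 30", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
     "Tunnel-Pvt-Group-ID": "30"},          # no VLAN 30 on the switch
    {"name": "Day-And-Time Restriction"},  # general policy, no VLAN attributes
    {"name": "VLAN Group 10", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
     "Tunnel-Pvt-Group-ID": "10"},          # valid, but listed too late
]

# Constructed excerpt in the format of the paper's "show run" output.
SHOW_RUN = """\
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
!
vlan 20 by port
!
vlan 5 by port
 untagged ethe 22
"""


def parse_port_vlans(show_run):
    """Return {vlan_id: name or None} for each 'vlan N [name X] by port' line."""
    vlans = {}
    for m in re.finditer(r"^vlan (\d+)(?: name (\S+))? by port$", show_run, re.M):
        vlans[int(m.group(1))] = m.group(2)
    return vlans


def is_vlan_policy(policy):
    return "Tunnel-Pvt-Group-ID" in policy


def check_policies(policies, vlans):
    """Return a list of (policy name, problem); an empty list means consistent."""
    findings = []
    # Tunnel-Pvt-Group-ID may carry either the VLAN ID or the VLAN name.
    known = {str(vid) for vid in vlans} | {name for name in vlans.values() if name}
    for p in policies:
        if not is_vlan_policy(p):
            continue
        if p.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
            findings.append((p["name"], "Tunnel-Type is not Virtual LANs (13)"))
        if p.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
            findings.append((p["name"], "Tunnel-Medium-Type is not 802 (6)"))
        gid = p["Tunnel-Pvt-Group-ID"]
        if gid not in known:
            findings.append((p["name"],
                             f"Tunnel-Pvt-Group-ID {gid} matches no port-based VLAN"))
    # Ordering: every VLAN Group policy must precede the first general policy,
    # otherwise the general policy can match first and no VLAN is returned.
    first_general = next((i for i, p in enumerate(policies) if not is_vlan_policy(p)),
                         len(policies))
    for p in policies[first_general:]:
        if is_vlan_policy(p):
            findings.append((p["name"], "listed after a general policy; move it up"))
    return findings


if __name__ == "__main__":
    for name, problem in check_policies(POLICIES, parse_port_vlans(SHOW_RUN)):
        print(f"{name}: {problem}")
```

Run the script against a saved “show run” capture and an export of the policy list before restarting IAS; a clean run prints nothing, and each finding names the policy to correct.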
Testing The Dynamic VLAN Feature
In order to successfully test the 802.1X Dynamic VLAN Assignment feature, the following components must be
fully installed and configured according to the procedures outlined in this White Paper:
• IAS RADIUS Server
• Active Directory Server
• Foundry 802.1X capable device with version 07.6.03 code or later
• 802.1X compliant workstation or file server
Make sure the order of the Remote Access Policies is correct. The VLAN Group Policies should be listed ahead of
any other general policies – such as the Day-And-Time Restriction Policy.
Step 1: To ensure that Microsoft’s IAS service recognizes all the new Remote Access Policies and changes, stop and start the IAS service. This can be done from the Internet Authentication Service management screen by right-clicking on the Internet Authentication Service (local) option and selecting Stop Service to stop the IAS service and Start Service to start the IAS service.
Step 2: Using a workstation that is configured properly for 802.1X client support, connect to the Foundry device’s 802.1X enabled port.
Step 3: Follow the steps outlined in the section “Testing The Client Connection” to authenticate the client. Use one of the accounts that were added to a valid VLAN Group created on the Active Directory server.
Step 4: Once the client is authenticated, check the Foundry device to make sure the client’s port is added to the proper Port-Based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN assignment:
Syntax: show run
Displays the dynamically assigned ports in each Port-Based VLAN.
Syntax: show interface
Displays detailed port information showing the original Layer 2 VLAN the port belonged to before the automatic assignment and the VLAN membership after the automatic assignment.
EXAMPLE – Show Run Command
This example shows the results of the “show run” command. An 802.1X client was authenticated using a valid Windows account on the Active Directory server that is a member of VLAN Group 5. From the “show run” illustration, the 802.1X client is connected to port Ethernet 22. After successful authentication, port Ethernet 22 is automatically assigned to Port-Based VLAN 5 as an untagged port.
SW-telnet@FI4802-PREM#show run
ver 07.6.03B2T51
!
dot1x-enable
enable ethe 20 to 29
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
!
vlan 20 by port
!
vlan 5 by port
untagged ethe 22
EXAMPLE – Show Interface Command
This example shows the dynamic VLAN information for port Ethernet 22 after the automatic VLAN assignment
was made. Note the original VLAN ID was 1 and the new dot1x-RADIUS assigned VLAN is 5.
SW-telnet@FI4802-PREM#sho int e22
FastEthernet22 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
port is untagged, port state is FORWARDING
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
:
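Step 4 is the check that proves the feature worked end to end, so it is worth automating when many ports are tested. The script below is an added example, not Foundry’s code: it parses the “Member of L2 VLAN ID …” line of a “show interface” display in the format shown above, distinguishes a dot1x-RADIUS assigned membership from a static one, and compares the assigned VLAN with the VLAN the user’s group should receive. Both interface displays in it are constructed samples; the static one assumes the same line format without the “(dot1x-RADIUS assigned)” annotation.

```python
"""Parse a Foundry "show interface" display and confirm that an 802.1X port
was moved into the expected VLAN by dot1x-RADIUS assignment.
Added example; not Foundry's code. Both displays are constructed samples."""
import re

# Constructed: port after a successful 802.1X Dynamic VLAN Assignment.
SHOW_INT_ASSIGNED = """\
FastEthernet22 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
port is untagged, port state is FORWARDING
STP configured to ON, priority is level0, flow control enabled
"""

# Constructed: the same port when authentication did not trigger a VLAN move
# (assumed format: the membership line without the dot1x-RADIUS annotation).
SHOW_INT_STATIC = """\
FastEthernet22 is up, line protocol is up
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
"""

MEMBERSHIP_RE = re.compile(
    r"Member of L2 VLAN ID (\d+)"
    r"(?: \((dot1x-RADIUS assigned)\))?"
    r"(?:, original L2 VLAN ID is (\d+))?"
)


def parse_vlan_membership(show_int):
    """Return {'vlan', 'dynamic', 'original'} or None if no membership line."""
    m = MEMBERSHIP_RE.search(show_int)
    if m is None:
        return None
    return {
        "vlan": int(m.group(1)),
        "dynamic": m.group(2) is not None,
        "original": int(m.group(3)) if m.group(3) else None,
    }


def verify_assignment(show_int, expected_vlan):
    """Return (ok, reason) for the port against the VLAN its group should get."""
    info = parse_vlan_membership(show_int)
    if info is None:
        return False, "no L2 VLAN membership line found"
    if not info["dynamic"]:
        return False, f"port is statically in VLAN {info['vlan']}; no dot1x-RADIUS assignment"
    if info["vlan"] != expected_vlan:
        return False, f"dot1x-RADIUS assigned VLAN {info['vlan']} but expected {expected_vlan}"
    return True, (f"port moved from VLAN {info['original']} to "
                  f"dot1x-RADIUS assigned VLAN {info['vlan']}")


if __name__ == "__main__":
    print(verify_assignment(SHOW_INT_ASSIGNED, 5))
    print(verify_assignment(SHOW_INT_STATIC, 5))
```

A static membership after a successful authentication usually means the policy order or one of the three tunnel attributes is wrong on the IAS side; a dynamic membership in the wrong VLAN points at a Tunnel-Pvt-Group-ID that does not match the intended port-based VLAN.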
Foundry Networks, Inc.
Headquarters
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
U.S. and Canada Toll-free: (888) TURBOLAN
Direct telephone: +1 408.586.1700
Fax: 1-408-586-1900
Email: info@foundrynet.com
Web: http://www.foundrynet.com
Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the “Iron” family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other
trademarks are the properties of their respective owners.
© 2003 Foundry Networks, Inc. All Rights Reserved.
Document Outline (Written By: Philip Kwan, March 2003)
- Summary
- Contents
- Disclaimer
- Nomenclature
- Related Publications
- Trademarks
- 802.1X Port Authentication Basics
- Microsoft’s IAS Server
- Sample IAS Installation
- IAS Installation Procedure
- Configuring 802.1X Port Authentication
- Other 802.1X Commands
- Multiple Host Situations
- Configuring Windows Clients
- Testing The Client Connection
- Additional Tips
- Other 802.1X Clients Tested
- Configuring Foundry’s Dynamic VLAN Feature
- Creating Port-Based VLANs
- Testing The Dynamic VLAN Feature