
CCIE Security V4 Technology Labs Section 4:

Identity Management

802.1x Authentication with Cisco ACS


Last updated: May 16, 2013

Task
The Test PC should authenticate at the switch port using 802.1x.
Use EAP-PEAP authentication from the client to ACS1.
When authenticated, the client should be placed into VLAN 192.

Configuration
ACS:
In ACS we need to create an access policy. Navigate to Access Policies>Access Services and
click the Create button.

The first configuration page we see is the General page. This is where we name the Access
Service and set the User Selected Service Type to Network Access. Then we set the Policy
Structure options to Identity and Authorization.
Click the Next button.

In step 2 you define the allowed protocols. We want to allow PEAP, with EAP-MS-CHAPv2 as the
PEAP inner method.
Click Finish.

Now to activate the service we need to modify the Service Selection policy. ACS informs us of this
with a pop-up message. By clicking Yes, ACS will take us to the Service Selection Rules page to
configure our rules.

Select Rule-1 and click the Edit button.

A web page dialog appears to configure the Service Rules. In the Conditions area ensure that the
check box next to Protocol is selected and that we are matching Radius. In the Results area ensure
the service selected is eap-peap.
Click the OK button.

Now you are returned to the Service Selection Policy page, and you should see output that
resembles the graphic below. You need to click the Save Changes button or the changes will not
be saved. Once you save the changes, click the Identity link in the left-hand navigation menu.

Change the identity policy to Rule Based Result Selection. Select the OK button.

Click the Save Changes button.

On the same page click the Create button to create our selection rules.

Name the rule and make sure it is enabled. Select the checkbox to define a Compound Condition.
Next, in the Dictionary drop-down select System, and then the EapAuthentication attribute. Set the
Operator to match and the Value to Static, then click the Select button and find EAP-MSCHAPv2. Click the Add button, then set the Identity Source to AD1 and click OK.

Click Save Changes.

Now navigate to
Network Resources>Network Device Groups>Network Devices and AAA Clients.

Click Create.

Now we add SW1 as an AAA client. We give it a name here to distinguish it in our configuration. The
switch has already been configured as a TACACS+ client for management purposes, and we can't
reuse the same address, so the TACACS+ configuration used a loopback address. In this
configuration we are using 10.0.1.11. The protocol for this configuration needs to be RADIUS.

Test PC:
On the Test PC we need to install the CA certificate, since we installed the CA certificate on ACS
in a previous task. For this we return to the CA server and download the CA certificate.

Download the CA certificate as a Base64 certificate. Note that there may be some warnings about
ActiveX, and you may need to allow ActiveX to run.

Once ActiveX is allowed click Save.

Click Open.

Click Open again when prompted by the Open File - Security Warning dialog.

When the certificate opens click the Install Certificate button.

Now we follow the Certificate Import wizard. Click Next.

Place the certificate in the Trusted Root Certificate Authorities Certificate store. Click Next.

Click Finish.

After a moment a Security Warning appears. Click Yes to install the certificate. We receive this
warning because Windows can't validate that the certificate was issued by the inelab-CA authority.

Click OK

Next, enable the Wired AutoConfig service in Windows. If this service is not enabled we don't see
the Authentication tab in the LAN connection properties.

Also, it's a good idea to set the service to start automatically.

Now go into the Network Properties. Click the Authentication tab and select the
Enable IEEE 802.1X authentication checkbox. Next, make sure Microsoft: Protected EAP (PEAP) is
selected from the drop-down menu and click the Settings button.

In the Protected EAP Properties page we want to set the authentication method drop-down to Secured
password (EAP-MSCHAP v2). By default Windows will use your Windows logon name
and password for this authentication, and we don't want this to happen right now. Click Configure.

Deselect the checkbox.

And finally in the 802.1X settings we want to set the drop down to use User Authentication.

SW1:

!
! Add the Radius Server
!
ip radius source-interface Vlan10
radius-server host 10.0.1.101 auth-port 1645 acct-port 1646 key radkey
!
! Define the authentication methods and enable dot1x.
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Enable the interface for dot1x control
!
interface FastEthernet0/5
 authentication port-control auto
 dot1x pae authenticator
!

Verification
On the client side, you should be presented with a bubble to provide credentials. If not, shut/no shut
the interface.

Enter credentials with the domain name shown here.

Now check the switch to see authentication status.

Rack1SW1#sh dot1x int f0/5 det

Dot1x Info for FastEthernet0/5
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List
-------------------------------
Supplicant                = 586d.8fce.a7cd
Session ID                = 0A00010B0000000B0B348826
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE

Port Status               = AUTHORIZED
Rack1SW1#

Review the status in ACS.
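To check this result on more than one port without reading the output by eye, here is an added Python example (it is not part of the INE workbook) that parses the key = value lines of the show dot1x output and tests them against this task's expectations; the sample text is constructed from the output shown above.

```python
import re

# Constructed sample, modelled on the 'sh dot1x int f0/5 det' output in this lab.
SAMPLE_OUTPUT = """\
Dot1x Info for FastEthernet0/5
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = SINGLE_HOST

Dot1x Authenticator Client List
-------------------------------
Supplicant                = 586d.8fce.a7cd
Session ID                = 0A00010B0000000B0B348826
Auth SM State             = AUTHENTICATED
Auth BEND SM State        = IDLE

Port Status               = AUTHORIZED
"""

# One 'Key   = Value' line; the key may contain spaces (e.g. "Auth SM State").
_KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<val>\S.*?)\s*$")


def parse_dot1x_detail(text):
    """Turn the key = value lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val")
    return fields


def check_port(text):
    """Return (ok, reasons) for this lab's expectations: the port is an
    authenticator with port-control auto, one supplicant has reached
    AUTHENTICATED, and the port itself is AUTHORIZED."""
    f = parse_dot1x_detail(text)
    reasons = []
    if f.get("PAE") != "AUTHENTICATOR":
        reasons.append("dot1x pae authenticator missing on the interface")
    if f.get("PortControl") != "AUTO":
        reasons.append("authentication port-control is not auto")
    if "Supplicant" not in f:
        reasons.append("no supplicant seen; client never sent EAPOL (try shut/no shut)")
    elif f.get("Auth SM State") != "AUTHENTICATED":
        reasons.append("supplicant state is %s, not AUTHENTICATED" % f["Auth SM State"])
    if f.get("Port Status") != "AUTHORIZED":
        reasons.append("port status is %s" % f.get("Port Status", "missing"))
    return (not reasons, reasons)
```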
