Contributor II
Posts: 90
Registered: ‎12-06-2014

802.1x wired recommendations

I'm setting up 802.1x for wireless and wired. Here are the requirements:

Employee SSID: Domain credentials and Machine account = yes = allow on the network

BYOD = check endpoint repository if mac = Known = allow on the network

Here is what I set up for that. It's working, but I need confirmation that it looks good and that machine authentication is set up correctly:

 

I pretty much want to do the same thing for wired. Can I set up the above with an 802.1x wired service? Any gotchas or recommendations? How are VLANs assigned? In a wired scenario, is it common to require all Windows devices to have dot1x enabled (Wired AutoConfig)? If enabling Wired AutoConfig, will that cause issues when they take their laptops to outside networks not requiring 802.1x?

Wired and wireless 802.1x: is there a specific order they need to be in?

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: 802.1x wired recommendations

What switch are you using?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 90
Registered: ‎12-06-2014

Re: 802.1x wired recommendations

Cisco switches. We have already implemented the Aruba Cisco switch 802.1x settings.
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: 802.1x wired recommendations

In terms of implementation it should be similar to an Aruba switch, but instead of returning an Aruba role or VLAN, just create a VLAN enforcement profile and then add the VLAN you would like to test.

If you want to allow non-802.1x devices to authenticate you can use Cisco MAB or use a fail-open VLAN.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 369
Registered: ‎01-14-2010

Re: 802.1x wired recommendations

Hi Kong_Down,

Here's a list of some of your questions:

1. Will enabling 802.1X on the wired cause an issue when they're not in the office?

No, if it's configured correctly. Make sure that "Fallback to unauthorized network access" is checked under the Authentication tab for the wired interface. If not, then yes, it will cause an issue.

2. Sending VLANs on a Cisco

Go to Configuration > Enforcement > Profiles > Add > Template > VLAN Enforcement

The Tunnel-Private-Group-Id will be the VLAN the user will receive on a switch. You can also send a VLAN ID / name on a Cisco switch to scale the solution.

Hope it helps!

-Mike

Contributor II
Posts: 90
Registered: ‎12-06-2014

Re: 802.1x wired recommendations

Hey guys, I was successful with the VLAN template for 802.1x wired users but not the non-802.1x users. My plan was to enable the endpoint repository as authenticator and, if the MAC = Known, then allow. That doesn't seem to work. Not sure what MAB is. Instructions or recommendations? Thanks much.

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: 802.1x wired recommendations

Are you seeing requests come in?



Do you have "Allow All MAC Auth" as your authentication method?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: 802.1x wired recommendations

You will need MAB configured on the Cisco switch.

 

MAB is MAC Auth Bypass and allows you to authenticate users when 802.1x fails; then it will do MAC authentication. You can define the order in the interface:

interface <INTERFACE-NAME>
switchport mode access
! no EAPOL reply (no supplicant): authorize the port into the guest VLAN
authentication event no-response action authorize vlan <GUEST-VLANID>
! try 802.1X first, then fall back to MAC authentication
authentication order dot1x mab
authentication priority dot1x mab
! enable authentication on the port (without this it is force-authorized)
authentication port-control auto
! re-authenticate periodically, with the interval taken from the RADIUS server
authentication periodic
authentication timer reauthenticate server
! enable MAC Authentication Bypass on the port
mab
spanning-tree portfast

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
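An added example (my own code, not from the thread, Cisco or Aruba) that audits interface stanzas in a Cisco IOS running-config for the dot1x/MAB commands shown in the template above, and reports the no-response VLAN each port would fail open into; the config excerpt and interface names are constructed.

```python
import re

# Constructed sample running-config excerpt (not from a real switch), modelled
# on the interface template in the post above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event no-response action authorize vlan 99
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
!
"""

# Commands every 802.1X/MAB access port should carry.
REQUIRED = (
    "authentication port-control auto",  # otherwise the port is force-authorized
    "mab",                               # MAC Auth Bypass for non-802.1X clients
    "authentication order dot1x mab",    # try 802.1X first, then MAC auth
)
NO_RESPONSE_RE = re.compile(r"authentication event no-response action authorize vlan (\d+)")

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [stripped sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command closes the stanza
    return interfaces

def audit_port(lines: list[str]) -> dict:
    """Return missing commands and the fail-open VLAN (None if not set)."""
    vlans = [m.group(1) for cmd in lines if (m := NO_RESPONSE_RE.match(cmd))]
    fail_open = int(vlans[0]) if vlans else None
    return {"missing": [c for c in REQUIRED if c not in lines], "fail_open_vlan": fail_open}

def audit_config(config: str) -> dict[str, dict]:
    """Audit every interface stanza in a running-config."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Run it against `show running-config` output to find access ports that never got `mab` or the dot1x order, and to list which ports fall open into a guest VLAN when no supplicant answers.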
Contributor II
Posts: 90
Registered: ‎12-06-2014

Re: 802.1x wired recommendations

So MAB settings are all set up correctly. I'm finally seeing logs. Again, 802.1x works fine. It's the non-802.1x clients I'm trying to configure. The non-802.1x client failed attempts are showing as "Failed to classify service"; see my attached settings. Let me know what I need to change. This service is handling both 802.1x and non-802.1x requests on wired. Maybe I need to set up a separate non-802.1x service?

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: 802.1x wired recommendations

You need two different services. One for MAC-auth and one for 802.1X.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480