Monday, August 24, 2009

BCMSN Lab - Radius Server

Question:
CiscoSims is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:



- Users connecting to ASW1's ports must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:

- RADIUS server host: 172.120.39.46
- RADIUS key: rad123

- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.

The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

===========
Solution:
===========

ASW1#conf t

The question states that authentication should be implemented as close to the host device as possible. ASW1 is the access switch the hosts connect to, so we'll configure authentication on it.
The first step in configuring the authenticator is to give it the address and shared key of the RADIUS server that will act as the authentication server. Enable AAA on ASW1 and enter the IP address and shared key of the RADIUS server (the key is dictated by the lab; in a production deployment use a long random shared secret, since it is all that protects the RADIUS exchange):-

ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123

The next step is to tell the switch to use RADIUS for 802.1X authentication. This makes the switch an authenticator: it exchanges EAP messages with the supplicant, relays them to the RADIUS server configured in the previous step, and authorizes or blocks the port according to the server's reply. To configure this, use the following command:-

ASW1(config)#aaa authentication dot1x default group radius

Now enable 802.1X port-based authentication globally; without this command the per-port 'dot1x port-control' setting has no effect:-

ASW1(config)#dot1x system-auth-control

From the 'sh run' output we can see that Fa0/1 is the access port for VLAN 20, so we'll configure it. The same interface configuration must be repeated on every other access port that will carry VLAN 20 hosts: a port left in the default force-authorized state passes traffic without ever consulting the RADIUS server, which defeats the requirement.


ASW1(config)#int fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#switchport access vlan 20

Enable 802.1X authentication on the interface:-

ASW1(config-if)#dot1x port-control auto

In auto mode the port starts in the unauthorized state and forwards only EAPOL frames (plus control protocols such as CDP and STP). A client's normal traffic is passed only after the RADIUS authentication server accepts its credentials and the switch moves the port to the authorized state. The other port-control settings, force-authorized (the default) and force-unauthorized, never consult the server, so a port left at the default is effectively unprotected.

ASW1(config-if)#end

ASW1#copy run start
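As an added check, not part of the original lab solution: the following Python script audits a saved 'show run' text for the global 802.1X commands above and flags any VLAN 20 access port that lacks 'dot1x port-control auto', which is the gap behind the question in the comments about why only Fa0/1 is configured. The running-config embedded in it is constructed for the example (Fa0/2 is deliberately left without 802.1X) and is not the lab's ASW1 configuration; on the switch itself, 'show dot1x interface fastEthernet 0/1' and 'show dot1x all' show the same per-port state.

```python
"""Audit an IOS running-config for the lab's 802.1X requirements.

Added example, not from the original post. It does not talk to a switch: it
parses a saved 'show run' text and reports what is missing.
"""
import re

# Constructed sample running-config for the example (not the lab's real ASW1).
# Fa0/2 is deliberately a second VLAN 20 access port with no 802.1X, so the
# audit has something to find.
SAMPLE_CONFIG = """\
hostname ASW1
!
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/24
 switchport mode trunk
!
radius-server host 172.120.39.46 key rad123
!
end
"""

# Global commands the solution requires, exactly as they appear in 'show run'.
REQUIRED_GLOBALS = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def radius_servers(config):
    """Return the RADIUS server addresses that are configured with a shared key."""
    return re.findall(r"^radius-server host (\S+) key \S+", config, re.M)


def audit_dot1x(config, vlan):
    """Return a list of findings; an empty list means the config is compliant.

    Checks the three global commands, that at least one RADIUS server with a
    key exists, and that every access port in `vlan` has 'dot1x port-control
    auto' (a port without it stays in the default force-authorized state and
    bypasses the requirement).
    """
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    for cmd in REQUIRED_GLOBALS:
        if cmd not in lines:
            findings.append(f"missing global command: {cmd}")
    if not radius_servers(config):
        findings.append("no radius-server host configured with a key")
    for name, body in parse_interfaces(config).items():
        is_access_port = "switchport mode access" in body
        in_vlan = f"switchport access vlan {vlan}" in body
        if is_access_port and in_vlan and "dot1x port-control auto" not in body:
            findings.append(f"{name}: VLAN {vlan} access port without 802.1X")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG, 20):
        print("FINDING:", finding)
```

Run against the embedded sample it reports only Fa0/2; feed it the real 'show run' output saved to a file and it will list every VLAN 20 access port that still needs the interface commands shown above, as well as any of the global commands that were skipped.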

The question says that filtering should be implemented as close to the server farm as possible, so we'll configure filtering on the DSW1 switch.
Create a standard access list (entered here with the named-ACL syntax, using the number 10 as its name, which is equivalent to 'access-list 10 permit 172.120.40.0 0.0.0.255') that permits only the 172.120.40.0/24 source range; every other source falls through to the implicit deny at the end of the list:-

DSW1#conf t
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

To pass packets from 172.120.40.0/24 on VLAN 20 and drop packets from any other address range, create a VLAN access-map with a single sequence that forwards what ACL 10 permits. No explicit drop sequence is needed: an IP packet that matches none of a map's 'match ip address' clauses is dropped by the implicit drop at the end of the map (frames of a type the map has no match clause for, such as ARP, are still forwarded, which is what keeps IP working in the VLAN). Note also that a VACL is not directional: it is applied to every packet bridged or routed within VLAN 20, so traffic entering VLAN 20 from other subnets is dropped by this map as well, which is exactly what the requirement asks for:-

DSW1(config)#vlan access-map ciscosims 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit

Here 'ciscosims' is an arbitrary name for the map, the 10 after it is the sequence number of this entry, and the 10 in 'match ip address 10' refers to access list 10 created above.

Apply vlan access-map to vlan 20:-

DSW1(config)#vlan filter ciscosims vlan-list 20
DSW1(config)#end

DSW1#copy run start
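To make the filtering behaviour concrete, here is an added example (not part of the original post) that models Cisco wildcard-mask matching, the implicit deny of a standard ACL and the sequence evaluation of a VLAN access-map for IP packets, then runs the lab's ACL 10 and 'ciscosims' map over a few constructed source addresses. It also converts a prefix such as /19 into the wildcard the access list needs, which is the calculation asked about in the comments. The addresses in SAMPLES are made up for the example; only the 172.120.40.0/24 range comes from the lab.

```python
"""Model the filtering behaviour of the standard ACL + VLAN access-map on DSW1.

Added example, not from the original post. It reimplements Cisco wildcard-mask
matching and VLAN-map sequence evaluation for IP packets so the lab's rules can
be checked offline against constructed source addresses.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def cidr_to_wildcard(prefix):
    """'172.120.40.0/24' -> ('172.120.40.0', '0.0.0.255'); a /19 gives 0.0.31.255."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def standard_acl(entries, src):
    """Evaluate a standard ACL, a list of (action, network, wildcard), on a source
    address. Unmatched sources hit the implicit deny at the end of the ACL."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def vlan_access_map(sequences, src):
    """Evaluate a VLAN access-map on an IP packet with source `src`.

    `sequences` is a list of (seq, acl_entries_or_None, action). Sequences are
    tried in order; the first whose ACL permits the packet (or that has no match
    clause at all) decides. An IP packet matched by no sequence is dropped, which
    is the implicit drop the lab relies on instead of an explicit 'action drop'.
    """
    for _, acl, action in sorted(sequences, key=lambda s: s[0]):
        if acl is None or standard_acl(acl, src) == "permit":
            return action
    return "drop"


# The lab's configuration: 'ip access-list standard 10' + 'vlan access-map ciscosims 10'.
ACL_10 = [("permit",) + cidr_to_wildcard("172.120.40.0/24")]
CISCOSIMS = [(10, ACL_10, "forward")]

# Constructed sample source addresses (not from the lab) and the expected decision.
SAMPLES = {
    "172.120.40.7": "forward",  # inside the permitted /24
    "172.120.41.7": "drop",     # adjacent subnet, outside the /24
    "10.0.0.5": "drop",         # any other range: implicit drop
}


def check_samples(access_map=CISCOSIMS, samples=SAMPLES):
    """Return {src: decision} for the sample sources under the given map."""
    return {src: vlan_access_map(access_map, src) for src in samples}


if __name__ == "__main__":
    for src, decision in check_samples().items():
        print(f"{src:>14} -> {decision} (expected {SAMPLES[src]})")
```

Two things the model makes easy to try: permitting a second subnet is done by adding another permit entry to ACL 10, not by adding a map sequence, and appending a sequence 20 with only 'action drop' changes nothing for IP packets, because they were already dropped implicitly.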

=================================================================

19 comments:

  1. I have a question about creating an access list in a VLAN. Suppose for this range --> permit 172.120.40.0 0.0.0.255
    I'm allowing this subnet access, but adding one more access-list entry --> permit 10.0.0.0 0.0.0.255, for this subnet I want to block them;
    for this how do I create the vlan access-map?

  2. Why is the configuration on ASW1 done only on FA 0/1 and not the other ports ??

  3. Hey,
    Fa 0/1 is access port for vlan 20, so we'll configure it.
    You can see this by 'sh run' command on ASW1.
    I am adding an extract from running configuration.

  4. Hi, don't we need to add the
    ASW1(config)#dot1x system-auth-control command after this command
    "ASW1(config)#aaa authentication dot1x default group radius"?

  5. @ Fazleabbas

    Yes! We need to add this command. Thanks for the notification. I have corrected it now.

  6. DSW1#conf t
    DSW1(config)#ip access-list standard 10


    Why did you use 10? Why not another number?

  7. @ above,

    Not any specific reason.
    You can use any number from 1 to 99 and 1300-1999.

  8. hi

    In Testinside there is another access-map 20 that is also defined, its action is drop, and it is also applied to vlan-list 20.
    Why? Can anyone explain it... is it necessary?
    awais_afridi102@yahoo.com

  9. thanks for



    Not any specific reason.
    You can use any number from 1 to 99 and 1300-1999.

  10. Can any one explain the command

    vlan access-map ciscosims 10
    why is ciscosims given?

  11. Hi,

    You need to attach a name to vlan access-map command. The name can be anything, it doesn't matter.

  12. @ above,

    That's right !

    You can use any name of your choice.

    ..

  13. Hi Guys/CiscoSims,

    Do we need to add the following commands to the DSW1 switch?

    DSW1(config)#vlan access-map ciscosims 20
    DSW1(config-access-map)#action drop
    DSW1(config-access-map)#exit

  14. I think drop is implicit at the end if you don't do something to forward all...sort of like an ACL

  15. Hello CiscoSims,

    I just need to know, when we permit ip 172.120.40.0 0.0.0.255. Suppose the IP comes as 172.120.40.0/19; then in this case what do I need to do? Should I permit the same IP or the same wildcard, or do I need to do something else? Please clear this up as soon as possible, because tomorrow I am giving the exam. Please clear this up, I am a bit confused.

  16. 1. Yes, drop is implicit. We don't need to add "action drop"

    2. @ sufi, You will enter the ip addresses which will be given to you in the exam. The actual exam doesn't contain the ip add. given above.

    ..

  17. You don't really need the "10" in "DSW1(config)#vlan access-map ciscosims 10" do you? I mean, that just specifies a sequence # in the access-map right?

  18. why not use a standard access-list?
    access-list 10 permit 172.120.40.0 0.0.0.255

  19. Do I need to add the drop command or not?
    If I add it, will marks be deducted? Please guide me on this...

