Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

21 December 2005

Foundry IEEE 802.1x

To configure a foundry switch in order to authenticate people using their IEEE 802.1x clients on their PCs.

You need to enable the RADIUS authentication on the switch first
BigIron(config)# aaa authentication dot1x default radius
Then you net to tell it the RADIUS server's IP and other parameters
radius-server host 209.157.22.99 auth-port 1812 acct-port 1813 default key abc123 dot1x
Now let only one user has access to ethernet port "3/2"
BigIron(config)# int e 3/2
BigIron(config-if-e100-3/2)# port security
BigIron(config-port-security-e100-3/2)# maximum 2
BigIron(config-port-security-e100-3/2)# exit
Then enable the 802.1x on the switch, and enable multi-user policy
BigIron#(config) dot1x enable
BigIron#(config-dot1x)# multi-user-policy enable
And enable flow-based ACL
BigIron#(config) interface e 3/11
BigIron#(config-if-e1000-3/11)# ip access-group flow-mode
BigIron#(config-if-e1000-3/11)#exit
Configure place holder ACL, just a fake ACL with fake IP in it to redirect the first packet of the session to the CPU

BigIron(config)# access-list 131 deny tcp host 1.1.1.1 any
BigIron(config)# access-list 131 deny udp host 1.1.1.1 any
BigIron(config)# access-list 131 deny icmp host 1.1.1.1 any
BigIron(config)# access-list 131 permit ip any any

BigIron(config) interface e 3/11
BigIron#(config-if-e1000-3/11)# ip access-group flow-mode
BigIron#(config-if-e1000-3/11)# ip access-group 131 in
BigIron#(config-if-e1000-3/11)# ip access-group 131 out
BigIron#(config-if-e1000-3/11)# exit

So, if the source MAC address of the flow is already associated with a successfully authenticated 802.1X host that has a dynamically assigned IP ACL applied to it, then that dynamically assigned IP ACL is applied to the flow. When a port is authenticated using 802.1X security, an IP ACL or MAC address filter that exists in the running-config on the Foundry device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Foundry IP ACL or MAC address filter. For example, " ip..in", applies the specified numbered ACL to the 802.1X authenticated port in the inbound direction.

So to configure a dynamic ACL to permit incoming traffic from 10.0.0.4 then add the following command to the switch: " access-list 2 permit host 10.0.0.4", and then make the RADIUS send the following attribute value " ip.2.in"
You may do the same but with a MAC filter by applying the following command on the switch: " mac filter 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800" and let the RADIUS send this: " mac.2.in"

References:
Foundry, Configuring 802.1X Port Security
Foundry, Software-Based IP Access Control Lists (ACLs)

Tags: , , ,