I’ve been going through how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in a 6-part blog series and I’m happy to say we’ve made it to the last one.

If you’ve stuck with me through this series, you’ll know that in blogs 1-5 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass, Wired 802.1x using Cisco ISE and Wired MAC Authentication using Cisco ISE.

Now that we’re at the end of the road, this final guide will enable Multi-Domain Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE and read part four and part five of this blog series.

Over the past year, Cumulus Networks has made a concerted effort to expand the breadth and scope of the campus features within Cumulus Linux. Hot off the press in 3.7.5 is one of those features, Multi-Domain Authentication (MDA).

Classically, MDA allows for a Voice VLAN and Data VLAN to be configured independently on the same switch port for a VoIP phone and a connected PC. The team at Cumulus Linux has updated hostapd and the underlying ifupdown2 to provide a robust MDA solution.
Here’s the network diagram of the Multi-Domain Authentication design:

Cisco ISE Configuration:

First, we are going to build the necessary MDA pieces in Cisco ISE.

1. Add an Authorization Profile for a Voice VLAN

Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click the “+Add” button

1. Set the Name to “Cumulus – Voice VLAN”
2. Make sure the “Access Type” is “ACCESS_ACCEPT,” which should be the default setting
3. Make sure the “Network Device Profile” is set to “Cisco”

Scroll down to “Advanced Attribute Settings” and select the “cisco-av-pair” attribute

In the text field enter the following:

device-traffic-class=voice

This will look like the following:

Click the “Save” button in the bottom left-hand corner:

2. Modify an existing Policy Set

Policy > Policy Sets > “Cumulus Wired MAC Auth” > View > “Greater Than” symbol

Click on the “Greater Than” symbol under “View:”

The “Cumulus Wired MAC Auth” policy was created in the Wired MAC Authentication blog post.

Under “Authorization Policy,” change the “Default” result from “Cumulus – VLAN36” (set in the Wired MAC Authentication blog post) to “Cumulus – Voice VLAN”

Click “Save” in the bottom right-hand corner.

These are the only two steps that are required for MDA with Cisco ISE.

Cumulus Linux MDA setup:

I factory defaulted the switch that I had been using in the Wired 802.1X and Wired MAC Authentication blog posts. This next section will outline all of the steps necessary to build MDA on a brand new switch.

1. Testing an interface

I am going to be using “swp12” to test MDA.

net add interface swp12
net commit

2. Enabling dot1x, MAB, and a Voice VLAN on swp12

Here are the NCLU commands that I entered:

net add dot1x radius server-ip 10.10.102.252 vrf mgmt
net add dot1x radius client-source-ip 192.168.255.100
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add bridge bridge ports swp12
net add interface swp12 dot1x mab
net add interface swp12 dot1x voice-enable vlan 36
net commit

3. Modify the hostapd.conf file

The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”. Both settings control what hostapd requires of RADIUS Dynamic Authorization (CoA/Disconnect) requests from the server; at “=0” the Event-Timestamp and Message-Authenticator attributes are no longer mandatory on those requests.

radius_das_require_event_timestamp=0
radius_das_require_message_authenticator=0

Restart the hostapd.service after making the above changes with the following command:

sudo systemctl restart hostapd.service

Let’s take a look under the hood to see what this new MDA configuration looks like in hostapd. By examining the /etc/hostapd.conf file, we see the following:

The Cumulus Linux MDA feature allows for two options:

Option 1 – A “Voice Interface” is configured and the RADIUS server provides the Dynamic Voice VLAN in the same manner that we have configured a Dynamic VLAN.

Option 2 – A “Voice Interface” is configured and the VLAN is locally defined on the switch. This locally defined VLAN appears as the value after the colon on the “voice_interfaces” stanza, as in the above.

In a large deployment, “Option 2” is the best solution. First, if different switches use different Voice VLANs, the RADIUS server only has to mark the session as voice traffic and each switch applies its own locally defined Voice VLAN. Second, from an ISE perspective, Option 2 allows a single Authorization Policy for the entire enterprise, providing a clean configuration.
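To check that a switch's hostapd.conf carries what steps 2 and 3 produce (a voice interface with its local VLAN after the colon, MAB and 802.1x on the same port, and the two relaxed DAS settings), here is a small shell audit added for this post; it is not Cumulus code. The key names interfaces, mab_interfaces and voice_interfaces and the “port:vlan” format are assumed from the text, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a Cumulus Linux hostapd.conf for the MDA settings from
# steps 2 and 3. Key names and the "port:vlan" format of voice_interfaces are
# assumed from the blog text, not copied from a real switch.

# Constructed sample of the relevant lines (not a real /etc/hostapd.conf).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
interfaces=swp12,swp13
mab_interfaces=swp12
voice_interfaces=swp12:36
radius_das_require_event_timestamp=0
radius_das_require_message_authenticator=0
EOF

# Value of key $2 in conf file $1 (empty if absent).
conf_value() { sed -n "s/^$2=//p" "$1"; }

# Is port $3 listed in the comma-separated key $2 of conf $1? (":vlan" suffix ignored)
port_listed() {
  conf_value "$1" "$2" | tr ',' '\n' | cut -d: -f1 | grep -qx "$3"
}

# Locally defined Voice VLAN for port $2: the value after the colon in voice_interfaces.
mda_voice_vlan() {
  conf_value "$1" voice_interfaces | tr ',' '\n' | awk -F: -v p="$2" '$1 == p { print $2 }'
}

# Step 3 check: both DAS settings read 0 (hostapd no longer requires Event-Timestamp
# or Message-Authenticator on Dynamic Authorization requests). Names any offender.
das_relaxed() {
  rc=0
  for k in radius_das_require_event_timestamp radius_das_require_message_authenticator; do
    [ "$(conf_value "$1" "$k")" = "0" ] || { echo "$k is not 0" >&2; rc=1; }
  done
  return $rc
}

# Full MDA audit for one port: voice VLAN present, port enabled for MAB and 802.1x, DAS relaxed.
mda_audit() {
  conf=$1; port=$2
  vlan=$(mda_voice_vlan "$conf" "$port")
  [ -n "$vlan" ] || { echo "$port: no voice VLAN" >&2; return 1; }
  port_listed "$conf" mab_interfaces "$port" || { echo "$port: MAB not enabled" >&2; return 1; }
  port_listed "$conf" interfaces "$port" || { echo "$port: 802.1x not enabled" >&2; return 1; }
  das_relaxed "$conf" || return 1
  echo "$port: voice VLAN $vlan, MAB + 802.1x enabled"
}

mda_audit "$SAMPLE_CONF" swp12
```

Point the functions at /etc/hostapd.conf on the switch to audit a live configuration; swp13 in the sample fails on purpose because it has no voice VLAN or MAB entry.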

Verification and Troubleshooting

First, we will plug a wired VoIP phone into port swp12. Within 3CX, the SIP VoIP server in this test, the phone has come up and registered with the system:

Within 3CX, we see that the Avaya Phone is registered with a 192.168.36.x address – which is on the Voice VLAN. Let’s take a look under the hood to see what is happening on the switch and within ISE.

On the Cumulus switch, the following commands will show the status of dot1x:

The output shows that we have MAB, Voice, and “Interfaces” / 802.1x running on swp12.

Next, run the following command to show the status of the swp12 interface:

net show dot1x interface swp12

Adding the “details” keyword will provide more information about the connected device:

net show dot1x interface swp12 details

The “Server Flags” are reporting “[MAB]”, which is the abbreviation for MAC Authentication Bypass.

Cisco ISE also provides monitoring capabilities of this MAC Authentication at the following location:

Operations > RADIUS > Live Logs

Clicking on the “Details” icon will bring up granular details about the connection:

1. Event – This is a successful MAC Authentication
2. Username + Endpoint ID – This is the MAC Address of the phone that was entered in the “Campus design feature set-up: Part 5” blog post.
3. Authorization Result – This service request is sending the “Cumulus – Voice VLAN” down to the Cumulus Switch. This Enforcement Profile was created earlier in this blog post.

Further down in this detailed window, one sees the following:

1. Endpoint ID + Calling Station ID – This is the MAC Address of the phone that was entered in the “Campus design feature set-up: Part 5” blog post.
2. We are using the “Internal Endpoints” Identity Store that was set up in the “Campus design feature set-up: Part 5” blog post.
3. The Authentication Method for this connection is “mab,” which stands for MAC Authentication Bypass.

Now, we are going to test wired 802.1x by plugging a laptop into the PC port on the Avaya Phone:

The device was placed on the 192.168.27.x subnet, which corresponds to VLAN 27, from the “Campus design feature set-up: Part 4” blog post. We are using the exact same configuration from that blog post.

On the Cumulus Switch, run the following command to see the updated interface status:

net show dot1x interface swp12

The Avaya phone is still authenticating with MAC Authentication Bypass and the laptop is authenticating using EAP-PEAP and on VLAN 27.

Adding the “details” keyword will provide more information about the connected devices:

net show dot1x interface swp12 details

Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]”, which is being sent from the Cisco ISE server.

Cisco ISE also provides a view of the 802.1x connection:

Operations > RADIUS > Live Logs

Clicking on the “Details” icon will bring up the following:

1. A successful authentication
2. The Authentication and Authorization policies that were selected in the “Campus design feature set-up: Part 4” blog post.
3. Cumulus – VLAN27 from the “Campus design feature set-up: Part 4” blog post.

Multi-Domain Authentication allows for the successful authentication of a laptop on the PC port of a VoIP Phone, with different VLANs and different domains (MAB + 802.1x) on the same physical port.

For further MDA troubleshooting, the link in the 802.1x Interface docs page is an invaluable resource.

Thanks for letting me go through all the different ways to set up the CL 3.7.5 campus feature: Multi-Domain Authentication. If you’re still hungry to learn more, take a look at some of the other tutorials we offer engineers where you can learn basic open networking commands and configurations, all the way up to advanced configurations. Our how-to videos are a great place to start.