In case you’ve missed the first three blogs, I’ve been showing you how to set up the CL 3.7.5 campus feature: Multi-Domain Authentication. This is a 6-part blog series and we’re officially past the half-way point.
In blogs 1-3 we covered Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass. We’ll also have guides for Wired 802.1x using Cisco ISE, Wired MAC Authentication using Cisco ISE, and Multi-Domain Authentication using Cisco ISE. So yes, we’ve got all the bases covered.
In this fourth guide, I’ll be sharing how to enable wired 802.1X authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4 Patch 8.
Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE.
Cisco ISE Configuration:
1. Add a Cumulus Switch group to Cisco ISE:
First, we are going to add a Network Device Group to Cisco ISE:
Administration > Network Resources > Network Device Groups. Click the “+Add” button
Make sure to set the “Parent Group” to “All Device Types.” The result will look like the following:
2. Adding a Cumulus Switch to Cisco ISE
Administration > Network Resources > Network Device. Click the “+Add” button:
I. Fill in the management IP address of the Cumulus Switch
Ii. Keep the “Device Profile” set to “Cisco”
Iii. Set the “Device Type” to “Cumulus-Switches”, which is the Device Type group that was set in step #1.
Under the “RADIUS Authentication Settings”, add the “Shared Secret” that will be used on the switch:
Finally, click the “Save” button in the bottom left-hand corner:
This is the view you should now see in Cisco ISE:
3. Allowed Authentication Protocol
Policy > Policy Elements > Results > Authentication > Allowed Protocols
Select “Default Network Access” and click the “Duplicate” button:
Rename this to “Cumulus Network 802.1x Access.” where will enable the specific protocols used in our 802.1x network. I am focusing on PEAP / MSCHAPv2 in this demo. Under “Allow PEAP,” I have the following settings:
To save these changes, click the “Save” button in the bottom left-hand corner:
4. Add a RADIUS Vendor Specific Attribute (VSA) for VLAN 27
Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click the “+Add” button
1. Set the Name to “Cumulus – VLAN27”
2. Make sure the “Access Type” is “ACCEPT_ACCEPT,” which should be the default setting
3. Make sure the “Network Device Profile” is set to “Cisco”
Under the “Common Tasks,” set the VLAN “ID/Name” to “27”:
Click the “Save” button in the bottom left-hand corner:
5. Creating a wired 802.1x Policy Set in Cisco ISE
Policy > Policy Sets. Click the “+” button
Set the “Policy Set Name” and “Description” to “Cumulus 802.1x:
Now, click the “Conditions” box to bring up the “Conditions Studio Library.” Here, we will drag over the “Wired_802.1X” object and select the “Cumulus-Switches” group.
To select the “+” button on the editor choose the “DEVICE:Device Type”
There will be a dropdown menu after “Equals” and here you can select the “All Device Types#Cumulus-Switches” group that we created in step #1:
This will look like the following:
The overall “Conditions Studio” will now look like the following:
Click the “Use” button in the bottom right-hand corner.
Under the “Allowed Protocols / Server Sequence”, select “Cumulus Network 802.1x Access” from Step #3:
The Policy Set will now look like the following:
Click the “Save” button in the bottom right-hand corner
6. Applying the RADIUS VSA to the Policy Set
Policy > Policy Sets > “Cumulus 802.1x” > View > “Greater Than” symbol
Click on the “Greater Than” symbol under “View:”
Under “Authorization” Policy, change the “Default” from “DenyAccess” to
I. “Cumulus – VLAN27”, which was created in step #4
Click the “Save” button in the bottom right-hand corner.
Cumulus Linux wired 802.1x setup
1. Testing an interface
I am going to be using “swp12” to test wired 802.1x:
net add interface swp12
2. Enabling dot1x on swp12
Here are the following NCLU commands that I entered to configure dot1x:
net add dot1x radius server-ip 10.10.102.100 vrf mgmt
net add dot1x radius client-source-ip 192.168.255.100
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add bridge bridge ports swp12
net add interface swp12 dot1x
3. Modify the hostapd.conf file
The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”
Restart the hostapd.service after making the above changes with the following command:
sudo systemctl restart hostapd.service
Verification and Troubleshooting
Plug in an 802.1x enabled laptop into port swp12:
On my laptop, I see that the wired interface is successfully authenticated in the 192.168.27.0/24 subnet which corresponds to VLAN 27.
On the Cumulus switch, the following commands will show the status of the swp12 interface:
net show dot1x interface swp12
This lines up with the laptop output as the machine is authenticating using EAP-PEAP and is on VLAN 27
Adding the “details” command will provide more information about the connected device:
net show dot1x interface swp12 details
Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]” which is being sent from the Cisco ISE server
Cisco ISE also provides monitoring capabilities of this 802.1x connection at the following location:
Operation > RADIUS > Live Logs
Clicking on the “Details” icon will bring up granular details about the connection:
In the “Overview” dialog box, one can see the following:
I. A successful authentication
Ii. The Authentication and Authorization policies that were selected in Steps #4 + #5 in the Cisco ISE configuration section.
Iii. Cumulus – VLAN27, from Step #6 in the Cisco ISE configuration section, being sent as a RADIUS VSA from Cisco ISE to the Cumulus Switch
For further 802.1x troubleshooting, the link in the 802.1x Interface docs page is an invaluable resource.
In the next blog, I’ll cover Wired MAC Authentication using Cisco ISE. In the meantime, take a look at some of the other tutorials we offer engineers where you can learn basic open networking commands and configurations, all the way up to advanced configurations. Our how-to videos are a great place to start.