mattscott.org Here we go again!

9Aug/082

802.1x Certificate-based Computer Authentication in a Windows Domain

I have a customer that has felt it necessary to secure the network ports in their conference rooms. The goal was to make it impossible for untrusted computers to access the LAN and if possible dump them on to a VLAN that would allow them only Internet access. Rather than detail the whole project I'll just provide a couple of links that helped me out and explain a couple of difficulties I faced. I am still working on the guest vlan portion of the project and will update the config below when that portion of the project is complete.

Switch Configuration

We used a Dell PowerConnect 6248 switch in this case. During R&D for this project I also made 802.1x authentication work on a PowerConnect 6024 and a Cisco Catalyst 2950 series. I actually made things work with the Catalyst first by following this article http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html. The important bits of the config for the PowerConnect 6248 are as follows:


*snip*
! This enables dot1x globally
dot1x system-auth-control
! This sets up the radius server. 192.168.1.5 is a Windows Server 2003 server running IAS
aaa authentication dot1x default radius
radius-server key "abcdefg"
radius-server host 192.168.1.5
exit
!
! This port requires authorization. This is the default.
interface ethernet 1/g1
exit
!
!This port is forced into an authorized state.
interface ethernet 1/g2
dot1x port-control force-authorized
exit

Windows Client and Server Configuration

To configure the clients and server I used this article: http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm.

This article pretty much got me where I needed to be but here's a couple of things to note.

  1. You have to make the registry change found on Page 13. There doesn't seem to be any way around it. If you find one, let me know. The plan is to make the change in a logon script.
  2. How your computer names are stored in the certificate issued to the clients is important. The default settings had been changed on the system in this case and this caused some problems. I successfully used a Subject Name Format of None and checked DNS name. I also used a subject name format of Fully Distinguished Name with nothing checked underneath. I do not fully understand these options so YMMV.

Keeping that in mind you shouldn't have any problems implementing this using the two articles that I linked to. I may eventually get really motivated and take screen shots.

UPDATE!

I spent manyl hours over the last couple of weeks trying to get this to work well in production.  We were seeing very odd behavior.  At times ports that had been moved to the guest vlan would mysteriously be moved vlan 1 once the host was disconnected and would stay their for long periods of time.  Vlan 1 does not normally contain any ports with this configuration.  At once point we had two ports stay in vlan for more than eighteen hours.  It was weird to say the least.

We tried my Catalyst 2950 in the customer's production environment and it worked perfectly and exactly as I would expect it to.  We finally gave up on the PowerConnect and my customer decided to just buy some used 24 port Catalyst 2950s.

What we ended up doing was creating a trunk port on the PowerConnect 6248 that supplied both the guest and trusted vlans to a trunk port on the catalyst.  Since my Catalyst is not layer 3 capable the PowerConnect still handled routing, DHCP relay, and ACLs.  The Catalyst was just responsible for 802.1x.

When I get my switch back I'll post the important bits of the config.

  • You truly are the greatest mind of our time.

  • The Greatest Mind of Our Time

    I just wanted to say that I’m disappointed with the freshness of the content on this blog. I expected more from the (supposed) Greatest Mind of Our Time.