Using 802.1x Port Authentication To Control Who Can Connect To Your Network

Author: Colin Weaver
Company: ITdojo, Inc.
Last Revision: 1/31/05
Second: 802.1x authentication server (the Windows domain controller)

There is a pretty big laundry list of things that you need to do in order to have your back-end set up to support this scenario. In this article I am going to set up the network to authenticate the computer account as it exists in an Active Directory domain. This means that a computer will only be able to get on to the network if it belongs to the domain. Rogue computers won’t work. Here is what I will assume you have up and running:

- A functioning Active Directory domain (Windows 2000 or Windows Server 2003)
- A DHCP server with a valid scope for the network(s) on which you are working
- Certificate Services with auto-enrollment for servers configured
  - Domain controllers enroll automatically. If your RADIUS server is also a domain controller, you’re cool. If not, you’ve either got to enable auto-enrollment in Group Policy or you’ve got to manually enroll the server for a certificate. You need a computer certificate with “Server Authentication” as a listed purpose.
- Internet Authentication Service (IAS) (Microsoft’s version of RADIUS). Just make sure it’s installed at this point. We’ll configure it in a little bit.
- A Global or Universal group that contains the computer account(s) you wish to authenticate.
  - For this article I created a Global group named Global – Authorized PCs and added the computer account(s) in my domain to the group.
  - Notice that I didn’t do anything with user accounts, just the computer account. I’m just interested in keeping rogue devices off the network. We can worry about users later.
To summarize:

- The computer account (Futomaki, in this article) is a member of the Global group named Global – Authorized PCs.
- The user account (Colin Weaver) is a member of Domain Users (a default membership for all domain accounts).
- This is important because you will see in a moment that we set up authentication based on the computer account’s group membership (Global – Authorized PCs), not on the user’s group membership.
Next we need to configure IAS (RADIUS) for authentication. The tasks are as follows:

1. Set up the RADIUS client – The RADIUS client is the switch (authenticator). Sometimes people get the terminology confused and think that the RADIUS client is the user or computer being authenticated. It’s not… so don’t.
   - To set up the RADIUS client, follow these steps:
     - Open Internet Authentication Service.
     - Right-click on RADIUS Clients and select New RADIUS Client.
     - In the New RADIUS Client window, enter a Friendly Name and the appropriate IP address for the client. Click Next.
       - The Friendly Name is just to help you know who the client is. Call it whatever you want.
       - The Client address (IP or DNS) is the actual IP address configured on the switch.
       - For this article I am using “Catalyst2950” as the friendly name and 172.16.44.140 as the IP address.
     - From the Client-Vendor drop-down, choose the correct vendor. If your vendor isn’t listed, leave the setting as the default (RADIUS Standard).
     - In the Shared Secret field enter a secret value (this is just a unique password that will be shared between the RADIUS server and the switch). Enter it again in the Confirm Shared Secret field. Remember it. You’ll need it when you configure the switch. Click Finish.
     - The RADIUS Client is now configured. You should see the RADIUS client listed in the detail window (see screen shots below).
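The shared secret you just entered is what lets the switch trust the answers it gets back from IAS: under RFC 2865 every Access-Accept or Access-Reject carries a Response Authenticator computed over the packet and the secret, and the switch recomputes it with its own copy before acting on the reply. The Python script below is an added illustration of that check, not code from this article or from IAS. Only the switch address 172.16.44.140 comes from the article; the secret values, the packet identifier, the user name and the fixed Request Authenticator are constructed sample data, and the EAP-Message and Message-Authenticator attributes a real 802.1x exchange carries are left out.

```python
"""Worked illustration of how the RADIUS shared secret binds a switch (the
RADIUS client / authenticator) to its RADIUS server, per RFC 2865.

Added example, not code from the original article or from Microsoft IAS.
Only the switch address 172.16.44.140 comes from the article; every other
value below is constructed sample data.
"""
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes and the two attributes used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4

SWITCH_IP = "172.16.44.140"  # the RADIUS client address entered in IAS (from the article)


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers all three."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, attributes):
    """Switch side: an Access-Request with a 16-byte Request Authenticator.
    The request body is not itself keyed by the secret; for 802.1x the EAP
    conversation rides in EAP-Message attributes and RFC 3579 also requires
    a Message-Authenticator, both omitted here for brevity."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side: Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator with the switch's copy
    of the secret. A mismatch means the reply was not produced by a server
    holding the same secret (or was altered in transit) and must be dropped."""
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_header(packet):
    """Return (code, identifier, length) from the 4-byte RADIUS header."""
    return struct.unpack("!BBH", packet[:4])


def exchange(switch_secret, server_secret, request_authenticator=bytes(range(16))):
    """Run one request/response between a switch and a server and report
    whether the switch accepts the server's Access-Accept.

    The Request Authenticator is fixed so the run is reproducible; a real
    NAS uses 16 fresh random bytes for every request."""
    identifier = 7  # constructed; a NAS varies this per outstanding request
    attrs = [
        encode_attr(ATTR_USER_NAME, b"host/futomaki"),  # constructed computer-account style identity
        encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(SWITCH_IP)),
    ]
    request = build_access_request(identifier, request_authenticator, attrs)
    # The server answers the request as received, authenticating with *its* secret.
    _code, request_id, _length = parse_header(request)
    accept = build_response(ACCESS_ACCEPT, request_id, request[4:20], [], server_secret)
    # The switch checks the reply with the secret configured on *it*.
    return verify_response(accept, request_authenticator, switch_secret)


if __name__ == "__main__":
    print("matching secrets  ->", exchange(b"s3cr3t-from-IAS", b"s3cr3t-from-IAS"))  # True
    print("mismatched secret ->", exchange(b"s3cr3t-from-IAS", b"typo-on-switch"))   # False
```

The first exchange verifies and the second, where the switch holds a different secret than the server, does not. That failed check is exactly what a mistyped shared secret looks like on the wire: the switch silently discards every reply and no port ever gets authorized, so if nothing authenticates once the switch is configured, compare the secret on the switch with the one entered in IAS before looking anywhere else.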