Making a Test Bed
July 6, 2007
In setting up the test bed for a series of NAC reviews, I ran into some interesting issues, some of which I want to lay out here and some I will explore in more depth later (at some point, I have to get some testing done). So in preparation for the upcoming tests, I created my test bed. My goal is always to make sure that the test bed works fully and then stabilize it. From that point, I should be able to insert different products with minimal change to the infrastructure other than cabling and integration, which lets me swap products in and out of the test bed quickly. I use a mix of tools to help out, like Ghost to make images, VMware ESX Server, and big honking hard drives to store this stuff.
[Figure: NAC Test Bed diagram]
So, here is what I am building (see NAC Test Bed, right). Currently, access control is based on physical location and separated by VLANs. VLANs are a fine engineering tool, and while I don't advocate VLANs as a security technology, if your switches are current and you have complete control of your infrastructure, then properly deployed VLANs are acceptable layer 2 segmentation. Each location is on a separate VLAN, and traffic moves from one subnet to another through a router. In the real world, I might replace that router with a firewall or some other in-line device; for my NAC test bed, it doesn't matter.
The details of this test bed are:
I am using Microsoft Windows Server 2003 SP2, fully patched, as an Active Directory domain controller in Windows 2003 native mode. Installed are IAS, Certificate Services, DHCP, DNS, and IIS. Normally, I would move some of these services off the AD machine and set up some redundancy.
I am using Symantec's AntiVirus Enterprise as the AV package since it is widely deployed. Frankly, any AV package that is widely supported should be acceptable in a test bed.
The internal network access switch is a Cisco 3750.
The router is a Cisco 2800 running IOS 12.4.
The Distribution Switch is Cisco 3750G running IOS 12.2(25)
The Conference Room access switch is an HP ProCurve 2650-PWR running H.10.38
Client hosts are a mix of Windows XP, Mac OS X, and Linux machines.
The port and VLAN configuration is static at the moment. If you connect to a port on the conference switch, you are in VLAN 204. If I want to move a port to a different VLAN, I have to reconfigure the switch. If a host doesn't authenticate via 802.1X, it is put into the guest VLAN; otherwise, it is moved to the access VLAN defined for that switch port. 802.1X is configured for both the EAP-MD5 and EAP-TLS types. (EAP-MD5 is convenient in a lab, but it provides no server authentication and no key derivation, and the exchange is open to offline dictionary attack, so it is not a production choice.)
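Since the test bed allows EAP-MD5, it is worth seeing exactly what that method does and does not protect. The block below is an added example, not code from this post or from any of the products in it: a minimal EAP MD5-Challenge exchange per RFC 3748, the check the RADIUS server (IAS here) performs on the response, and the offline dictionary attack available to anyone who captured the two EAPOL frames, since the password is the only secret input to the hash. The fixed challenge, the user name and the password "letmein" are constructed lab inputs.

```python
import hashlib
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4

# Constructed lab inputs (not from the post): a fixed 16-byte challenge so the
# exchange is reproducible. A real authenticator/RADIUS server picks it at random.
LAB_CHALLENGE = bytes(range(16))
LAB_PASSWORD = b"letmein"


def eap_md5_value(identifier, password, challenge):
    """RFC 3748 s.5.4 / RFC 1994: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_request(identifier, challenge, name=b""):
    """EAP-Request/MD5-Challenge as the server sends it through the switch."""
    type_data = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(type_data)) + type_data


def build_md5_response(identifier, password, challenge, name=b""):
    """EAP-Response/MD5-Challenge as the supplicant answers it."""
    value = eap_md5_value(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def parse_md5_packet(pkt):
    """Return (code, identifier, value_or_challenge, name) from an EAP MD5-Challenge packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    vsize = pkt[5]
    if 6 + vsize > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:length]


def server_verifies(request, response, password):
    """What the RADIUS server does: recompute the value and compare."""
    _, rid, challenge, _ = parse_md5_packet(request)
    code, sid, value, _ = parse_md5_packet(response)
    return code == EAP_RESPONSE and sid == rid and value == eap_md5_value(sid, password, challenge)


def offline_dictionary_attack(request, response, wordlist):
    """Anyone who captured both EAPOL frames can test guesses offline; the password
    is the only secret input, and nothing the server knows is needed."""
    _, rid, challenge, _ = parse_md5_packet(request)
    _, sid, value, _ = parse_md5_packet(response)
    if sid != rid:
        return None
    for candidate in wordlist:
        if eap_md5_value(sid, candidate.encode(), challenge) == value:
            return candidate
    return None


def demo():
    """Run the lab exchange end to end; returns (server_accepts, recovered_password)."""
    request = build_md5_request(7, LAB_CHALLENGE)
    response = build_md5_response(7, LAB_PASSWORD, LAB_CHALLENGE, name=b"labuser")
    accepted = server_verifies(request, response, LAB_PASSWORD)
    recovered = offline_dictionary_attack(request, response, ["password", "letmein", "hunter2"])
    return accepted, recovered


if __name__ == "__main__":
    print(demo())
```

Nothing in the exchange tells the supplicant who it is talking to, and no session key comes out of it. EAP-TLS, the other type configured here, fixes both: the server proves its identity with a certificate and both sides derive keying material.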
I want something more dynamic. I know that for the conference room, I can't expect users to have an 802.1X supplicant configured to my parameters, so I have configured the switch to put such a user on a "guest VLAN" with a separate subnet. I want any port in the network to be available to any VLAN based on the user's condition.
Part of what I want to test in the NAC products are the various enforcement options like VLAN steering, DHCP control, ARP management (aka ARP poisoning), in-line blocking, etc. The reasons are twofold. First, I want to see what the integration requires, and second, there may be cases where you need to use multiple enforcement methods: a switch may not support 802.1X, or perhaps you can't enforce client configuration, so 802.1X is not an option. The switch configurations for the Cisco and HP switches are at the end of this post.
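The dynamic VLAN placement wanted above is what RFC 3580 calls VLAN assignment: the RADIUS server returns Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<vlan> in the Access-Accept, and the authenticator moves the port. The block below is an added example, not code from this post or from IAS, Cisco or HP: it builds that Access-Accept for a hypothetical group-to-VLAN policy (the mapping and the request authenticator are constructed; the shared secret is the one used in the switch configs at the end), computes the RFC 2865 Response Authenticator, and parses the reply the way a switch would, including the RFC 2868 tag-byte quirk on Tunnel-Private-Group-ID.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6                          # RFC 3580 s.3.31

# Hypothetical policy, not from the post: AD group -> VLAN, reusing the VLAN
# numbers the test bed already has (202 internal, 204 conference room).
GROUP_TO_VLAN = {"Employees": 202, "Contractors": 204}
LAB_SECRET = b"123456789"            # the shared secret from the switch configs
LAB_REQUEST_AUTH = bytes(range(16))  # constructed; a NAS picks 16 random bytes per request


def attribute(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=0):
    """The three attributes an 802.1X authenticator needs to steer a port into a VLAN."""
    return (attribute(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attribute(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_response(ident, request_auth, secret, group):
    """Server side: group membership decides Accept or Reject and which VLAN."""
    if group in GROUP_TO_VLAN:
        code, attrs = ACCESS_ACCEPT, vlan_attributes(GROUP_TO_VLAN[group])
    else:
        code, attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def switch_handles_response(pkt, ident, request_auth, secret):
    """Authenticator side. Returns None if the packet must be dropped, otherwise
    ("reject", None), ("accept", vlan_id), or ("accept", None) when no usable VLAN
    triple is present (the port then stays in its statically configured VLAN)."""
    if len(pkt) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or rid != ident:
        return None
    auth, attrs = pkt[4:20], pkt[20:length]
    if auth != response_authenticator(code, rid, attrs, request_auth, secret):
        return None   # forged reply or wrong shared secret: silently discard, as a NAS does
    if code != ACCESS_ACCEPT:
        return ("reject", None)
    tunnel_type = tunnel_medium = vlan = None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tunnel_medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 s.3.6: a leading byte <= 0x1F is a tag, anything larger is data
            group = value[1:] if value[0] <= 0x1F else value
            vlan = int(group) if group.isdigit() else None
    if tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE802 and vlan:
        return ("accept", vlan)
    return ("accept", None)


def demo():
    """Walk one user from each group through the exchange; returns the switch decisions."""
    results = {}
    for ident, group in enumerate(["Employees", "Contractors", "Guests"], start=1):
        pkt = build_access_response(ident, LAB_REQUEST_AUTH, LAB_SECRET, group)
        results[group] = switch_handles_response(pkt, ident, LAB_REQUEST_AUTH, LAB_SECRET)
    return results


if __name__ == "__main__":
    print(demo())
```

Two things to notice. The Response Authenticator is the only thing stopping someone on the path between switch and server from changing "202" to "204" in flight, and it is only as strong as the shared secret, which is why a long random secret matters outside the lab. RFC 3579 additionally requires a Message-Authenticator attribute (HMAC-MD5 over the packet with the shared secret) whenever EAP-Message is carried; it is left out here to keep the example to the VLAN attributes.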
Stumbles
The basic configuration is pretty simple; only three things tripped me up. First, in Windows 2003 the Dial-in tab of a user account has an option, "Control access through Remote Access Policy", which is grayed out while Active Directory is in Windows 2000 mixed mode (the default). To get a RADIUS Access-Accept, the user has to have remote access permission, and new users in mixed mode don't have it by default, so that needs to change. I wanted to grant it through a remote access policy for 802.1X rather than per user, but that option was unavailable in mixed mode, so I had to raise my Windows 2003 AD to native mode. Once I did that, new users had the remote access policy option checked.
Now in IAS, I defined the policy so that only a specific group was granted access and, by default, all others were denied. That's much easier to manage than granting individual users remote access settings (you can still set the permission per user to override the remote access policy). The second thing that snagged me, and this happens more than I care to admit: when I configured 802.1X on the Cisco switches, I cut myself off from the telnet console. I really need a serial console. Anyway, I had to add a username to my IOS config so that I could log in via telnet (that is a side effect of aaa new-model: with no login method list defined, the vty lines fall back to the local user database, so a line password alone no longer gets you in).
Finally, I tested my configuration on a single port while telnetting to the switch from my AD server. Once I had the configuration set, all I had to do was apply the "switchport mode access" and "dot1x port-control auto" commands to each interface. So I went into configure terminal, entered a range ("int range g1/0/10 - 32"), applied those two commands, and was instantly cut off. Duh. The AD server is connected to g1/0/10 and, of course, it's not set up for 802.1X. So I connected to the console and removed the "switchport mode access" line, which in turn appears to remove the dot1x commands on that interface. Don't be fooled! Doing that only hides the dot1x commands; they are still active. I had to re-enable the switchport line, manually remove the dot1x commands, and then remove the switchport line. Just a little bit of IOS weirdness.
Now I just have to define the policies I want to enforce and I am off to the races. Until next time.
Config lines
These are just the configuration lines relevant to 802.1X and RADIUS. Microsoft's 802.1X guide for Windows XP is a helpful resource for the client and server side configurations.
The IOS commands, with reference to the Cisco documentation page for IOS 12.2(25). Versions earlier than 12.1 use different commands.

First we define a new AAA model:

    aaa new-model
    aaa authentication dot1x default group radius
Then we point to our RADIUS server. (1645/1646 are the legacy RADIUS ports; the standard ones are 1812/1813, and IAS listens on both pairs by default. The short numeric shared secret is fine for a lab, but anywhere else it should be long and random, since it is all that protects the RADIUS exchange between switch and server.)

    radius-server host 192.168.201.5 auth-port 1645 acct-port 1646 key 123456789
    radius-server source-ports 1645-1646
Then we configure the interface:

    interface GigabitEthernet1/0/33
     switchport access vlan 202
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     spanning-tree portfast
The HP ProCurve switch commands are based on the ProCurve manual. First we configure the port authentication system:

    aaa authentication port-access eap-radius

Then we define the RADIUS server:

    radius-server host 192.168.201.5 key 123456789
Then we apply 802.1X authentication to the ports and activate it:

    aaa port-access authenticator 2-50
    aaa port-access authenticator active