IRONSHIELD WHITE PAPER

WHITE PAPER: 802.1X PORT AUTHENTICATION
WITH MICROSOFT'S ACTIVE DIRECTORY



Written By: Philip Kwan
March 2003
March 2003 © 2003 Foundry Networks, Inc.
Version 1.0.0 All Rights Reserved.

Summary
Microsoft's Active Directory service is one of the most popular authentication directories in use today. This white
paper describes Foundry's 802.1X Port Authentication feature and how it works with Microsoft's IAS server to
create a seamless authentication environment for Active Directory installations.



Contents

Nomenclature  3
Related Publications  3
Trademarks  3
802.1X Port Authentication Basics  4
Microsoft's IAS Server  5
    Sample IAS Installation  5
    IAS Installation Procedure  6
Configuring 802.1X Port Authentication  13
    Other 802.1X Commands  14
    Multiple Host Situations  14
Configuring Windows Clients  15
    Testing the Client Connection  16
    Additional Tips  17
    Other 802.1X Clients Tested  17
Configuring Foundry's Dynamic VLAN Feature  18
    Configuring VLAN Groups  19
    Configuring Remote Access Policies  19
Creating Port-Based VLANs  24
Testing the Dynamic VLAN Feature  24




Disclaimer
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting Microsoft's
IAS and Active Directory services. Refer to Microsoft Corporation for complete installation guidelines and product
information regarding Microsoft components mentioned in this white paper.

Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting
Meetinghouse's AEGIS Windows and Mac OS clients. Refer to Meetinghouse Data Communications for complete
installation guidelines and product information regarding AEGIS 802.1X clients mentioned in this white paper.





Nomenclature
This guide uses the following typographical conventions to show information:
Italic highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold highlights a CLI command.
Bold Italic highlights a term that is being defined.
Underline highlights a link on the Web management interface.
Capitals highlights field names and buttons that appear in the Web management interface.

NOTE: A note emphasizes an important fact or calls your attention to a dependency.



Related Publications
The following Foundry Networks documents supplement the information in this guide.

Foundry Security Guide - provides procedures for securing management access to Foundry devices and for
protecting against Denial of Service (DoS) attacks.

Foundry Enterprise Configuration and Management Guide - provides configuration information for enterprise
routing protocols including IP, RIP, IP multicast, OSPF, BGP4, VRRP and VRRPE.

Foundry Switch and Router Command Line Interface Reference - provides a list and syntax information for all the
Layer 2 Switch and Layer 3 Switch CLI commands.


Trademarks
Microsoft Windows 2000, Microsoft Windows XP, Microsoft Internet Authentication Service, and Microsoft Active
Directory are trademarks or registered trademarks of Microsoft Corporation.

AEGIS Client is a trademark or registered trademark of Meetinghouse Data Communications.

Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries.

All other trademarks are the properties of their respective owners.


802.1X Port Authentication Basics
Foundry's implementation of 802.1X Port Authentication is based on a series of standards:

RFC 2284 PPP Extensible Authentication Protocol (EAP)
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
RFC 2869 RADIUS Extensions


There are three components that are used to create an authentication mechanism based on 802.1X standards:
Client/Supplicant, Authenticator, Authentication Server.

Client/Supplicant: The client, or supplicant, is the device that needs to authenticate to the network. It supplies
the username and password information to the Authenticator. The client uses the Extensible Authentication
Protocol (EAP) to talk to the Authenticator.

Authenticator: The Authenticator is the Foundry device performing the 802.1X port security, and it controls
access to the network. The Authenticator receives the username and password information from the client,
passes it on to the Authentication Server, and performs the necessary block or permit action based on the
results from the Authentication Server. The Authenticator uses RADIUS to speak to the Authentication Server.

Authentication Server: The Authentication Server validates the username and password information from the
Client and specifies whether or not access is granted. The Authentication Server may also specify optional
parameters to control things such as VLAN access. Foundry's 802.1X implementation currently supports
standard RADIUS Authentication Servers.


802.1X Clients use the Extensible Authentication Protocol (EAP) and EAP Over LAN (EAPOL) to securely
encapsulate the communications between the Client and Authenticator. The Authenticator uses RADIUS to
communicate with the Authentication Server.

Before the Client is authenticated, the network port is set to the uncontrolled (unauthorized) state and only
allows EAPOL authentication traffic between the Client and the Authentication Server. All other normal data
traffic is blocked. When the client authentication is complete and access is granted, the controlled port is set in
the authorized state to grant full network access.

Figure 1. Port Authentication Process

If a non-802.1X client is connected to an 802.1X-protected port, the client will not recognize the EAPOL polling
traffic from the Authenticator and authentication will fail; the client will not be granted network access. If an
802.1X EAP-MD5-enabled client is connected to a non-802.1X port, it will attempt to send an EAP Start frame to
the Foundry device. When the device doesn't respond to the EAP packet, the client considers the port to be
authorized and starts sending normal traffic.

By default, Foundry devices place all ports in the authorized state, allowing full network access. When 802.1X Port
Authentication security is implemented, all 802.1X-enabled ports are switched to the unauthorized state to
prevent full network access. Foundry devices support the EAP-MD5 standard between the client and the device.


NOTE: For more information on Foundry's implementation of 802.1X, please refer to the following resource:
802.1X White Paper: http://www.foundrynet.com/solutions/appNotes/PDFs/802.1XWhite_Paper.pdf




Microsofts IAS Server
Internet Authentication Service (IAS) is Microsoft's implementation of Remote Authentication Dial-In User Service
(RADIUS). It accepts RADIUS authentication requests from RADIUS clients, such as Foundry's network switches,
and validates the remote user's credentials against an Active Directory domain controller. In addition to
authentication services, IAS can also perform authorization, auditing and accounting for user connections.


NOTE: For more information on Microsoft's Internet Authentication Service (IAS), please refer to the following
Microsoft site:
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/intwork/inbc_ias_RQSF.asp


Sample IAS Installation
The following procedures were used to install Microsoft IAS on a Windows 2000 Advanced Server running as an
Active Directory Domain Controller. You will need at least one Windows 2000 Active Directory server to
authenticate client users. For this example, IAS was installed onto the Domain Controller server running the
Active Directory database to provide seamless operation between IAS and Active Directory.

By installing IAS on each Active Directory Domain Controller, redundancy and load balancing can be achieved
with Foundry 802.1X Port Authentication. Multiple IAS authentication servers can be configured on each Foundry
device. If multiple IAS servers are defined, the Foundry device will authenticate against them in the order they
were added.

For complete IAS installation instructions, please refer to the following Microsoft web site:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/sag_ias_install.asp



IAS Installation Procedure
Perform the following steps to install Microsoft IAS and configure it for use with Foundry's 802.1X Port
Authentication.

Step 1: If you do not already have an Active Directory environment set up, you will need to install a Windows
2000 server and configure Active Directory on at least one server. Make sure your DNS servers are set up
correctly to function with Active Directory.


Step 2: Install the Microsoft IAS service onto the Domain Controller running Active Directory. IAS can be found
on your Windows 2000 Server CD.

From Control Panel go to Add/Remove Windows Components.
Select the Networking Services option and click on the Details button to add a new network
service.
Select the Internet Authentication Service component to install.
Figure 2. Installing IAS on Windows 2000 Server


Step 3: Install the latest Service Pack for Windows 2000 Server. Also apply any updates for IAS and 802.1X
that may be required. This step is very critical. From Microsoft's home page (www.microsoft.com), select the
Downloads option from the Resources section and search for all 802.1X patches using "802.1X" as the search
criteria for all products. At the time of this writing (March 3, 2003), the following patch was available:

Windows 2000 Patch: Using 802.1X Authentication on Computers Running Windows 2000
File Name: Q313664_W2K_SP4_X86_EN.exe



Step 4: With IAS installed and all the latest service packs and patches applied, the next step is to enable IAS to
work with Active Directory. To register IAS in the default domain, perform the following steps:

Log in to the IAS server with administrative rights.
Open the IAS management screen from the Programs/Administrative Tools/Internet Authentication
Service menu option. You can also add it to your MMC management console to make it easier to access.
Right-click on Internet Authentication Service, and select Register Server In Active Directory to
enable IAS to work with Active Directory.
Figure 3. Registering IAS in Active Directory



Step 5: The next step is to setup the RADIUS server parameters. From the IAS management screen, perform
the following steps:

Right-click on Internet Authentication Service, and select Properties.
On the Service tab, select both log options to record successful and unsuccessful authentication
attempts.
On the RADIUS tab, set the UDP ports that will be used to communicate with the Foundry devices. For
this example, we will use the following ports:
o Authentication port: 1812
o Accounting port: 1813

Figure 4. Service Tab Log Settings Figure 5. RADIUS Tab Port Settings


Step 6: Define the IAS RADIUS clients that will authenticate to this IAS server. This will include all the Foundry
devices that will be supporting 802.1X client authentication. Create a new IAS client entry for each Foundry
device. Foundry devices can also have multiple IAS RADIUS servers defined to eliminate single points of failure.

From the IAS management screen, right-click on Clients and select New Client.
Enter the name of the device to give it a Friendly Name and select RADIUS as the protocol.
Enter the IP Address or DNS Name of the Foundry device, select RADIUS Standard as the Client
Vendor, check the Client must always send the signature attribute in the request option, and
enter the shared secret that will be used to identify the Foundry device. This secret must be the same
string used on the Foundry device to define the RADIUS server.
Figure 6. Adding IAS Clients - Foundry Devices

Step 7: Create a Remote Access Policy to govern access.

From the IAS management screen, right-click on Remote Access Policies and select New Remote
Access Policy.
Enter a Policy Friendly Name to describe the policy.
Select the Attribute Type to regulate access with. The one that makes the most sense for Foundry
802.1X Port Authentication is Day-and-Time-Restriction.
Set the days and times that users are allowed to authenticate. This example allowed all days and times.
Figure 7. Access Policy With Day-And-Time Restriction

Once all of the conditions have been added (our example only uses the Day-And-Time-Restriction
condition), click on the Next button to proceed.
On the Add Remote Access Policy Permission screen, select Grant remote access permission and
click on the Next button to proceed.
On the Add Remote Access Policy User Profile screen, click on the Edit Profile button.
Figure 8. Granting Permission


On the Edit Dial-In Profile screen, select the Authentication tab and check the Extensible
Authentication Protocol option.
From the EAP type drop-down box, select MD5-Challenge option to support the Foundry
devices. Uncheck all other authentication types listed under the drop down-box.
On the Edit Dial-In Profile screen, select the Encryption tab and check the Strongest encryption
option. This step is not required for EAP-MD5, but is performed as a safeguard so that weaker
encryption options are not used in the future.
On the Edit Dial-In Profile screen, select the IP tab and check Client may request an IP address
to support DHCP.
Click on the OK button and then the Finish button to complete the Policy.
Figure 9. Setting EAP Type
Figure 10. Setting Encryption Level



Step 8: Turn on Remote Access Logging.

From the IAS management screen, select the Remote Access Logging option. On the right pane,
right-click the Local File and select Properties.
Under the Settings tab, select the desired logging features.
Under the Local File tab, make sure the Log File Format is set to IAS Format and set the duration to
keep the log entries for.
Figure 11. Setting Up Logging Features
Figure 12. Setting Log Format & Size


Step 9: Configure passwords to be stored in reversibly encrypted format to support EAP-MD5. This step is
required because of the way passwords are handled with EAP-MD5: the server must recompute the MD5 challenge
response from the user's cleartext password, so Active Directory has to be able to recover that password.

From the Active Directory Users and Computers menu option, right-click the name of your Active
Directory domain and select Properties.
From the Properties screen, select the Group Policy tab. Highlight the Default Domain Policy and
click on the Edit button.
Under the Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
tree, set the Store password using reversible encryption to Enable.
Figure 13. Enabling Password Reversible Encryption for MD5 Support


Step 10: Create the Active Directory User Accounts that will be used by each user to authenticate to the
network. One user account will need to be created for each person authenticating to Active Directory. For
installations that have existing Active Directory User Accounts, perform the configurations outlined in Step 11 for
each existing user account.


Step 11: Enable Dial-In access and Password Reversible Encryption for user accounts.

After the account is created, double-click on the user account to display the user account Properties.
Under the Dial-In tab, click on the Allow Access radio button for Remote Access Permission.
Under the Account tab, check the Store password using reversible encryption option.



NOTE: If your Active Directory is already populated with the existing user accounts, you must reset the
passwords after completing Step 11 to activate the Reversible Encrypted Password Format configured in Step 9
and Step 11. This can be accomplished by having each user change their passwords for their Active Directory
user account or by the system administrator. For new accounts created in Step 10, the passwords will have the
reversible encryption feature set due to the configuration changes made in Step 9.
Figure 14. Granting Dial-in Access
Figure 15. Setting Password Reversible Encryption

Configuring 802.1X Port Authentication
Foundry devices support up to eight RADIUS servers and will authenticate against them in the order they
were added to the device's configuration. To configure a Foundry device to support 802.1X Port Authentication,
the following procedures are required:

Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s)
(RADIUS, IAS, etc.).
Configure the Foundry device to act as the Authenticator.
Configure the Foundry device's interaction with the Client device (optional step).


Step 1: Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more
RADIUS, IAS, or other authentication servers.

Syntax: [no] aaa authentication dot1x default <radius | none>

BigIron(config)# aaa authentication dot1x default radius


Configure the device to use one or more RADIUS, IAS, or other authentication servers. Set the authentication
and accounting port numbers to match the RADIUS server's settings and specify the secret key used to authenticate
to the RADIUS server. The secret key string must be identical to the secret key string used on the authentication
server.

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number> default key
<string> dot1x]

BigIron(config)# radius-server host 192.168.100.100 auth-port 1812 acct-port 1813
default key mysecretpassword dot1x
BigIron(config)# radius-server host 192.168.101.150 auth-port 1812 acct-port 1813
default key mysecretpassword dot1x
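As an added illustration (not the paper's own code and not Foundry's or Microsoft's implementation), the following Python builds the RADIUS Access-Request the switch sends for this configuration, protected with the Message-Authenticator attribute that the IAS "Client must always send the signature attribute" option requires, and checks the Response Authenticator on the reply so a forged Access-Accept is not trusted. The shared secret is the paper's example value; the user name, NAS port and request authenticator are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used by an 802.1X Access-Request (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 5, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def encode_attr(atype, value):
    """Type-Length-Value encoding; the length byte covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity that the supplicant sends first; the switch relays it in EAP-Message."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, identifier, username, nas_port, eap_payload, request_auth=None):
    """Access-Request carrying EAP-Message plus a Message-Authenticator (RFC 2869 section 5.14).

    The HMAC-MD5 keyed with the shared secret is computed over the whole packet with the
    Message-Authenticator value set to 16 zero bytes, then written into that attribute.
    """
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port))
             + encode_attr(EAP_MESSAGE, eap_payload)
             + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, packet):
    """Server-side check. A packet with no Message-Authenticator is rejected, which is what the
    IAS 'Client must always send the signature attribute' option enforces."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def build_access_accept(secret, request, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, request, response):
    """Authenticator-side check that the reply was produced by a holder of the shared secret
    for this exact request (same Identifier, same Request Authenticator)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample: the secret from the radius-server example above, a made-up user and port.
    SECRET = b"mysecretpassword"
    req = build_access_request(SECRET, 7, "jsmith", 49, eap_identity_response(1, "jsmith"))
    print("request integrity ok:", verify_message_authenticator(SECRET, req))
    print("reply integrity ok:", verify_response(SECRET, req, build_access_accept(SECRET, req)))
```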



Step 2: Enable the 802.1X authentication feature on the Foundry device and enable the necessary ports for
802.1X Port Authentication. This enables the Foundry device to act as an 802.1X Authenticator.

Syntax: [no] dot1x-enable

BigIron(config)# dot1x-enable


To configure 802.1X for individual ports, use the enable command with the port number. A range can
also be specified to make the configuration faster. Be careful not to add any uplink ports or ports for
critical servers that do not require 802.1X Port Authentication; access to these hosts may otherwise be lost.

BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
BigIron(config-dot1x)# write memory


Step 3: For all interfaces using 802.1X authentication, set the control mode to force-authorized,
force-unauthorized, or auto. Auto leaves the controlled port in unauthorized mode until the RADIUS server
validates the authentication.

BigIron(config)# interface e 3/1
BigIron(config-if-3/1)# dot1x port-control auto

The switch is now enabled for 802.1X Port Authentication. Make sure the RADIUS server is properly configured
to authenticate each user.



Other 802.1X Commands
Some other important 802.1X commands and options include:

Syntax: show dot1x Displays 802.1X configuration information
Syntax: show dot1x config <portnum> Displays detailed 802.1X configuration for a port
Syntax: show dot1x statistics <portnum> Displays 802.1X statistics for a port
Syntax: clear dot1x statistics all | <portnum> Clears 802.1X statistics for all ports or a specific port



Multiple Host Situations
Foundry's 802.1X Port Authentication defaults to one device per port. For installations that are using more than
one host per 802.1X-enabled port, the following commands should be reviewed.

Syntax: [no] dot1x multiple-hosts Allows multiple hosts on an 802.1X enabled port
Syntax: [no] timeout security-hold-time <seconds> Defines the amount of time the port is locked when
multiple hosts are detected on a port configured for only
one host. The default is 60 seconds.


If the multiple-hosts option is used, the port will allow multiple devices to access the network once the first
802.1X client authenticates successfully. When the authenticated client logs off the network and terminates the
authenticated session, the port will deny access to the remaining hosts. Another client must authenticate
successfully to enable the port for multiple-host access again.


NOTE: For more information on MAC Address Locking and 802.1X authentication, refer to the Foundry Switch
and Router Command Line Interface Reference and the Foundry Security Guide.




Configuring Windows Clients
At the time of this writing (March 2003), Foundry Networks has tested its 802.1X Port Authentication with the
following clients:

Microsoft Windows 2000 Professional English version
(must have SP3 and the Q313664_W2K_SP4_X86_EN.exe patch)
Microsoft Windows XP English version (with SP1)

After the installation of the required service packs and/or patches, Windows 2000 clients will be configured with
the necessary files to support 802.1X EAP-MD5 authentication. Windows XP clients include 802.1X natively but
must have SP1 to work with DHCP properly.


Perform the following steps to configure the Windows client for 802.1X EAP-MD5 support:

Step 1: Open the Properties window for your Ethernet network connection. With 802.1X support installed,
you should see the Authentication tab.


Check the Enable network access control using IEEE 802.1X box.
Select the proper EAP type by selecting MD5-Challenge from the EAP drop-down box.
The Authenticate as computer when computer information is available selection is optional.
Click the OK button when all the selections have been made to save the changes.
Figure 16. Setting Client EAP Type


In order to simplify the authentication process, enable the Show icon in taskbar when connected option from
the General tab. For Windows XP clients, this will allow the balloon help feature to display prompts for entering
authentication information and provide error messages for failed authentication attempts. Reboot the client if
necessary.
Figure 17. Enabling Taskbar Icon

Testing The Client Connection
To test the Windows client, connect the device to the Foundry device's 802.1X-enabled port. After a short period,
the port and the client's NIC will synchronize and the 802.1X EAP-MD5 authentication process will begin. As the
Client completes its synchronization process, the Network Icon in the task bar will show the Local Area
Connection speed. The EAP-MD5 port authentication process will begin and the user will be prompted to enter
their Local Area Connection credentials (username and password).

Enter the User Name and Password information required to authenticate to the IAS Active Directory server.
The Logon Domain information is not required.

Figure 18. Local Area Connection Credential Request


If the IAS Active Directory server validated the authentication credentials entered, the client is allowed onto the
network. If the Active Directory server did not validate the authentication credentials, a message similar to the
following will be displayed:


The EAP-MD5 authentication will time out and the user will be prompted for their authentication credentials again.



Figure 19. Failed 802.1X Authentication Message



Additional Tips
If the attempt to obtain a DHCP address fails due to a timing issue (the authentication process was not successful
before the DHCP request timed out) the client may not have a proper DHCP address. Once authentication is
successful and a network connection is granted by the Foundry device, Windows 2000 Professional (SP3 with all
802.1X patches) and Windows XP (SP1) clients should renegotiate a DHCP address with the DHCP server after a
short period of time.

If this is not the case, you can manually release and renew the DHCP address with the following command line
commands:

C:\> ipconfig /release
C:\> ipconfig /renew


These commands can also be placed in a batch file on the desktop to speed up the process of renewing
a DHCP address. An example of the batch file contents is:

ipconfig /release
ipconfig /renew
pause
exit


If you need to manually control the Local Area Connection authentication prompt, temporarily disconnect the
network cable from the client for 10 seconds and then reattach it. This will trigger a new EAP-MD5
authentication process and allow the user to enter the authentication credentials again.


Other 802.1X Clients Tested
At the time of this writing, Foundry Networks has also tested the following 802.1X EAP-MD5 clients:

AEGIS Windows Client version 2.0.0 from Meetinghouse Data Communications. The AEGIS Windows
Client offers a single sign on solution. For more information on this client, visit: www.mtghouse.com
AEGIS MAC OS Client version 1.2.1 from Meetinghouse Data Communications. For more information on
this client, visit: www.mtghouse.com



Configuring Foundrys Dynamic VLAN Feature
With software release 07.6.03, a new feature called Dynamic VLAN Assignment is supported with Foundry's
802.1X Port Authentication. Dynamic VLAN Assignment allows network administrators to assign a specific VLAN
to an individual's Windows User Account. When the individual successfully authenticates to the network using
802.1X Port Authentication, they are automatically placed into their respective VLAN.


NOTE: This feature is supported on port-based VLANs only. This feature cannot be used to place an 802.1X-
enabled port into a Layer 3 protocol VLAN. For more information on Foundry's 802.1X Dynamic VLAN Assignment
feature, refer to the 07.6.03 Foundry Switch and Router Command Line Interface Reference and Release Notes.


Foundry uses the following standard RADIUS attributes returned from Microsoft's IAS RADIUS service to place the
port into the proper VLAN:

Attribute Name             Type   Value
Tunnel-Type                064    13 (decimal) = VLAN
Tunnel-Medium-Type         065    6 (decimal) = 802
Tunnel-Private-Group-ID    081    <vlan-name> (string): either the name or the number of a VLAN configured
                                  on the Foundry device

The following occurs under Dynamic VLAN Assignment:

1. When the user enters their 802.1X credentials, the Foundry device sends the information to the IAS server
using the RADIUS protocol.
2. The Remote Access Policies on the IAS server are used to determine whether the user's account is a member of a
particular VLAN Group. If the user account is part of a VLAN Group and the authentication is successful, the
VLAN ID associated with the VLAN Group is sent back to the Foundry device using the RADIUS
Tunnel-Private-Group-ID attribute.
3. The port on the Foundry device is dynamically assigned to the VLAN matching the VLAN ID and the user
becomes a member of the Port-Based VLAN.


Conditions that may trigger an unsuccessful authentication and/or Dynamic VLAN assignment include:

- If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message do not have
the values specified above, the Foundry device will ignore the three Attribute-Value pairs. If the
authentication credentials supplied were valid, the Foundry device authorizes the port, but the port is not
dynamically placed in a VLAN. Otherwise, the client is not authorized.
- If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message have the
values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client
will not be authorized.
- When the Foundry device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks its
VLANs for a match using both the name and the numeric ID. If there is a match, the port is placed in the
VLAN whose ID corresponds to the VLAN Name or ID. If there is no match, the client is not authorized.
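The three conditions above can be modelled as one decision function over the attribute bytes of an Access-Accept. This is an added example, not Foundry's code: the attribute encoding follows RFC 2865/2868 (type, length, value, with the one-byte tunnel tag), and the VLAN table and packets are constructed for illustration.

```python
"""Dynamic VLAN decision on an 802.1X Access-Accept, following the three
conditions listed above. Added example, not Foundry code; packets and the
VLAN table are constructed. Attribute layout per RFC 2865/2868."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # required Tunnel-Type / Tunnel-Medium-Type values

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def tagged_int(value, tag=0):
    """Integer tunnel attributes carry a 1-byte tag before a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def parse_avps(data):
    """Walk the attribute area; keep the last copy of each attribute type."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out[attr_type] = data[i + 2:i + length]
        i += length
    return out

def decide(accept_attrs, vlans):
    """Return (port authorized?, VLAN assigned or None) for a valid login.
    vlans maps each VLAN ID configured on the switch to its name or None."""
    a = parse_avps(accept_attrs)
    ttype, tmed = a.get(TUNNEL_TYPE, b""), a.get(TUNNEL_MEDIUM_TYPE, b"")
    # Condition 1: wrong/missing type or medium -> ignore all three, no VLAN move
    if (len(ttype) != 4 or len(tmed) != 4
            or int.from_bytes(ttype[1:], "big") != VLAN
            or int.from_bytes(tmed[1:], "big") != IEEE_802):
        return True, None
    group = a.get(TUNNEL_PVT_GROUP_ID)
    if not group:                    # Condition 2: no group ID -> not authorized
        return False, None
    if group[0] <= 0x1F:             # optional tag byte on string attributes
        group = group[1:]
    name = group.decode("ascii", "replace")
    # Condition 3: match numeric IDs first, then names; no match -> reject
    if name.isdigit() and int(name) in vlans:
        return True, int(name)
    for vid, vname in vlans.items():
        if vname == name:
            return True, vid
    return False, None
```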


Configuring VLAN Groups
The first step is to define the VLAN Groups on the Active Directory server and assign the user accounts to each
VLAN Group. The VLAN Groups are used by IAS to assign the proper VLAN ID to each user account.

Step 1: Using the Active Directory Users and Computers administrative tool, create the VLAN Groups that
will be used for each VLAN ID. One VLAN Group must be created for each VLAN defined on the Foundry device.
The VLAN Groups must be created as Global/Security groups.




- Name the VLAN Group with a descriptive name that describes the VLAN Group's function.
- Check the Global Group Scope parameter.
- Check the Security Group Type parameter.









Figure 20. New Global Security Group


Step 2: Add the user accounts into the proper VLAN Groups. IAS will use the group memberships to determine
which VLAN ID to send back to the Foundry device for dynamic VLAN port assignment.


Step 3: Repeat Steps 1 and 2 to add each VLAN Group required.




Figure 21. Add Group Members

Configuring Remote Access Policies
Once the VLAN Groups have been created with the proper user account memberships, IAS Remote Access
Policies need to be defined. The IAS Remote Access Policies will allow the IAS service to compare the user
account being authenticated against the group memberships of each VLAN Group to determine the correct VLAN
ID to return to the Foundry device.

Step 1: Using the Remote Access Policies option on the Internet Authentication Service management
interface, create a new VLAN Policy for each VLAN Group defined in the previous step. The order of the remote
access policies is important. The most specific policies should be placed at the top of the policy list and the most
general at the bottom. For example, if the Day-And-Time Restriction policy is still present, it should be moved to
the bottom or deleted to allow the VLAN Group policies to take precedence.




- Right click Remote Access Policies and select New Remote Access Policy.
- Enter a Policy Friendly Name that describes the policy. Each Remote Access Policy will be matched to one VLAN
Group. An example may be, Allow - VLAN 10 Policy.
- Select the Next button to continue.






Figure 22. New Remote Access Policy for VLAN Group



- The Conditions Window will be displayed. Select Add to add the condition that this policy will act on.
- Select the Windows-Groups attribute type and click on the Add button.






Figure 23. Specifying Windows-Group Condition


- The Groups window will be displayed. Click on the Add button and select the VLAN Group that matches this new
policy. Only one VLAN Group should be associated with each policy.
- Select the OK and Next options in the next few screens to accept the group value.




Figure 24. Adding VLAN Group






- When the Permissions window is displayed, select the Grant remote access permission option and select Next.
This will grant access based on group membership.
- When the User Profile window appears, select the Edit Profile button.



Figure 25. Granting Permissions and User Profile Screens


The Edit Dial-In Profile screen will be displayed and there will be several tabs displayed.

- On the Edit Dial-In Profile screen, select the Authentication tab and check the Extensible Authentication
Protocol option.
- From the EAP type drop-down box, select the MD5-Challenge option to support the Foundry devices.
- Uncheck all other authentication types listed under the drop-down box.













Figure 26. Authentication Tab Settings

- On the Edit Dial-In Profile screen, select the Encryption tab and check the Strongest encryption option. This
step is not required for EAP-MD5, but is performed as a safeguard to prevent weaker encryption options from being
used in the future.

Figure 27. Encryption Tab Settings

- On the Edit Dial-In Profile screen, select the IP tab and check Client may request an IP address to support
DHCP.


- On the Edit Dial-In Profile screen, select the Advanced tab. The current default parameters returned to the
Foundry device should be Service-Type and Framed-Protocol.
- Select the Add button to add the additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN
Assignment.





Figure 28. Connection Attributes Screen


- The RADIUS Attribute screen is displayed. From this list, three RADIUS attributes will be added:
  o Tunnel-Medium-Type
  o Tunnel-Pvt-Group-ID
  o Tunnel-Type


Figure 29. RADIUS Attribute Screen


- Select Tunnel-Medium-Type and click on the Add button.
- On the Multivalued Attribute Information screen, click on the Add button.
- The Enumerable Attribute Information screen is displayed. Select the 802 value from the Attribute Value
drop-down box.
- Select OK to accept the value.
- Return to the RADIUS Attribute Screen (Figure 29).



Figure 30. 802 Attribute Setting for Tunnel-Medium-Type


- Select Tunnel-Pvt-Group-ID and click on the Add button.
- On the Multivalued Attribute Information screen, click on the Add button.
- The Attribute Information screen is displayed. Enter the correct VLAN ID or Name for this policy. Users
belonging to the VLAN Group specified in this policy will be assigned to the VLAN ID specified.
- Select OK to accept the value.
- Return to the RADIUS Attribute Screen (Figure 29).




Figure 31. VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID



- Select Tunnel-Type and click on the Add button.
- On the Multivalued Attribute Information screen, click on the Add button.
- The Enumerable Attribute Information screen is displayed. Select the Virtual LANs (VLAN) option from the
Attribute Value drop-down box.
- Select OK to accept the value.
- Return to the RADIUS Attribute Screen (Figure 29) and select the Close button.






Figure 32. VLAN Attribute Setting for Tunnel-Type



The completed Advanced Tab should resemble the illustration in Figure 33.


Repeat this step, Configuring Remote Access Policies, for each VLAN Group defined in the Active Directory.
Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at
the top of the list.



Figure 33. Completed Advanced Tab

Creating Port-Based VLANs
Port-Based VLANs must be created on each Foundry device participating in the 802.1X Dynamic VLAN Assignment
topology. 802.1X Dynamic VLAN Assignment is only supported on port-based VLANs. This feature cannot be
used to place an 802.1X-enabled port into a Layer 3 protocol VLAN.

Step 1: Create the necessary Port-Based VLANs on each Foundry device. The VLAN IDs or Names must match
the Tunnel-Pvt-Group-ID used in the Remote Access Policies created in the previous step.

To create the port-based VLAN: Syntax: vlan <vlan-id> by port

To add ports: Syntax: untagged ethernet | pos <portnum> [to <portnum> | ethernet <portnum>]

To turn on Spanning Tree Protocol: Syntax: [no] spanning-tree


EXAMPLE
This example creates a port-based VLAN with the VLAN ID of 10 and assigns an untagged uplink port E7/24 to
the VLAN. Users matching the VLAN Group ID of 10 will be automatically added to this VLAN using 802.1X
Dynamic VLAN Assignment.

Dept_Switch-1(config)# vlan 10 by port
Dept_Switch-1(config-vlan-10)# untagged eth 7/24
Dept_Switch-1(config-vlan-10)# spanning-tree
Dept_Switch-1(config-vlan-10)# exit
Dept_Switch-1(config)# write memory


Step 2: Repeat Step 1 for each Port-Based VLAN that needs to be created.



Testing The Dynamic VLAN Feature
In order to successfully test the 802.1X Dynamic VLAN Assignment feature, the following components must be
fully installed and configured according to the procedures outlined in this White Paper:

- IAS RADIUS Server
- Active Directory Server
- Foundry 802.1X capable device with version 07.6.03 code or later
- 802.1X compliant workstation or file server

Make sure the order of the Remote Access Policies is correct. The VLAN Group Policies should be listed ahead of
any other general policies such as the Day-And-Time Restriction Policy.


Step 1: To ensure that Microsoft's IAS service recognizes all the new Remote Access Policies and changes, stop
and start the IAS service. This can be done from the Internet Authentication Service management screen by
right clicking on the Internet Authentication Service (local) option and selecting Stop Service to stop the
IAS service and Start Service to start the IAS service.


Step 2: Using a workstation that is configured properly for 802.1X client support, connect to the Foundry
device's 802.1X enabled port.

Step 3: Follow the steps outlined in the section, Testing The Client Connection, to authenticate the client. Use
one of the accounts that were added to a valid VLAN Group created on the Active Directory server.

Step 4: Once the client is authenticated, check the Foundry device to make sure the client's port is added to
the proper Port-Based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN
assignment:

Syntax: show run Displays the dynamically assigned ports in each Port-Based VLAN.

Syntax: show interface <port> Displays detailed port information showing the original Layer 2 VLAN the
port belonged to before the automatic assignment and the VLAN
membership after the automatic assignment.


EXAMPLE Show Run Command
This example shows the results of the show run command. An 802.1X client was authenticated using a valid
Windows account on the Active Directory server that is a member of VLAN Group 5. From the show run
illustration, the 802.1X client is connected to port Ethernet 22. After successful authentication, port Ethernet 22
is automatically assigned to Port-Based VLAN 5 as an untagged port.

SW-telnet@FI4802-PREM#show run
ver 07.6.03B2T51
!
dot1x-enable
enable ethe 20 to 29
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
!
vlan 20 by port
!
vlan 5 by port
untagged ethe 22


EXAMPLE Show Interface Command
This example shows the dynamic VLAN information for port Ethernet 22 after the automatic VLAN assignment
was made. Note the original VLAN ID was 1 and the new dot1x-RADIUS assigned VLAN is 5.

SW-telnet@FI4802-PREM#sho int e22
FastEthernet22 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.8041.a315 (bia 00e0.8041.a315)
Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
port is untagged, port state is FORWARDING
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
: : : :
: : : :
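For a larger test, the membership line of a show interface capture can be checked automatically against the VLAN the policy was expected to return. This is an added example, not Foundry's code: the captures are constructed to match the output format shown above (the static-port line in particular is an assumed shape, not taken from the paper), and it deliberately fails a port that was merely authorized in its original VLAN without a dot1x-RADIUS assignment.

```python
"""Verify from a 'show interface' capture that a port was moved by
802.1X/RADIUS into the expected VLAN. Added example, not Foundry code;
captures are constructed to match the output format shown above."""
import re

# Constructed captures: one dynamically assigned port, and one that stayed
# in its static VLAN (what happens when the tunnel attributes are ignored).
DYNAMIC_PORT = """FastEthernet22 is up, line protocol is up
Member of L2 VLAN ID 5 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,
port is untagged, port state is FORWARDING
"""
STATIC_PORT = """FastEthernet23 is up, line protocol is up
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
"""

VLAN_LINE = re.compile(
    r"Member of L2 VLAN ID (\d+)( \(dot1x-RADIUS assigned\))?"
    r"(?:, original L2 VLAN ID is (\d+))?")

def vlan_state(capture):
    """Extract current VLAN, whether RADIUS assigned it, and the original VLAN."""
    m = VLAN_LINE.search(capture)
    if m is None:
        raise ValueError("no L2 VLAN membership line in capture")
    current = int(m.group(1))
    return {"vlan": current, "dynamic": m.group(2) is not None,
            "original": int(m.group(3)) if m.group(3) else current}

def assignment_ok(capture, expected_vlan):
    """True only when the port sits in expected_vlan because RADIUS put it there;
    a port that is authorized but still in its static VLAN fails the check."""
    s = vlan_state(capture)
    return s["dynamic"] and s["vlan"] == expected_vlan
```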

Foundry Networks, Inc.
Headquarters
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100

U.S. and Canada Toll-free: (888) TURBOLAN
Direct telephone: +1 408.586.1700
Fax: 1-408-586-1900
Email: info@foundrynet.com
Web: http://www.foundrynet.com

Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. All other
trademarks are the properties of their respective owners.

2003 Foundry Networks, Inc. All Rights Reserved.