...
- Supplicant: The supplicant is the user device that wants access to the network resources through the switch. It is a client or a host that provides the user name and password to the authentication server to obtain network access rights.
- Authenticator: The PICA8 Switch functions as the authenticator in the NAC authentication system. As an authentication gateway device, PICA8 Switch transfers authentication information between the client and the authentication server, and controls network access and authorization of the client.
- AAA server: The authentication server is the entity that validates authentication credentials provided by the supplicant. RADIUS is a commonly used authentication server. The administrator configures the user's authentication and authorization information on the AAA server that is used to validate the client in the NAC authentication process and determine whether the client can access the network resources.
Host Mode
Host Mode refers to whether a single client or multiple clients are allowed access on a single switch port. PICOS NAC uses the combination of the switch port and the client's MAC address learned on that port to implement user access control. Each switch port can be configured to operate in either single or multiple host mode.
...
```
admin@Xorplus# run show dot1x server
Server-IP          Reachability
----------------   -------------
10.10.50.65        reachable

admin@Xorplus# run show dot1x all
Global-Info:
---------------------------------------------------------------------------------
NAS-IP           : 10.10.1.1
Block-VLAN       : 2
Block-VLAN-IP    : 172.16.1.1/24
WEB-AUTH-MODE    : Remote
Server-Fail-VLAN : 100
--------------------------------------------------------------------------------
```
NOTE: A maximum of three RADIUS servers can be configured on the switch. The reachable server with the smallest IP address is used for NAC authentication.
Block VLAN and Dynamic VLAN
...
After creating a block VLAN, you can use the run show vlans command to view VLAN information.
NOTE: When deploying the voice VLAN feature together with the NAC feature, pay attention to the following points:
- If the tagged mode of the voice VLAN is tag, the packets received from the port are transmitted through the voice VLAN, and the packets sent from the port are tagged with the voice VLAN.
- If the tagged mode of the voice VLAN is untag, the untagged packets received from the port are transmitted through the dynamic VLAN, and the packets sent from the port are also untagged.
- If the tagged mode of the voice VLAN is untag, received packets tagged with the voice VLAN ID are forwarded through the voice VLAN, and received packets tagged with the dynamic VLAN ID are forwarded through the dynamic VLAN. Received tagged packets whose VLAN ID matches neither the dynamic VLAN nor the voice VLAN are dropped.
Fallback to WEB Function
PICOS NAC function includes three authentication modes: 802.1X authentication, MAB authentication and Central Web Authentication (CWA). To use NAC to control users' network access rights, you must enable one or more authentication modes on a switch interface. Note that the CWA authentication process relies on MAB authentication: if you want to deploy CWA, you need to enable MAB authentication first.
...
The three authentication modes suit different application scenarios; the table below compares them.
| Items | 802.1X Authentication | MAB Authentication | CWA Authentication |
|---|---|---|---|
| Client Software | The 802.1X client software is required to be installed on the supplicant device. | Not required. | The supplicant needs a Web browser. |
| Characteristics | The Extensible Authentication Protocol (EAP) is used to exchange authentication information between the client, the switch and the authentication server. High security. | Complex management, as it requires registering each MAC address on the AAA server. | Flexible deployment. |
| Scenarios | Applicable to scenarios where security requirements are high. | Can be deployed in scenarios where 802.1X cannot be deployed, such as authentication of dumb terminals (printers, fax machines). | Applicable to temporary access or guest access scenarios. |
802.1X Authentication
802.1X authentication is an authentication method that controls the network access rights of users based on the switch port and the MAC addresses of clients learned on that port. The Extensible Authentication Protocol (EAP) packet is used to exchange authentication information between the supplicant, authenticator and authentication server. This technology is mainly used in networks with high security requirements. 802.1X authentication requires 802.1X client software to be installed on the supplicant.
...
You can use the set protocols dot1x interface <interface-name> auth-mode web command to enable WEB authentication mode on an interface.
NOTE:
- In the CLI configuration, you need to enable MAB authentication before enabling CWA authentication.
- CWA authentication works in conjunction with MAB authentication: the CWA authentication process is started only after MAB authentication fails.
Redirect URL
In the CWA authentication process, when the user connects to the network and tries to access a web page, the user is redirected to the authentication page on the web authentication server. Only after entering the correct username and password can the user successfully access the network resources.
...
RADIUS Accounting for 802.1X and MAB
NOTE: RADIUS accounting applies only to 802.1X and MAB authentication procedures.
Enterprises and carriers charge users for the enterprise or carrier services they access, such as Internet access, and need accounting data to calculate billing information for their customers accurately and effectively.
...
- DAS: The component that resides on the NAS (switch) that processes and replies to the Change-of-Authorization (CoA) Request and Disconnect messages.
- DAC: The component that sends CoA-Request and Disconnect messages to the Dynamic Authorization Server. This component often resides on the RADIUS server. For details, please refer to RFC5176.
CoA includes two types of message flow: the Disconnect process and the Change-of-Authorization (CoA) process. A Disconnect message terminates a user session immediately, whereas a CoA message modifies the authorization attributes of the user session.
...
Template of Downloadable ACL:
```
sequence [0..9999] from destination-mac-address <macaddr>
sequence [0..9999] from destination-address-ipv4 <IPv4Net>
sequence [0..9999] from source-address-ipv4 <IPv4Net>
sequence [0..9999] from destination-address-ipv6 <IPv6Net>
sequence [0..9999] from source-address-ipv6 <IPv6Net>
sequence [0..9999] from destination-port <uintrange>
sequence [0..9999] from source-port <uintrange>
sequence [0..9999] from ether-type [1501..65535]
sequence [0..9999] from vlan [1..4094]
sequence [0..9999] from protocol icmp
sequence [0..9999] from protocol icmp [type|code] [0..254]
sequence [0..9999] from protocol igmp
sequence [0..9999] from protocol ip
sequence [0..9999] from protocol tcp
sequence [0..9999] from protocol ospf
sequence [0..9999] from protocol others [0..255]
sequence [0..9999] then action [discard|forward]
```
AND is the logical operator between the matching fields that share a sequence number: to match a firewall filter rule and be included in its class, a packet must match all of the matching fields with that sequence number. NOTE that there is a default drop rule for each firewall filter rule.
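To make the AND semantics and the default drop concrete, here is a small evaluator for a downloadable ACL written in the template syntax above. It is an added example, not code from PICOS or Pica8, and it models only the IPv4 address, port and protocol-name fields; it assumes a `<uintrange>` is written as `80` or `80-443`, that sequences are evaluated in ascending order, and that a packet matching no sequence is discarded. The sample ACL and packets are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample dACL in the template syntax (not taken from the page).
SAMPLE_DACL = """
sequence 10 from source-address-ipv4 10.10.0.0/16
sequence 10 from destination-port 80
sequence 10 from protocol tcp
sequence 10 then action forward
sequence 20 from protocol icmp
sequence 20 then action discard
"""

def parse_dacl(text):
    """Group the 'from' terms and the 'then action' of each sequence number."""
    rules = defaultdict(lambda: {"from": [], "action": None})
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "sequence" or not 0 <= int(p[1]) <= 9999:
            raise ValueError(f"bad line: {line!r}")
        seq = int(p[1])
        if p[2] == "from":
            rules[seq]["from"].append((p[3], p[4:]))   # (field, arguments)
        elif p[2:4] == ["then", "action"] and p[4] in ("discard", "forward"):
            rules[seq]["action"] = p[4]
        else:
            raise ValueError(f"bad line: {line!r}")
    for seq, r in rules.items():
        if r["action"] is None:
            raise ValueError(f"sequence {seq} has no 'then action'")
    return dict(rules)

def _term_matches(field, args, pkt):
    """One matching field against a packet dict: src, dst, sport, dport, proto."""
    if field in ("source-address-ipv4", "destination-address-ipv4"):
        key = "src" if field.startswith("source") else "dst"
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(args[0])
    if field in ("source-port", "destination-port"):
        lo, _, hi = args[0].partition("-")          # assumed uintrange form
        key = "sport" if field.startswith("source") else "dport"
        return int(lo) <= pkt[key] <= int(hi or lo)
    if field == "protocol":
        return pkt["proto"] == args[0]             # icmp type/code not modelled
    raise ValueError(f"unsupported field: {field}")

def evaluate(rules, pkt):
    """Terms with one sequence number are ANDed; first matching sequence wins."""
    for seq in sorted(rules):
        if all(_term_matches(f, a, pkt) for f, a in rules[seq]["from"]):
            return rules[seq]["action"]
    return "discard"   # default drop rule: nothing matched
```

A packet from 10.10.3.4 to TCP port 80 is forwarded; the same packet from 10.20.3.4 fails one term of sequence 10 and, matching nothing else, hits the default drop.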
The following image shows the format of the downloadable ACL in the Access-Accept message which is sent from the AAA server to the switch:
...
The employment of the dynamic ACL and the configuration examples on the ClearPass/Cisco ISE and the switch are detailed in the document Configuring Dynamic and Downloadable ACL for ClearPass and Configuring Dynamic and Downloadable ACL on Cisco ISE in Typical Configuration of NAC.
Response to session-timeout Attribute
...
- Click on Policy Elements -> Dictionaries -> System -> Radius -> RADIUS Vendors.
- Click Import, choose the Pica8 dictionary file, and then click Import to load the dictionary file.
After a successful import, the Pica8 dictionary file appears in the list of vendor dictionaries.
- You can also create the dictionary here by clicking Add and entering the attributes listed in the dictionary file.
- When adding a dictionary manually, you must enter the attributes exactly as they appear in the dictionary file. The two most important items are the VENDOR name and ID, and the Pica8-AVPair attribute. The VENDOR name must be set to Pica8 and the ID must be 35098.
- The dictionary file for Cisco ISE is attached below:
...