Configuring 802.1X on Cisco Switches with Failover NPS (Windows RADIUS with AD)

Consider the practical use of Windows Active Directory + NPS (2 servers for fault tolerance) + 802.1x standard for access control and user authentication - domain computers - devices. You can get acquainted with the theory of the standard in Wikipedia, by reference: IEEE 802.1X

Since the “laboratory” is limited in resources, the roles of the NPS and the domain controller are compatible, but I recommend that you still divide such critical services.

I don’t know the standard ways to synchronize the configurations (policies) of Windows NPS, so we’ll use PowerShell scripts run by the task scheduler (by my former colleague). For authentication of domain computers and for devices that cannot 802.1x (phones, printers, etc.), a group policy will be configured and security groups will be created.
')
At the end of the article I will talk about some of the intricacies of working with 802.1x - how you can use unmanaged switches, dynamic ACL, etc. I will share information about captured “glitches” ...

Let's start with the installation and configuration of NPS on Windows Server 2012R2 failover (everything is the same for 2016): through the Server Manager -> Add Roles and Features Wizard, we only select the Network Policy Server.



or using PowerShell:

Install-WindowsFeature NPAS -IncludeManagementTools 

A small clarification - since for Protected EAP (PEAP) you will definitely need a certificate confirming the authenticity of the server (with the appropriate use rights), which will be trusted by client computers, you will most likely need to install the Certification Authority role as well. But we will assume that CA is already installed ...

Let's do the same on the second server. Create a folder for the C: \ Scripts script on both servers and a network folder on the second server \\ SRV2 \ NPS-config $

On the first server, create a PowerShell script C: \ Scripts \ Export-NPS-config.ps1 with the following content:

 Export-NpsConfiguration -Path "\\SRV2\NPS-config$\NPS.xml" 

After this, we configure the task in Task Sheduler: “ Export-NpsConfiguration ”

 powershell -executionpolicy unrestricted -f "C:\Scripts\Export-NPS-config.ps1" 

Run for all users - Run with the highest rights
Daily - Repeat the task every 10 minutes. within 8 hours

On the backup NPS, configure configuration import (policies):
Create a PowerShell script:

 echo Import-NpsConfiguration -Path "c:\NPS-config\NPS.xml" >> C:\Scripts\Import-NPS-config.ps1 

and the task of its implementation every 10 minutes:

 powershell -executionpolicy unrestricted -f "C:\Scripts\Import-NPS-config.ps1" 

Run for all users - Run with the highest rights
Daily - Repeat the task every 10 minutes. within 8 hours

Now, for testing, we’ll add to the NPS on one of the servers (!) A pair of switches in the RADIUS clients (IP and Shared Secret) two connection request policies: WIRED-Connect (Condition: “NAS port type - Ethernet”) and WiFi -Enterprise ( Requirement : “NAS port type - IEEE 802.11”), and Access Cisco Network Devices (Network Admins) network policy:

 :  Windows - domain\sg-network-admins :    -    (PAP, SPAP) :  RADIUS:  - Service-Type - Login    - Cisco-AV-Pair - Cisco - shell:priv-lvl=15 

After setting, after 10 minutes, all clients \ policies \ settings should appear on the backup NPS and we will be able to log in to the switches using the ActiveDirectory account, a member of the domain \ sg-network-admins group (which we created in advance).

Let's move on to setting up Active Directory - we will create group and password policies, we will create the necessary groups.

Computers-8021x-Settings Group Policy:

 Computer Configuration (Enabled) Policies Windows Settings Security Settings System Services Wired AutoConfig (Startup Mode: Automatic) Wired Network (802.3) Policies 

Let's create the sg-computers-8021x-vl100 security group, where we will add the computers that we want to distribute to vlan 100 and configure filtering for the previously created group policy for this group:



You can make sure that the policy worked successfully by opening “Network and Sharing Center (Network and Internet Settings) - Changing adapter settings (Configuring adapter settings) - Adapter properties”, where we can see the “Authentication” tab:



When you are convinced that the policy is successfully applied, you can proceed to configuring the network policy for NPS and access level switch ports.

Let's create the neag-computers-8021x-vl100 network policy:

 Conditions: Windows Groups - sg-computers-8021x-vl100 NAS Port Type - Ethernet Constraints: Authentication Methods - Microsoft: Protected EAP (PEAP) - Unencrypted authentication (PAP, SPAP) NAS Port Type - Ethernet Settings: Standard: Framed-MTU 1344 TunnelMediumType 802 (includes all 802 media plus Ethernet canonical format) TunnelPrivateGroupId 100 TunnelType Virtual LANs (VLAN) 

Typical settings for the switch port (note that the “Multidomain” authentication type is Data & Voice, and it is also possible to authenticate to the mac address. For the transition period, it makes sense to use in the parameters:

 authentication event fail action authorize vlan 100 authentication event no-response action authorize vlan 100 

Vlan id is not “quarantine”, but the same where the user’s computer should go to after successfully logging in - until we are convinced that everything works as it should. The same parameters can be used in other scenarios, for example, when an unmanaged switch is plugged into this port and you want all devices connected to it and not authenticated to fall into a specific vlan (“quarantine”).


You can make sure that the computer / phone is successfully authenticated with the command:

 sh authentication sessions int Gi1/0/39 det 

Now we will create a group (for example, sg-fgpp-mab ) in the Active Directory for phones and add one test machine to it (in my case it’s the Grandstream GXP2160 with the mass address 000b.82ba.a7b1 and the corresponding domain account \ 000b82baa7b1 ) .

For the created group, we will lower the password policy requirements (using Fine-Grained Password Policies through the Active Directory Administrative Center -> domain -> System -> Password Settings Container) with the following Password-Settings-for-MAB parameters:



thus allow the use of the mass-address of the devices as passwords. After that, we can create a network policy for 802.1x authentication method mab, let's call it neag-devices-8021x-voice. The parameters are as follows:

• NAS Port Type - Ethernet
• Windows Groups - sg-fgpp-mab
• EAP Types: Unencrypted authentication (PAP, SPAP)
• RADIUS Attributes - Vendor Specific: Cisco - Cisco-AV-Pair - Attribute value: device-traffic-class = voice

after successful authentication (do not forget to configure the switch port), look at the information from the port:


Now, as promised, consider a couple of not quite obvious situations. For example, we need to connect computers \ user devices via an unmanaged switch (switch). In this case, the port settings for it will look like this:


PS A very strange glitch is noticed - if the device was connected through such a switch, and then it was plugged into a managed switch, then it will NOT work until we reboot (!) The switch. While I did not find other ways to solve this problem.

Another thing related to DHCP (if using ip dhcp snooping) is without these options:

 ip dhcp snooping vlan 1-100 no ip dhcp snooping information option 

for some reason, the correct ip address will not get ... although it may be a feature of our DHCP server

And Mac OS & Linux (in which support for 802.1x native) try to be authenticated by the user, even if you are configured for mas-address authentication.

In the next part of the article we will consider the use of 802.1x for Wireless (depending on the group to which the user account belongs, we will “throw” it into the appropriate network (vlan), although they will connect to the same SSID).