CCNP SWITCH and GNS3 – part 2.1 The theory behind AAA and Dot1x authentication
December 17, 2010 2 Comments
When I started to learn authentication methods using AAA and port-based authentication using dot1x for the CCNP SWITCH exam I was very excited about this stuff.
I would like to talk about AAA, dot1x and how GNS3 can help us practise them, but first we should spend some time reading the theory behind this cool stuff:
What does the abbreviation AAA stand for?
- Authentication – Verifies user identity
- Authorization – Specifies the tasks a user is permitted to perform
- Accounting – Provides billing, auditing and monitoring
I can read about AAA in the Cisco Press book, but can you give me some examples of AAA?
Imagine a guy who comes to work every morning. The guards keep watching the main entrance and the guy is not allowed to pass until he proves his identity. Each worker holds his/her own identity card and it is necessary to show it to the guards. If the identity card is valid and the photo on the card matches the guy’s appearance, he is allowed to cross the gate.
We call this process authentication – someone must prove that he really is the person he claims to be.
And what about authorization?
After the guy is authenticated by the entrance guards he arrives in front of the block A building. The door is locked and the guy must use his card to unlock it. He can unlock the block A door, but he can’t unlock the block B or C doors because his card was programmed only for the block A entrance.
This is what we call authorization – different users have different levels of rights.
How is accounting deployed in this example?
When the guy opens the block A door, the card ID and the time are sent to a server and recorded. The entry is written into a log, and it can be determined exactly who unlocked the block A door and when.
This is accounting – it tells us when a particular action began (or ended) and the status of that action.
Another example of accounting is your phone bill with its detailed list of your calls.
OK, I got the point, but how is it related to CCNP SWITCH?
The CCNP SWITCH exam covers authentication only. You have already learnt how to set up authentication locally on a switch/router during your CCNA studies. For the CCNP level you need to learn how to configure a switch to communicate with an external authentication server (Radius) for authentication purposes. The Radius server is an AAA server and can authenticate users that are trying to connect to the switch. It can also authenticate computers trying to get access to the network. This is called dot1x or port-based authentication.
What roles do the switch and the Radius server play in this process?
The Radius server is the real boss in this game. It tells the switch whether user or PC access is granted (Access-Accept) or not (Access-Reject). In the example with the guy and the guards, the guards represent both the authenticator (the switch) and the authentication server (Radius) at the same time. They check the guy’s card and make the authentication decision. The guy represents a client which requires access to the network or to the switch, but access is granted only if authentication is successful.
What is the benefit of an AAA server?
Imagine a network with a hundred network devices and a situation where it is necessary to change the username and password on all of these devices. How long would it take? If an AAA server were implemented in your network, you would need to change the credentials only in the Radius server configuration.
OK, I know the theory behind dot1x and AAA and it is time to tell us your secret. So the question is: how can we practise this stuff in GNS3?
As I said, I was excited about AAA authentication and dot1x. So it was almost logical that I set up a FreeRADIUS server and let Radius authenticate login access to the switches in my home lab. Unfortunately I was too busy to configure dot1x port-based authentication, because besides the dot1x server configuration on Radius you also need to configure a dot1x client on the PC.
I configured dot1x on the switches, but it was like using a car simulator instead of driving a real car. There was no real result of the implemented dot1x except ports that stayed in the unauthorized state because there was no dot1x authentication server.
I have still read nothing about GNS3. Once again, how can we practise it in GNS3?
I installed FreeRADIUS 1.1.3 on a LiSA (Linux Multilayer Switch) Qemu image and configured it for user authentication. I also configured EAP-MD5 dot1x authentication on the Radius/LiSA image.
I installed wpa_supplicant on Linux Microcore 2.11-5 as the dot1x client and configured it with the EAP-MD5 authentication method.
Now you can practise AAA authentication and dot1x port-based authentication for the CCNP SWITCH exam in GNS3 and see the real impact of this Layer 2 security on an emulated network infrastructure.
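To make the EAP-MD5 dot1x exchange between the wpa_supplicant client and the FreeRADIUS server concrete, and the Access-Accept / Access-Reject decision mentioned earlier, here is an added example in Python that is not part of the original post or of either project. It assumes a constructed user database and, for brevity, carries the identity in the Name field of the MD5-Challenge response instead of a separate EAP-Response/Identity.

```python
import hashlib
import hmac
import os

# Constructed user database the RADIUS server holds. EAP-MD5 needs the
# cleartext password on the server side to recompute the response value.
USERS = {"ccnp": "switchlab"}

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side (wpa_supplicant role): MD5(Identifier || password || Challenge),
    the CHAP-style value defined for EAP-MD5 (RFC 3748 sec. 5.4, RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def build_md5_response_frame(identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP-Response/MD5-Challenge frame: Code, Identifier, Length, Type, Value-Size,
    Value, Name. The switch (authenticator) does not inspect it; it forwards the
    EAP frame to RADIUS inside EAP-Message attributes."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([EAP_RESPONSE, identifier]) + length.to_bytes(2, "big") + body


def radius_decision(identifier: int, challenge: bytes, frame: bytes) -> str:
    """Authentication server side: validate the frame, recompute the expected
    value for the claimed identity and answer Access-Accept or Access-Reject."""
    if len(frame) < 6 or frame[0] != EAP_RESPONSE or frame[1] != identifier:
        return "Access-Reject"
    if int.from_bytes(frame[2:4], "big") != len(frame) or frame[4] != EAP_TYPE_MD5:
        return "Access-Reject"
    value_size = frame[5]
    value, name = frame[6:6 + value_size], frame[6 + value_size:].decode(errors="replace")
    password = USERS.get(name)
    if password is None or value_size != 16:
        return "Access-Reject"
    expected = eap_md5_response(identifier, password, challenge)
    return "Access-Accept" if hmac.compare_digest(expected, value) else "Access-Reject"


def run_exchange(identity: str, password: str, identifier: int = 1) -> str:
    """Walk one port-based authentication: the server's random MD5-Challenge,
    the supplicant's response frame, and the server's final decision."""
    challenge = os.urandom(16)  # value of the EAP-Request/MD5-Challenge
    value = eap_md5_response(identifier, password, challenge)
    frame = build_md5_response_frame(identifier, value, identity.encode())
    return radius_decision(identifier, challenge, frame)
```

Because the server recomputes the value from a stored cleartext password and nothing in the exchange is encrypted or mutually authenticated, EAP-MD5 is fine for a lab like this one but is not what you would deploy on a production LAN.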