Networking

Authenticate users on the network by configuring ACS 5.2 for a Cisco switch

Brandon Carroll walks you through the basic steps of configuring ACS 5.2 (Access Control System) for 802.1x authentication using EAP-MD5 to help you manage devices that can connect to your corporate network.

In my last post I covered how to configure a switch to support 802.1x so that you can authenticate users as they come onto the network. In this post I will cover the basics of configuring ACS 5.2 (Access Control System) for 802.1x authentication using EAP-MD5. For viewing the full-size screenshots, you may want to visit the companion gallery here. (Click on thumbnails below to enlarge.)

So to kick things off, you need to begin with adding the Switch to the ACS Server. Recall from the previous post the switch pointed to the ACS Server using a key of rad123. You need to ensure that ACS knows to use this as well.

To log in to the ACS server (I'm assuming its already running on the network) you can browse to the IP address or name of the server as seen below:

Figure A

Next navigate to Network Resources | Network Devices and AAA Clients.

Figure B

Select the Switch you are working with. In this case I'm working with Sw1. Since the switch is already added we just want to verify that we are using the correct shared secret key. This will shave off valuable time you could end up wasting with troubleshooting connectivity issues.

Figure C

Next we will add a user. To do this step you will browse to Users and Identity Stores | Internal Identity Stores |Users.

Once there click the Create button on the bottom and add your users. I've added a user with the name bcarroll.

Figure D

Now we need to create a device filter. Navigate to Policy Elements | Session Conditions | Network Conditions | Device Filters and click Create.

Figure E

You can see that I have given the filter a name and will now add the device name by selecting the Device Name tab and again clicking Create. This part can cause some issues. If you are not allowing pop-ups, it may appear that nothing happens. In my case, I had to switch from a Safari browser to a Firefox browser.

Once the pop-up appears (Figure F) you will see an empty form box to add the device to. You can't type in the box, rather you click the Select button and select the device from the list (Figure G).

Figure F

Figure G

Once your switch is selected you will click OK a few times until you get back to the main ACS page and the switch is reflected in the list.

Figure H

The next step is to create a few authorization profiles. This will be related to the departments you have such as HR or IT and so on. To do this, you'll need to browse to Policy Elements | Authorization and Permissions | Network Access | Authorization Profiles. Here I have created HR Vlan Profile, IT Vlan Profile, and Sales Vlan Profile.

Figure I

It's underneath these Authorization Profiles that you have a bit of work to do. I've provided an example with the HR Vlan profile; however, this needs to happen for all of them. I've defined a few attributes for HR, specifically:

  • Tunnel-Type
  • Tunnel-Medium-Type
  • Tunnel-Private-Group-ID

I've always remembered it this way: I'm assigning VLANs vlan 802.q and the ID for this one is 5. So HR is on Vlan 5.

Figure J

Next we create an Access Service. You will need to navigate to Access Policies | Access Services. I've done a User Selected Service Type of Network Access and left the default selections of Identity and Authorization. At the bottom of the page, click Next.

Figure K

This brings up the Allowed Protocols page. This is where you select the protocol you want to use, and as I stated at the onset, I am going to use EAP-MD5. Once you select your protocol, click Finish.

Figure L

You next should see a pop-up asking if you want to modify the Service Selection policy to activate the server. You want to answer Yes here. This will then take you to the rules page.

Figure M

On the rules page click Customize and add Device Filter to the right hand menu. If it's not there, you will not see it as a condition.

Figure N

And now when you add or modify Rule-1, you should see the conditions. An example of this is seen below.

Figure O

That's it! You're done on ACS.

Finally edit your Windows adapter to enable 802.1x authentication and select MD5 Challenge. You'll get a little balloon window to authenticate the next time you connect that host to the port configured for 802.1x.

Figure P

While this is a brief introduction you can find more information in "Chapter 8" of my new book AAA Identity Management Security published by Cisco Press.

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.

1 comments
tm2cent
tm2cent

I very much appreciate the guide and I am grateful. I am in networking and I just got a brand new ACS 5.2 and looking for more informations on how to authenticate using - 802.1x with CA and - ACS 5.2 for Network Device Access with RSA Token