Manage consumer products on the corporate network with 802.1x on a Cisco switch

CCIE Brandon Carroll shows you one way to deal with consumer products on your network -- by implementing 802.1x functionality on a Cisco switch as a means of authorizing devices.

Back in the early days of IT, it was outside the price range for people to bring their own equipment in from home and use it in the work environment. Cost wasn't the only prohibitive factor. Size had much to do with it. My first computer, which wasn't actually mine, was a TRS-80 from Radio Shack. We had them in the computer lab in 6th grade. There is no way I would have been able to carry that thing around, let alone the floppies that were required to run any type of program. In fact, there probably weren't too many people taking them to work and throwing them on the network back in those days.

Going back to my TRS-80, I used a Model 1 which had a 1.77 MHz processor. Compare that to what's available today and you can clearly see how things have shifted. My iPhone 4 clocks at 1 GHz and it's many times smaller and thus more portable than my TRS-80. Now I understand that the TRS-80 is not a good comparison to the iPhone 4, but let me get to the point. Because of the portability of consumer grade products, IT departments face a challenge that they have not faced before -- dealing with consumer products on the corporate network.

The problem

From a consumer point of view this isn't a problem. Mail, Calendar, Phone, Internet Search and more are in your pocket anywhere you go. It's efficiency Zen. I can't knock it because I feel the same way. But from the corporate point of view, things aren't so clear. Yes, today's network-enabled smart devices and ultra-portable laptops are wonderful but they cause the following problems:

  • Licensing issues with corporate-used applications that the consumer does not own.
  • Standardization of support procedures
  • Patching can't be maintained at a standard level
  • Security lines are blurred
  • Bandwidth costs money

The solution

There are many solutions that address these issues. I'm going to offer one of them. The solution is 802.1x. It provides a means of authorizing devices on the network. It was initially designed for wired switches and has since found its way into wireless networks. You can configure 802.1x on a number of vendor switches since 802.1x is an IEEE standard. I'll briefly show you how to implement this functionality on a Cisco switch. The configuration is fairly simple provided you have all the pieces.

Here's what you need:
  • A client with 802.1x software installed on it, which is called a supplicant.
  • An authenticator, which is the role provided by the switch.
  • An authentication server. In the Cisco world, this is the Cisco Access Control Server (ACS).

Configuration steps

Step 1: The supplicant

1. To configure the supplicant, assuming you are using Windows, simply open Network Connections and right-click the connection for which you want to enable or disable IEEE 802.1x authentication. Then click Properties.

2. On the Authentication tab, make sure the box that says "Network access control using IEEE 802.1X" is selected (it is by default).

3. Next, in EAP type, select the Extensible Authentication Protocol type to be used with this connection. To make an educated selection here, you must know how the authentication server is configured.
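
To show what the supplicant and the switch actually exchange once that EAP type is chosen, here is an added example (not part of the original post) that decodes a constructed EAPOL exchange: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity and EAP-Success. The MAC addresses, the identity "bob" and the frames themselves are all constructed for the demo; the header layouts follow IEEE 802.1X and RFC 3748.

```python
"""Decode the 802.1x (EAPOL/EAP) frames exchanged between a supplicant and the switch.

Added example, not from the original post. The exchange below is constructed by
hand (MAC addresses, identity and frames are all made up); no real capture is used.
"""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X port-access-entity group address
ETHERTYPE_EAPOL = 0x888E

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method numbers from the IANA registry; the "EAP type" chosen on the
# supplicant in Step 1 is what appears in this byte on the wire.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(pkt):
    """Parse an EAP packet: RFC 3748 header plus Type/Type-Data for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt):
        raise ValueError("EAP length field exceeds packet")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # only Request/Response carry a Type byte and method data
        if length < 5:
            raise ValueError("EAP Request/Response without Type byte")
        method = pkt[4]
        info["type"] = EAP_TYPES.get(method, f"unknown({method})")
        data = pkt[5:length]
        if method == 1:
            # The Identity response travels in the clear on the access link, which is
            # why tunnelled methods (PEAP, EAP-TTLS) send an anonymous outer identity.
            info["identity"] = data.decode("utf-8", "replace")
        elif method == 3:
            info["nak_alternatives"] = list(data)  # methods the peer would accept instead
    return info


def decode_eapol(frame):
    """Parse one Ethernet frame carrying EAPOL; raises ValueError on malformed input."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        raise ValueError("frame too short for EAPOL")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        # Either a cut-off capture or a sender lying about its length.
        raise ValueError("EAPOL length field exceeds frame")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        info["eap"] = decode_eap(body)
    return info


def build_frame(src, dst, eapol_type, body=b"", version=1):
    """Assemble an EAPOL frame; used here only to construct the sample exchange."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body))
    return dst + src + header + body


# Constructed sample exchange (both MACs are made up for the demo).
SUPPLICANT_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("00aabbccddee")
SAMPLE_EXCHANGE = [
    build_frame(SUPPLICANT_MAC, PAE_GROUP_MAC, 1),                               # EAPOL-Start
    build_frame(SWITCH_MAC, SUPPLICANT_MAC, 0, bytes([1, 1, 0, 5, 1])),          # EAP-Request/Identity
    build_frame(SUPPLICANT_MAC, SWITCH_MAC, 0, bytes([2, 1, 0, 8, 1]) + b"bob"),  # EAP-Response/Identity
    build_frame(SWITCH_MAC, SUPPLICANT_MAC, 0, bytes([3, 2, 0, 4])),             # EAP-Success
]


def decode_exchange(frames):
    """Decode a list of frames in order; the supplicant's identity and the final
    Success/Failure are the two facts a port-security log would record."""
    return [decode_eapol(f) for f in frames]


if __name__ == "__main__":
    for step in decode_exchange(SAMPLE_EXCHANGE):
        print(step)
```

Running the script prints one decoded dictionary per frame. The length checks are the part that matters when you point this at real captures: a length field larger than the frame means either a truncated capture or a misbehaving sender, and the decoder refuses to guess rather than reading past the end.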

Step 2: The authenticator

Remember, the authenticator is the switch, so here is a simple config you can use.

From the switch CLI, enter global configuration mode:

Switch# configure terminal

Add a RADIUS server to authenticate clients against (the shared key must match the one configured on the ACS server):

Switch(config)# radius-server host 192.168.100.1 key rad123

Enable the AAA process globally:

Switch(config)# aaa new-model

Enable authentication for dot1x using the RADIUS server you already defined:

Switch(config)# aaa authentication dot1x default group radius

Enable 802.1x globally on the switch; without this command the per-port settings below have no effect:

Switch(config)# dot1x system-auth-control

Access the interface, make it a static access port (802.1x is not supported on a port left in dynamic trunking mode), and enable it for 802.1x port control:

Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Step 3: Configure the authentication server.

There's actually a bit more work here than can be covered in one post. In the next post, I'll discuss how to configure a Cisco Secure ACS Server to support 802.1x authentication.
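
As an added example (not from the original post or from Cisco), the following Python script audits a saved IOS running-config for the pieces Step 2 puts in place and reports the ports that would still admit a device without authentication. The sample config embedded in it is constructed for the demo: it deliberately omits the global dot1x enable and misconfigures two ports. The script understands the older `dot1x port-control auto` and the newer `authentication port-control auto` interface syntax, and both the `radius-server host` and `radius server` forms of defining a RADIUS server.

```python
"""Audit a Cisco IOS running-config for the 802.1x pieces described in Step 2.

Added example, not from the original post. The sample config below is
constructed for the demonstration and is not taken from a real switch.
"""
import re

# Global commands that must all be present before any port can enforce 802.1x.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group radius",
)

# Interface sub-commands that turn on 802.1x port control (older and newer IOS syntax).
PORT_CONTROL = ("dot1x port-control auto", "authentication port-control auto")

# Constructed sample running-config: missing the global dot1x enable, with one
# access port that has no port control and one dot1x port left in dynamic mode.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.168.100.1 key rad123
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 dot1x port-control auto
!
interface FastEthernet0/4
 shutdown
!
interface Vlan1
 ip address 192.168.100.10 255.255.255.0
"""


def parse_ios_config(text):
    """Return (global_lines, {interface_name: [sub-commands]}).

    IOS indents interface sub-commands by one space and uses '!' lines as
    section separators, which is all the structure this needs.
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Check the global 802.1x prerequisites and every Ethernet port's enforcement."""
    global_lines, interfaces = parse_ios_config(text)
    result = {
        "missing_global": [c for c in REQUIRED_GLOBAL if c not in global_lines],
        # Both the classic 'radius-server host' and newer 'radius server' forms count.
        "radius_defined": any(
            l.startswith(("radius-server host ", "radius server ")) for l in global_lines
        ),
        "no_dot1x": [],         # active Ethernet ports with no port control at all
        "not_access_mode": [],  # dot1x ports left in the default dynamic trunking mode
    }
    for name, cmds in interfaces.items():
        # Only physical Ethernet ports run 802.1x; skip SVIs, loopbacks and the like.
        if not re.match(r"(?i)[a-z]*ethernet\d", name):
            continue
        if "shutdown" in cmds:
            continue  # an administratively down port cannot admit a device
        if not any(c in cmds for c in PORT_CONTROL):
            result["no_dot1x"].append(name)
        elif "switchport mode access" not in cmds:
            result["not_access_mode"].append(name)
    return result


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config` saved to a file and the two port lists are the ones to fix first: a port with no port control admits anything plugged into it, and a dot1x port that is not a static access port will have had the dot1x command rejected or ignored by the switch.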

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.
