04-28-2021 03:19 PM
Hi,
Does anyone have a good reference on configuring 802.1x for both WiFi and port security (on ICX 7150)? Using Ruckus Cloud, it looks pretty simple to add the RADIUS server and get authentication going for an SSID, but I am pretty sure there is more to it than just that :). And reading through the FastIron Security Config Guide, it looks like physical port security can get pretty complicated...
We are looking to use Windows server with the NPS role as a RADIUS server.
Looking to keep it simple to start - but any references / resources or tips would be greatly appreciated!
Cheers,
~D
04-30-2021 07:06 PM
David:
We run many hundreds of these switches in production with 802.1x, data VLANS, Voice VLANS, Wireless VLANS, etc.
Here is a typical config. I am still actually tweaking it to do TACACS, fall back to RADIUS, then Local, but it is more or less our working Layer-2 ICX config, and it has full 802.1x support, which is working flawlessly in production with ISE. I have not tested this with ClearPass, but if the policies are correct, I am certain it would work.
ver 08.0.90kT211
!
stack unit 1
module 1 icx7150-c12-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-2-sfp-plus-port-20g-module
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
no untagged ethe 1/1/1 to 1/1/12
!
vlan 250 name PCI-Compliance by port
tagged ethe 1/2/1
!
vlan 123 name Data by port
untagged ethe 1/2/1 to 1/2/2
!
vlan 301 name Voice by port
tagged ethe 1/1/1 to 1/1/12 ethe 1/2/1 to 1/2/2
!
vlan 400 name Aruba-Mgmt by port
tagged ethe 1/2/1
!
vlan 401 name AnSSID by port
tagged ethe 1/2/1
!
!
!
!
!
!
!
!
!
!
authentication
auth-default-vlan 123
re-authentication
dot1x enable
dot1x enable ethe 1/1/1 to 1/1/12
dot1x port-control auto ethe 1/1/1 to 1/1/12
mac-authentication enable
mac-authentication enable ethe 1/1/1 to 1/1/12
!
!
aaa authentication web-server default tacacs+ local
aaa authentication enable default local
aaa authentication dot1x default radius
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
aaa authorization coa enable
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
console timeout 30
enable aaa console
enable acl-per-port-per-vlan
hostname TEST
ip address 10.1.126.11 255.255.248.0
ip dns domain-list XXXX.xx.gov
ip dns server-address 10.1.123.50 10.1.123.51
no ip dhcp-client auto-update enable
no ip dhcp-client enable
ip default-gateway 10.1.124.1
!
logging host 10.1.132.250
logging console
logging persistence
no telnet server
username XXXXwan password .....
!
!
radius-server host 172.31.112.52 auth-port 1812 acct-port 1813 default key 2 $YT1nb2LEK5VVlp8OA== dot1x mac-auth
tacacs-server host 172.31.112.52
tacacs-server key 2 $YT1nb25VVKRClp8OA==
cdp run
fdp run
snmp-server contact Network Security Operations
snmp-server host 10.1.123.250 version v3 priv XXXXwan
snmp-server group XXXXv3 v3 priv access 99 read all write all
snmp-server user XXXXwan XXXXv3 v3 access 99 encrypted auth sha badb61e7ebc559c61e2ab1c6a8403cecb3ded8da priv encrypted aes badb61e7ebc559c61e2a61c6a8403cec
!
!
clock summer-time
clock timezone us Eastern
!
!
ntp
server 10.123.1.1
!
!
web access-group 99
no web-management http
web-management https
banner motd ^
------------------------------------------------------------------------
^
ICX Test Switch
^
This system is solely for the use of authorized XXXX personnel.
The information contained herein is the property of XXXX and subject to
non-disclosure, security, and confidentiality requirements.
XXXX will monitor system usage for unauthorized activities.
Any user accessing this system expressly consents to such monitoring.
^
Asset NO-TAG
^
------------------------------------------------------------------------
^
!
ssh access-group 99
!
!
sz registrar
!
!
interface ethernet 1/1/1
trust dscp
!
interface ethernet 1/1/2
trust dscp
!
interface ethernet 1/1/3
trust dscp
!
interface ethernet 1/1/4
trust dscp
!
interface ethernet 1/1/5
trust dscp
!
interface ethernet 1/1/6
trust dscp
!
interface ethernet 1/1/7
trust dscp
!
interface ethernet 1/1/8
trust dscp
!
interface ethernet 1/1/9
trust dscp
!
interface ethernet 1/1/10
trust dscp
!
interface ethernet 1/1/11
trust dscp
!
interface ethernet 1/1/12
trust dscp
!
interface ethernet 1/2/1
trust dscp
!
interface ethernet 1/2/2
trust dscp
!
interface ethernet 1/3/1
speed-duplex 1000-full
!
interface ethernet 1/3/2
speed-duplex 1000-full
!
!
!
ip access-list standard 99
sequence 10 permit host 10.1.10.190
sequence 20 permit host 10.1.10.191
sequence 30 permit host 10.1.120.250
sequence 40 permit host 10.1.123.2
sequence 50 permit host 10.1.123.3
sequence 60 permit host 10.1.123.4
sequence 70 permit host 10.1.123.5
sequence 80 permit host 10.1.123.6
sequence 90 permit 10.1.15.0 0.0.0.255
sequence 100 permit 192.168.56.0 0.0.7.255
!
!
!
lldp med network-policy application voice tagged vlan 301 priority 5 dscp 46 ports ethe 1/1/1 to 1/1/12
!
!
ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
ip ssh scp disable
ip ssh encryption disable-aes-cbc
!
!
!
!
!
end
04-29-2021 04:57 AM
Hello David,
Having dot1x security on the access ports of your ICX7150 can be done by following these steps:
1. state the RADIUS server IP address, ports, and authentication type (dot1x, macauth, webauth)
2. enter the authentication configuration mode and
2.1. enable dot1x for specific ports
2.2. set basic authentication parameters like authentication default VLAN, restricted VLAN (if used), re-authentication timers, etc.
3. enable aaa authentication for dot1x through RADIUS
!
aaa authentication dot1x default radius
Those should be the most simple steps to have it up and running.
We can always go deeper if we wanted 🙂
Please let me know if it leaves you with some concerns.
--
Orlando Elias
Ruckus TAC
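The three steps above, and the production config posted earlier in the thread, can be checked mechanically before a switch is put into service. The following Python linter is an added example written for this page, not Ruckus tooling or any poster's code: it splits a FastIron-style running-config into `!`-separated blocks and verifies that a `radius-server host` entry is tagged for dot1x, that `aaa authentication dot1x default radius` is present, that every port with `dot1x enable` also has `dot1x port-control auto`, that the `auth-default-vlan` is a configured VLAN, and that the dot1x ports are not left with a static untagged VLAN membership (the posted config removes them from VLAN 1 with `no untagged` and lets `auth-default-vlan 123` place them). The embedded sample config is constructed, with placeholder address and key; the static-untagged rule is a lint assumption modelled on the posted config, not a documented FastIron requirement.

```python
"""Lint a FastIron/ICX running-config for the 802.1X pieces described in the thread.

Added example for this page (not Ruckus tooling). The parser is deliberately
simple: it understands '!'-separated blocks, 'ethe a/b/c to a/b/d' port ranges,
the 'authentication' block, VLAN blocks, and the aaa/radius-server lines.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: trimmed to the dot1x-relevant parts of the posted config,
# with a documentation address (RFC 5737) and a placeholder key.
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
 no untagged ethe 1/1/1 to 1/1/12
!
vlan 123 name Data by port
 untagged ethe 1/2/1 to 1/2/2
!
vlan 301 name Voice by port
 tagged ethe 1/1/1 to 1/1/12 ethe 1/2/1 to 1/2/2
!
authentication
 auth-default-vlan 123
 re-authentication
 dot1x enable
 dot1x enable ethe 1/1/1 to 1/1/12
 dot1x port-control auto ethe 1/1/1 to 1/1/12
 mac-authentication enable
 mac-authentication enable ethe 1/1/1 to 1/1/12
!
aaa authentication dot1x default radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 default key 2 PLACEHOLDER== dot1x mac-auth
"""

PORT_RANGE = re.compile(r"ethe\s+(\d+/\d+/\d+)(?:\s+to\s+(\d+/\d+/\d+))?")


def expand_ports(spec: str) -> set:
    """Expand 'ethe 1/1/1 to 1/1/3 ethe 1/2/1' into {'1/1/1', '1/1/2', '1/1/3', '1/2/1'}.
    Ranges are expanded on the last (port) index, within one unit/module."""
    ports = set()
    for start, end in PORT_RANGE.findall(spec):
        unit, mod, first = start.split("/")
        last = end.split("/")[2] if end else first
        for p in range(int(first), int(last) + 1):
            ports.add(f"{unit}/{mod}/{p}")
    return ports


def parse_blocks(config: str) -> list:
    """Split the config on '!' lines; each block is a list of stripped, non-empty lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def lint_dot1x(config: str) -> dict:
    """Return {'dot1x_ports': set, 'findings': [str]}; an empty findings list means all checks passed."""
    blocks = parse_blocks(config)
    flat = [line for block in blocks for line in block]
    findings = []

    # Step 1: a RADIUS host that is actually used for dot1x (mac-auth is optional).
    radius_hosts = [line for line in flat if line.startswith("radius-server host")]
    if not any(" dot1x" in line for line in radius_hosts):
        findings.append("no 'radius-server host ... dot1x' entry")

    # Step 3: the dot1x method list must point at RADIUS.
    if "aaa authentication dot1x default radius" not in flat:
        findings.append("missing 'aaa authentication dot1x default radius'")

    # Step 2: the 'authentication' block: global enable, per-port enable, port-control, default VLAN.
    auth = next((b for b in blocks if b[0] == "authentication"), None)
    dot1x_ports, auto_ports, default_vlan, globally_enabled = set(), set(), None, False
    if auth is None:
        findings.append("no 'authentication' block")
    else:
        for line in auth[1:]:
            if line == "dot1x enable":
                globally_enabled = True
            elif line.startswith("dot1x enable ethe"):
                dot1x_ports |= expand_ports(line)
            elif line.startswith("dot1x port-control auto"):
                auto_ports |= expand_ports(line)
            elif line.startswith("auth-default-vlan"):
                default_vlan = line.split()[1]
        if not globally_enabled:
            findings.append("global 'dot1x enable' missing in authentication block")
        if not dot1x_ports:
            findings.append("dot1x not enabled on any port")
        missing_auto = sorted(dot1x_ports - auto_ports)
        if missing_auto:
            findings.append(f"ports without 'dot1x port-control auto': {missing_auto}")
        if default_vlan is None:
            findings.append("no auth-default-vlan set")

    # VLAN sanity: the default VLAN must exist, and dot1x ports should not keep a static
    # untagged membership (assumption modelled on the posted config's 'no untagged' on VLAN 1).
    vlan_ids, static_untagged = set(), defaultdict(set)
    for block in blocks:
        m = re.match(r"vlan (\d+)", block[0])
        if not m:
            continue
        vlan_ids.add(m.group(1))
        for line in block[1:]:
            if line.startswith("untagged ethe"):  # 'no untagged ...' does not match
                static_untagged[m.group(1)] |= expand_ports(line)
    if default_vlan and default_vlan not in vlan_ids:
        findings.append(f"auth-default-vlan {default_vlan} is not a configured VLAN")
    for vid, ports in static_untagged.items():
        overlap = sorted(ports & dot1x_ports)
        if overlap:
            findings.append(f"dot1x ports statically untagged in VLAN {vid}: {overlap}")

    return {"dot1x_ports": dot1x_ports, "findings": findings}


if __name__ == "__main__":
    # Pass a saved 'show running-config' as the first argument, or lint the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = lint_dot1x(text)
    print(f"dot1x ports: {len(result['dot1x_ports'])}")
    print("OK" if not result["findings"] else "\n".join("FAIL: " + f for f in result["findings"]))
```

Save the output of `show running-config` to a file and pass it as the first argument; the script exits with a list of `FAIL:` lines when one of the three steps is incomplete. The checks are structural only: they confirm the switch side is wired to RADIUS, not that the NPS network policy accepts the EAP type or returns the right VLAN, which is the part the original poster notes still has to be built on the server.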
04-29-2021 11:27 AM
Hi David,
Hope you are doing great.
We do not have any other official guides. If you look through the authentication section you will see examples as well.
Hope this helps.
Thanks
Hashim
05-03-2021 09:19 AM
Thanks for sharing. This is helpful to see.
I am thinking that these configs on the ICX switches are different (so to speak) than when setting up the same for an SSID, and that there is much more to learn on building the policy configs on the RADIUS server 🙂