- last edited on by
Anusha_Vemula
Hello everyone,
In this article, I will explain how to use external CA provided certificates for Wired 802.1x authentication with Cloudpath ES.
Below devices used for testing the behavior.
- Cloudpath On Prem.
- Cloudpath Hosted.
- ICX 7250 Switch firmware(SPS08095d.bin)
- ICX 7450 Switch firmware(SPS08090k.bin)
- ICX 7450 Router firmware(SPR08090k.bin)
- Windows 10 Client.
Contents
- Cloudpath end Setup
- Switch end Setup
- Client end Setup (Windows)
Cloudpath end Setup (This is the most important part of configuration, without this config Cloudpath will not accept external CA authentication)
Certificate Authority
Certificate Authority>>> Manage Templates>>>Add Certificate Template
>>>Select Use a Custom external Certificate Authority and click Next
>>>Fill/Check in the information marked in yellow and click Save.
- Name: External CA (in the below example).
- CA URL: Not required as exact ().
- CA Chain: Copy Root CA chain of External CA and paste.
Configuration Workflow (This is only required to map the external certificate template created in the above step, not required as exact)
Configuration>>> Workflows>>>Add Workflows
>>>Fill in the details and click Save
- Display Name: Name of workflow
>>>External CA should be mapped in the workflow and published.(Important)
Switch end Setup
>>>Switch with below configuration will be enough for 802.1x authentication flow.(example as below)
Text in bold are variables
ICX7450-48P(config)#vlan XX
ICX7450-48P(config)#aaa authentication dot1x default radius
ICX7450-48P(config)#radius-server host 10.177.X.X auth-port 1812 acct-port 1813 default key 2 sdklhfsdh dot1x
ICX7450-48P(config)#authentication
ICX7450-48P(config-authen)#auth-default-vlan XX
ICX7450-48P(config-authen)#re-authentication
ICX7450-48P(config-authen)#dot1x enable
ICX7450-48P(config-authen)#dot1x enable ethe 1/1/1
ICX7450-48P(config-authen)#dot1x port-control auto ethe 1/1/1
Client end Setup (This can be achieved with Group Policy from AD, here we are doing for single client), Group policy setup not covered here.
NOTE: It is considered that Certificate provided by External CA is already installed in the computer/user under Personal and Trusted Root, as shown below.
Personal Certificate
Trusted Root CA
Open Run from Windows Client Machine.
>>>Search for services.msc
>>>In the services Search for Wired.conf and click on Start the service.
>>>Once service is started, in RUN type ncpa.cpl
>>>Select Ethernet interface , right click and select Properties
>>>Select Ethernet properties , click on Authentication.
Select the details as below
- Enable IEEE 802.1x authentication
- Choose a network Authentication Method: Microsoft Smart Card and other Certificate
>>>Click on Setting(above image)
Select the details as below
- Use a certificate on this computer(Select)
- Verify the server's identity by validating the certificate(Check)
- Trusted Root Certificate Authority: Select the Root CA from the list (Example : WIN2k16-CA-1 in below example)
>>>Click on Advanced Settings(above image)
Select the details as below
- Specify Authentication Mode(Check)
- User or Computer Authentication
