NEC Corporation of America. Design Guide for Port Based Network Access Control (NAC)/802.1x and OpenFlow Network Integration. Version 3.





Table of Contents

1. Introduction
   1.1 Purpose
   1.2 Overview
2. Use Cases for Wired Users and Wireless Users
   2.1 Demo Environment
   2.2 Wired users
   2.3 Wireless users
3. Configuration Examples
   3.1 Dell PoE 802.1x enabled Switch
   3.2 Radius Server to use FreeRadius Server
4. OpenFlow Switches and ProgrammableFlow Controller
   4.1 OFS versions
   4.2 OFS types
       4.2.1 Edge OFS
       4.2.2 Core OFS
   4.3 PFC Configuration Example
5. Glossary
Revision History

NEC Corporation of America, 2015 Page 2 of 11

1. Use Cases for Wired Users and Wireless Users

1.1 Demo Environment

The following servers and switches are used to build the demo for both use cases, as a reference.

Switch/Server: ProgrammableFlow Controller
  Hardware: NEC Express5800/R120b-2 (CPU: Intel(R) Xeon(R) CPU X5690; Memory: 24GB; HDD: 300GB, 10000rpm, RAID-1; NIC: 1000Base-T x 6; Power: AC100V/200V ±10%, redundant power supply; FAN: redundant fan; optical drive for DVD-RAM)
  OS: Red Hat Enterprise Linux 6.4 (x86_64), kernel version kernel-2.6.32-358.23.2.el6.x86_64
  Software Version: PFC V6.0
Switch/Server: RADIUS Server
  Hardware: ESXi VM
  OS: CentOS 6.4
  Software Version: FreeRADIUS 2.1.12
Switch/Server: DHCP Server
  Hardware: ESXi VM
  OS: CentOS 6.4
Switch/Server: Wireless LAN Controller
  Hardware: ESXi VM
  OS: Meru WLC MC4200V
  Software Version: sdn-1.0.0-15
Switch/Server: 802.1x Switch
  Hardware: Dell PowerConnect 5524P
  Software Version: Firmware 4.1.0.12
Switch/Server: PF5240 Switch
  Hardware: PF5240R-48T4XW-AX
  Software Version: OS-F3PA Ver. V5.0.0.1
Switch/Server: PF5820 Switch
  Hardware: NEC PF5820
  Software Version: 7.6.4.1
Switch/Server: Management/Secure Channel Switch
  Hardware: Cisco 2960S
  Software Version: IOS 12.2(55)SE7

2. Configuration Examples

2.1 Dell PoE 802.1x enabled Switch

  vlan 2,11-20,55,200-210,4000
  radius-server host 192.168.2.46 usage dot1.x
  radius-server key testing123
  logging host 192.168.2.243 severity debugging
  aaa authentication dot1x default radius
  interface vlan 2
    ip address 192.168.2.164 255.255.255.0      <---------- Dell Switch Mgmt
  interface vlan 4000
    ip address 192.168.40.55 255.255.255.0
  interface gigabitethernet1/0/2                <---------- Radius Server
    switchport access vlan 2
  interface gigabitethernet1/0/3                <---- In this demo, vlan 12 will be assigned after authentication
    dot1x host-mode multi-sessions
    dot1x reauthentication
    dot1x radius-attributes vlan
    dot1x port-control auto
  interface gigabitethernet1/0/4                <--------- Uplink to PFS (MCLAG)
    switchport mode trunk
    switchport trunk allowed vlan remove 1-2,11,4000
  interface gigabitethernet1/0/5                <--------- Uplink to PFS (MCLAG)
    switchport mode trunk
    switchport trunk allowed vlan remove 1-2,11,4000
  interface gigabitethernet1/0/6                <---- In this demo, vlan 13 will be assigned after authentication
    dot1x host-mode multi-sessions
    dot1x reauthentication
    dot1x radius-attributes vlan
    dot1x port-control auto
  interface gigabitethernet1/0/7                <----------- Meru AP
    switchport access vlan 2
  interface gigabitethernet1/0/8                <--------------- Meru WLC
    switchport mode trunk
    switchport access vlan none
    switchport trunk native vlan 2
    switchport trunk allowed vlan remove 1,11-20,4000
  interface gigabitethernet1/0/24               <--------- Uplink to management network
    switchport access vlan 2

2.2 Radius Server to use FreeRadius Server

Details: http://freeradius.org/doc/

Tips for CentOS (Warning: You should read the manual for more detailed configuration information. The following are just tips to help you get the server started.)

FreeRadius Server Installation:

  yum install freeradius freeradius-mysql freeradius-utils mysql-server -y

MySQL setup:

  service mysqld start
  chkconfig --levels 235 mysqld on
  /usr/bin/mysql_secure_installation
  mysql -uroot -p
  CREATE DATABASE radius;
  GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "YourPASSWORD";
  flush privileges;
  mysql> use radius;
  SOURCE /etc/raddb/sql/mysql/schema.sql
  SOURCE /etc/raddb/sql/mysql/admin.sql
  SOURCE /etc/raddb/sql/mysql/nas.sql

  mysql> INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES (1,'test','User-Password',':=','test');

Now open /etc/raddb/sql.conf on CentOS and enter the details of the MySQL database you just created. Example:

  # Connection info:
  server = "localhost"
  #port = 3306
  login = "radius"
  password = "YourPASSWORD"
  # Database table configuration for everything except Oracle
  radius_db = "radius"

In /etc/raddb/radiusd.conf ensure that the line

  $INCLUDE sql.conf

is uncommented.

FreeRadius server configuration to enable EAP and PEAP, in /etc/raddb/eap.conf:

  eap {
    use_tunneled_reply = yes
    peap {
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
    }
  }

Open /etc/raddb/clients.conf and set your secret to something a bit more random. Example, change:

  secret = yoursecret

Debug mode of the Radius server, command:

  radiusd -X

/etc/raddb/users manages user credentials and VLAN info; it is one option for testing quickly. Using the DB tables is recommended for a production-level setup.

/etc/raddb/authorized_macs manages the MAC addresses of each user: add new MACs for end stations that are to come into the network.

The following scenario is from the wireless use case, where the wireless end station uses PEAP and MS-CHAPv2 with the user name lee and the MAC address 60-67-20-47-D2-A0. The password is hidden from the debugging messages. /etc/raddb/users holds the user credentials and VLAN info. An example of the debugging messages from the Radius server for the request from the 802.1x switch, which carries the authentication request coming from the end station:

  rad_recv: Access-Request packet from host 192.168.2.254 port 65412, id=10, length=196   <- 192.168.2.254 is the 802.1x switch IP
          User-Name = "lee"                                    <- User Name
          NAS-IP-Address = 192.168.2.254
          NAS-Port = 0
          Called-Station-Id = "80-EA-96-F1-66-81:8021x"
          Calling-Station-Id = "60-67-20-47-D2-A0"             <- 802.1x client's (supplicant's) MAC address
          Framed-MTU = 1400
          NAS-Port-Type = Wireless-802.11
          Connect-Info = "CONNECT 0Mbps 802.11"
          EAP-Message = 0x02f1002b19001703010020a941fee3dfc1e8bc55c8f52a359c7f0db0271abb69d40f92c03f4e50a30e4139
          State = 0x8996e0de8067f944f83f6147926a9247
          Message-Authenticator = 0x009d9012199ddfbce7c61491f29fba2a
  Sending Access-Accept of id 10 to 192.168.2.254 port 65412   <- Response to the 802.1x switch
          Reply-Message = "Device with MAC Address 60-67-20-47-d2-a0 authorized for network access"   <- Authorized calling station
          Tunnel-Type:0 = VLAN
          Tunnel-Medium-Type:0 = IEEE-802
          Tunnel-Private-Group-Id:0 = "14"
          Tunnel-Type:0 = VLAN
          Tunnel-Medium-Type:0 = IEEE-802
          Tunnel-Private-Group-Id:0 = "14"                     <- VLAN ID set in the Radius server for the specific user, lee
          User-Name = "lee"                                    <- User lee got authenticated
          MS-MPPE-Recv-Key = 0x6874f146e6fdf017b39f4975a31943dfa85d14db137ee592f1c3410ca32921de
          MS-MPPE-Send-Key = 0x6fb8154bdf06f911cca4883e82003e8d8ce6649224bfd5d1263d72702d4fbc11
          EAP-Message = 0x03f10004
          Message-Authenticator = 0x00000000000000000000000000000000
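The Access-Accept above carries the VLAN in RFC 2868 Tunnel-* attributes, and the switch only acts on it because the reply is authenticated with the shared secret. The following Python is an added example, not code from the NEC guide or from FreeRADIUS: it builds such an Access-Accept and shows the check a NAS performs before moving a port (verifying the Response Authenticator, then reading Tunnel-Private-Group-Id only when Tunnel-Type and Tunnel-Medium-Type agree under the same tag); the request authenticator is constructed, and the secret is the testing123 key from the Dell configuration above.

```python
import hashlib
import struct

# RADIUS code and attribute numbers for dynamic VLAN assignment (RFC 2865 / RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # "Tunnel-Type = VLAN" in the trace above
TUNNEL_MEDIUM_IEEE_802 = 6   # "Tunnel-Medium-Type = IEEE-802" in the trace above

def tagged_int_attr(attr_type, tag, value):
    # RFC 2868 tagged integer: one tag byte followed by a 3-byte value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str_attr(attr_type, tag, text):
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def build_access_accept(ident, request_authenticator, secret, vlan_id, tag=0):
    """Access-Accept with the three Tunnel-* attributes that move the authenticated port into vlan_id."""
    attrs = (tagged_int_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_str_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def verify_and_extract_vlan(packet, request_authenticator, secret):
    """NAS-side check: recompute the Response Authenticator with the shared secret
    (rejects forged or wrong-secret replies), then require Tunnel-Type=VLAN and
    Tunnel-Medium-Type=IEEE-802 under the same tag as the Tunnel-Private-Group-Id."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if (packet[0] != ACCESS_ACCEPT or struct.unpack("!H", packet[2:4])[0] != len(packet)
            or expected != packet[4:20]):
        return None                      # malformed or unauthenticated: leave the port closed
    by_tag = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # a first byte above 0x1F is data, not a tag (RFC 2868 section 3.6)
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = group.decode("ascii", "replace")
    for entry in by_tag.values():
        group = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and group.isdigit()
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and 1 <= int(group) <= 4094):
            return int(group)
    return None
```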

3. OpenFlow Switches and ProgrammableFlow Controller

An OpenFlow switch is a software program or a hardware device that forwards packets based on the flow rules defined by an OpenFlow controller. The configuration is based on Figure 2 and Figure 7, which illustrate the physical topology.

3.1 OFS versions

1. OpenFlow version 1.0
2. OpenFlow version 1.3

The demo was built on OF1.3. The OF version does not matter for this demo; the example is just a reference.

PFC example config for OF1.3:

  network-default {
    openflow-version 1.3
  }

PF5240 example config for OF1.3:

  openflow
    openflow-id 1
      protocol-version 04

3.2 OFS types

The demo enables VLAN auto configuration, so that the PFC automatically sets the VLANs on the switches and VLAN configuration mistakes on each switch are avoided. Currently VLAN auto configuration from the PFC works only on NEC PF524x switches.

1. Edge OFS
2. Core OFS

3.2.1 Edge OFS:

Edge OFS are used to connect hosts, VMs and non-OpenFlow devices. This demo used PF5240.

PF5240 SW1:

  interface gigabitethernet 0/15
    description "Uplink from 0/4 of Dell"
    initial-inactive
    switchport mode trunk
  openflow-table-resource mode 14
  openflow
    openflow-id 1
      protocol-version 04
      controller controller-name pfcserver1 2 192.168.41.10
      dpid 0000000000000001
      table normal1 priority 24000
      table expanded priority 23999
      openflow-interface gigabitethernet 0/1-40, gigabitethernet 0/43-48, tengigabitethernet 0/49-52
      emergency-mode disable
      mac-learning disable
      enable

PF5240 SW2:

  interface gigabitethernet 0/15
    description "Uplink from 0/5 of Dell"
    initial-inactive
    switchport mode trunk
  openflow
    openflow-id 1
      protocol-version 04
      controller controller-name pfcserver1 2 192.168.41.10
      dpid 0000000000000002
      table normal1 priority 24000
      table expanded priority 23999
      openflow-interface gigabitethernet 0/1-40, gigabitethernet 0/43-48, tengigabitethernet 0/49-52
      emergency-mode disable
      mac-learning disable
      enable

3.2.2 Core OFS:

Core switches are connected only to edge OFS and not to any non-OpenFlow devices. This demo used PF5820. The core VLAN 4009 has to be set manually on the PF5820, whereas 4009 was set automatically on the edge OFS.

  interface port 59
    no learning
    switchport access vlan 4009
    flood-blocking
    exit
  interface port 60
    no learning
    switchport access vlan 4009
    flood-blocking
    exit

To enable VLAN auto configuration on the PFC side:

  real-network {
    vlan-connect enable
    vlan-auto-configuration enable
  }

3.3 PFC Configuration Example

The following is the example PFC configuration for the wired scenario, with the DHCP server located inside the OpenFlow network. The PFC works as a DHCP relay agent in this example, as shown in Figure 3 and Figure 1.

  real-network {
    flow-entry-list dhcp {
      sequence-number 10 {
        mac-destination-address 0100.0000.0000 wildcard feff.ffff.ffff
        mac-ether-type 0x800
        ip-protocol 17
        l4-destination-port 67
        l4-source-port 68
      }
    }
  }
  vtn 8021xDemoVTN {
    vbridge vbr0013 {
      vlan-map vlan-id 13        <- end stations are detected dynamically by the PFC when a VLAN-tagged packet (VLAN 13) first enters the OpenFlow network
      interface if_vrt
    }
    vbridge vbr0020 {
      vlan-map vlan-id 4012
      interface vbif00020
      interface vbiftovrt
    }
    vbridge vbr0033 {
      vlan-map vlan-id 33
      interface if_s2
      interface if_vrt
    }
    vrouter vrt {
      interface if_vbr0013 {
        ip address 13.1.1.254/24
      }
      interface if_vbr0020 {
        ip address 40.1.1.254/24
      }
      interface if_vbr0033 {
        ip address 33.1.1.254/24
      }
      dhcp-relay server 40.1.1.40
      dhcp-relay interface if_vbr0013
      dhcp-relay interface if_vbr0020
      dhcp-relay enable
    }
    vexternal DHCPserver {
      ofs-map ofs-datapath-id 0000-0000-0000-0002 ofs-port GBE0/13 vlan-id 4012 tagged
      interface veif
    }
    vexternal Server2 {
      ofs-map ofs-datapath-id 0000-0000-0000-0002 ofs-port GBE0/13 vlan-id 33 tagged
      interface veif
    }
    vlink vl_vbr001_vrt_000031 {
      vtn link vbridge vbr0013 interface if_vrt vtnnode vrt interface if_vbr0013
    }
    vlink vl_vbr002_dhcpserv_000028 {
      vtn link vbridge vbr0020 interface vbif00020 vtnnode DHCPserver interface veif
    }
    vlink vl_vbr002_server2_000025 {
      vtn link vbridge vbr0033 interface if_s2 vtnnode Server2 interface veif
    }
    vlink vl_vbr002_vrt_000029 {
      vtn link vbridge vbr0033 interface if_vrt vtnnode vrt interface if_vbr0033
    }
    vlink vl_vbr002_vrt_000030 {
      vtn link vbridge vbr0020 interface vbiftovrt vtnnode vrt interface if_vbr0020
    }
  }
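The flow-entry-list dhcp in the PFC configuration above is what selects the DHCP client traffic that the PFC relays. The following Python is an added example, not NEC's code: it applies those five match fields to constructed Ethernet/IPv4/UDP frames and shows that only client-to-server DHCP broadcasts hit the entry, while unicast renewals and the server's replies do not. It assumes the wildcard follows the usual ACL convention in which set bits are "don't care", so feff.ffff.ffff compares only the group bit of the destination MAC; the sample MAC and IP addresses are constructed.

```python
import struct

# Match fields of "flow-entry-list dhcp / sequence-number 10" from the PFC config.
# Assumption: wildcard bits set to 1 are ignored, so only the multicast/broadcast
# (group) bit of the destination MAC is compared.
DHCP_FLOW = {
    "mac_dst": bytes.fromhex("010000000000"),
    "mac_dst_wildcard": bytes.fromhex("feffffffffff"),
    "ether_type": 0x0800,
    "ip_protocol": 17,
    "l4_dst_port": 67,
    "l4_src_port": 68,
}

def build_udp_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed Ethernet II / IPv4 / UDP frame; headers are enough for flow matching."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp

def matches_flow(frame, flow=DHCP_FLOW):
    """True if the frame satisfies every field of the flow entry."""
    if len(frame) < 14 + 20 + 8:
        return False
    dst_mac, ether_type = frame[:6], struct.unpack("!H", frame[12:14])[0]
    # clear the don't-care bits on both sides before comparing
    masked = bytes(a & ~w & 0xFF for a, w in zip(dst_mac, flow["mac_dst_wildcard"]))
    want = bytes(a & ~w & 0xFF for a, w in zip(flow["mac_dst"], flow["mac_dst_wildcard"]))
    if masked != want or ether_type != flow["ether_type"]:
        return False
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    if frame[14 + 9] != flow["ip_protocol"]:     # protocol field of the IPv4 header
        return False
    src_port, dst_port = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src_port == flow["l4_src_port"] and dst_port == flow["l4_dst_port"]
```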

The following is the example PFC configuration for the wireless scenario, with the DHCP server located in the traditional network. The WLC works as the DHCP server in this example, as shown in Figure 8 and Figure 9.

  vtn WirelessVTN {
    vbridge vb14 {
      vlan-map vlan-id 14        <- end stations are detected dynamically by the PFC when VLAN-tagged packets (VLAN 14) first enter the OpenFlow network
      interface vbifrouter14
    }
    vbridge vb44 {
      vlan-map vlan-id 44
      interface vbif44
      interface vbrouter44
    }
    vrouter vr {
      interface vrif14 {
        ip address 14.1.1.254/24
      }
      interface vrif44 {
        ip address 44.1.1.254/24
      }
    }
    vexternal ve44 {
      ofs-map ofs-datapath-id 0000-0000-0000-0002 ofs-port GBE0/13 vlan-id 44 tagged
      interface veif
    }
    vlink vl_vb14_vr_000033 {
      vtn link vbridge vb14 interface vbifrouter14 vtnnode vr interface vrif14
    }
    vlink vl_vb44_ve44_000032 {
      vtn link vbridge vb44 interface vbif44 vtnnode ve44 interface veif
    }
    vlink vl_vb44_vr_000034 {
      vtn link vbridge vb44 interface vbrouter44 vtnnode vr interface vrif44
    }
  }

Warning: To keep the PFC configuration of each VTN in this demo clear, the MCLAG setting on the PFC is omitted.

3.4 802.1x Supplicant Configuration Example on Windows and Linux Clients

3.4.1 Windows for wired and wireless

http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1tc=windows-7

3.4.2 Linux CentOS or RedHat

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-Configuring_Connection_Settings.html

4. Glossary

  PFC     NEC PF6800 ProgrammableFlow Controller
  PFS     NEC PF524x/PF5820 ProgrammableFlow Switch
  NAC     Network Access Control
  PEAP    Protected Extensible Authentication Protocol
  RADIUS  Remote Authentication Dial In User Service
  WLC     Wireless LAN Controller
  AP      Access Point
  OFS     OpenFlow Switch

Revision History

  Revision  Date       Author        Note
  1         1/22/2015  Jenny Oshima  Initial version
  2         2/3/2015   Jenny Oshima  Added wired/wireless user scenarios, configuration examples, supplicant configuration