mirror of https://gitlab.com/netravnen/NetworkLabNotes.git synced 2024-11-26 19:27:57 +00:00

Merge branch 'feature/802.1x' into develop

This commit is contained in:
chhan11 2017-06-01 23:47:05 +02:00
parent 5c29ce5e9c
commit d362c3f440
3 changed files with 48 additions and 3 deletions


@ -7,9 +7,11 @@
%\newacronym{}{}{} %\newacronym{}{}{}
%\newacronym{}{}{} %\newacronym{}{}{}
%\newacronym{}{}{} %\newacronym{}{}{}
\newacronym{ap}{AP}{Access Point}
\newacronym{arp}{ARP}{Address Resolution Protocol} \newacronym{arp}{ARP}{Address Resolution Protocol}
\newacronym{bgp}{BGP}{Border Gateway Protocol} \newacronym{bgp}{BGP}{Border Gateway Protocol}
\newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit} \newacronym{bpdu}{BPDU}{Bridge Protocol Data Unit}
\newacronym{cdp}{CDP}{Cisco Discovery Protocol}
\newacronym{cli}{CLI}{Command Line Interface} \newacronym{cli}{CLI}{Command Line Interface}
\newacronym{cst}{CST}{Common Spanning Tree} \newacronym{cst}{CST}{Common Spanning Tree}
\newacronym{cwdm}{CWDM}{} \newacronym{cwdm}{CWDM}{}
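Review bot: `ap` and `cdp` are both referenced from the 802.1X text added in this commit (`\gls{ap}`, `\gls{cdp}`), so these two glossary entries are needed and are placed in alphabetical order. While touching this block, the trailing context line `\newacronym{cwdm}{CWDM}{}` still has an empty long form, which glossaries will typeset as an empty expansion on first use; the same applies to `dwdm` in the next hunk. Filling in Coarse/Dense Wavelength Division Multiplexing would be a one-line follow-up.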
@ -17,7 +19,10 @@
\newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol} \newacronym{dhcp}{DHCP}{Dynamic Host Control Protocol}
\newacronym{dknog}{DKNOG}{Danish Network Operators' Group} \newacronym{dknog}{DKNOG}{Danish Network Operators' Group}
\newacronym{dns}{DNS}{Domain Name System} \newacronym{dns}{DNS}{Domain Name System}
\newacronym{dst}{DST}{Destination}
\newacronym{dwdm}{DWDM}{} \newacronym{dwdm}{DWDM}{}
\newacronym{eap}{EAP}{Extensible Authentication Protocol}
\newacronym{eapol}{EAPOL}{Extensible Authentication Protocol over Local Area Network}
\newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol} \newacronym{eigrp}{EIGRP}{Enhanced Interior Gateway Routing Protocol}
\newacronym{evpn}{EVPN}{Ethernet Virtual Private Network} \newacronym{evpn}{EVPN}{Ethernet Virtual Private Network}
\newacronym{ftp}{FTP}{File Transfer Protocol} \newacronym{ftp}{FTP}{File Transfer Protocol}
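Review bot: the `dhcp` context line above expands DHCP as `Dynamic Host Control Protocol`; the protocol is the Dynamic Host Configuration Protocol (RFC 2131), so it is worth correcting that line while adding entries here. The new `eap` and `eapol` entries match the `\gls{eap}` / `\gls{eapol}` uses in the 802.1X text of this commit. `dst` for Destination is a style choice; note that glossaries prints the long form on first use, which may read oddly in a header-field description.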
@ -40,6 +45,7 @@
\newacronym{mkc}{MKC}{Mikkel Krøll} \newacronym{mkc}{MKC}{Mikkel Krøll}
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching} \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
\newacronym{mst}{MST}{Multiple Spanning Tree} \newacronym{mst}{MST}{Multiple Spanning Tree}
\newacronym{ntp}{NTP}{Network Time Protocol}
\newacronym{osi}{OSI}{Open Systems Interconnection} \newacronym{osi}{OSI}{Open Systems Interconnection}
\newacronym{ospf}{OSPF}{Open Shortest Path First} \newacronym{ospf}{OSPF}{Open Shortest Path First}
\newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3} \newacronym{ospfv3}{OSPFV3}{Open Shortest Path First v3}
@ -51,12 +57,16 @@
\newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus} \newacronym{pvst+}{PVST+}{Per Vlan Spanning Tree Plus}
\newacronym{rfc}{RFC}{Request For Comments} \newacronym{rfc}{RFC}{Request For Comments}
\newacronym{rip}{RIP}{Routing Information Protocol} \newacronym{rip}{RIP}{Routing Information Protocol}
\newacronym{rspt}{RSTP}{Rapid Spanning Tree} \newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
\newacronym{rpvst+}{RPVST}{Rapid Per Vlan Spanning Tree} \newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree}
\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus}
\newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol} \newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
\newacronym{sla}{SLA}{Service Level Agreement}
\newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol} \newacronym{smtp}{SMTP}{Simpe Mail Transfer Protocol}
\newacronym{snmp}{SNMP}{Simple Network Management Protocol} \newacronym{snmp}{SNMP}{Simple Network Management Protocol}
\newacronym{sntp}{SNTP}{Secure Network Time Protocol}
\newacronym{sp}{SP}{Service Provider} \newacronym{sp}{SP}{Service Provider}
\newacronym{src}{SRC}{Source}
\newacronym{ssh}{SSH}{Secure Shell} \newacronym{ssh}{SSH}{Secure Shell}
\newacronym{stp}{STP}{Spanning Tree Protocol} \newacronym{stp}{STP}{Spanning Tree Protocol}
\newacronym{tcn}{TCN}{Topology Change Notification} \newacronym{tcn}{TCN}{Topology Change Notification}
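Review bot: `\newacronym{sntp}{SNTP}{Secure Network Time Protocol}` is incorrect; SNTP is the Simple Network Time Protocol (RFC 4330), a simplified NTP client profile, not a secured variant, and the wrong expansion will be typeset every time `\gls{sntp}` is first used. This hunk also renames the glossary keys `rspt` to `rstp` and `rpvst+` to `rpvst` while adding a separate `rpvst+` entry for RPVST+; any existing `\gls{rspt}` reference will now fail to resolve, and any existing `\gls{rpvst+}` that meant plain RPVST will silently pick up the new "Plus" entry, so grep the tree for both keys before merging. The `smtp` context line still reads `Simpe Mail Transfer Protocol`.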
@ -65,6 +75,7 @@
\newacronym{toc}{TOC}{Table Of Contents} \newacronym{toc}{TOC}{Table Of Contents}
\newacronym{udld}{UDLD}{Unidirectional Link Detection} \newacronym{udld}{UDLD}{Unidirectional Link Detection}
\newacronym{udp}{UDP}{User Datagram Protocol} \newacronym{udp}{UDP}{User Datagram Protocol}
\newacronym{utc}{UTC}{Coordinated Universal Time}
\newacronym{vlan}{VLAN}{Virtual Local Area Network} \newacronym{vlan}{VLAN}{Virtual Local Area Network}
\newacronym{vpn}{VPN}{Virtual Private Network} \newacronym{vpn}{VPN}{Virtual Private Network}
\newacronym{vtp}{VTP}{Virtual Trunking Protocol} \newacronym{vtp}{VTP}{Virtual Trunking Protocol}
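Review bot: the `vtp` context line expands VTP as `Virtual Trunking Protocol`; Cisco's VTP is the VLAN Trunking Protocol. The `utc` addition itself is fine and pairs with the `ntp` entry added in this commit.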


@ -130,3 +130,37 @@ tacacs-server unkn0wn!unicAst
\end{itemize} \end{itemize}
\fig{8021x/8021x}{8021x}{ID Management} \fig{8021x/8021x}{8021x}{ID Management}
Based upon the user connecting to the network. They can be given access to
\begin{itemize}
\item the resources their group/identity have been assigned or
\item put into a guest \gls{vlan} if nothing is assigned to them or
\item simply block the client/user altogether.
\end{itemize}
Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
\begin{itemize}
\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
\item The \textbf{authentication server}
\end{itemize}
\fig{8021X/portauth}{portauth}{802.1X Port Auth}
802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
\clearpage
\subsection*{Enable with Cisco config}
\begin{txt}
aaa new-model
radius server host radiusserver.example.com key .unkown!unicAst.
aaa group server radius RADIUS-SERVER-DK
server radiusserver.example.com
aaa authetication dot1x default group RADIUS-SERVER-DK
dot1x system-auth-control
interface GigabitEthernet 0/4
switchport mode access ! Port must be an access port prior
dot1x port-control auto ! to enable dot1x on the port
\end{txt}
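Review bot: `aaa authetication dot1x default group RADIUS-SERVER-DK` in the config block is misspelled and will be rejected by the IOS parser; it should read `aaa authentication dot1x default group RADIUS-SERVER-DK`. The prose above also contradicts the config: `aaa authentication dot1x` is the global AAA method list, while per-port enablement is `dot1x port-control auto`, exactly as the config block shows, so the sentence "then enabled on the switch port(s) by \cliline{aaa authentication dot1x}" should point at `dot1x port-control auto` instead. Two smaller points: `radius server host radiusserver.example.com key ...` mixes the legacy one-line `radius-server host <host> key <key>` form with the newer `radius server <name>` block form (where `address ipv4 ...` and `key ...` are sub-commands), so pick one syntax; and the `\textbf{authentication server}` bullet has no body. Finally, the new figure path `8021X/portauth` (matching the PNG added under `img/8021X/` in this commit) uses a different case from the existing `8021x/8021x` on the context line, which will break one of the two on a case-sensitive filesystem.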

BIN
img/8021X/portauth.png Normal file

Binary file not shown.
