
Wednesday, 3 March 2010

Wired 802.1x Port Authentication with Certificate Auto Enrolment

As we all know, compliance is one of the biggest issues facing companies at the moment, leading some IT departments to take a look at 802.1x as a way of controlling and securing access to their wired networks.

The main reason for this post is that there are a few articles out there containing untruths and incorrect facts, often because their authors have not implemented the technologies themselves.

Here is the lab:




So here we go:
Part 1
GNS Setup
VMware Workstation Setup
Domain Controller Setup

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part1 from Richard Vimeo on Vimeo.



Part 2
Certificate Service Setup
Certificate Templates
Switch Setup
IAS/Radius install
Auto Enrolment

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part2 from Richard Vimeo on Vimeo.




Part 3
IAS Setup
Extra Switch Config
Flicking the Switch! (on the switch)
Testing
Event Log Messages

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part3 from Richard Vimeo on Vimeo.

Thursday, 18 June 2009

Router to Cisco VPN Client

Fairly similar to the Router to Router setup, but it does have some key differences.


1) As we are using ACS we need to set that up:


aaa new-model
!
!
aaa authentication login USERAUTH group radius
aaa authorization network GROUPAUTH local
!
!
radius-server host 192.168.0.45 auth-port 1645 acct-port 1646 key cisco123


2) Define ISAKMP policy

crypto isakmp policy 110
encr 3des
authentication pre-share
group 2


3) Set up group configuration:

crypto isakmp client configuration group VPNGROUP
key letmeinvpngroup
dns 192.168.0.3
domain cisco.local
pool IPPOOL
acl SPLIT_TUNNEL


4) Define IPPOOL

ip local pool IPPOOL 10.8.0.2 10.8.0.20


5) Define SPLIT_TUNNEL

ip access-list extended SPLIT_TUNNEL
permit ip 192.168.15.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 16.0.0.0 3.255.255.255 10.8.0.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.34.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip host 1.1.1.1 10.8.0.0 0.0.0.255
permit ip host 2.2.2.2 10.8.0.0 0.0.0.255
permit ip host 3.3.3.3 10.8.0.0 0.0.0.255
permit ip host 4.4.4.4 10.8.0.0 0.0.0.255


6) Set up Transform Set:

crypto ipsec transform-set USER_TRANSFORM esp-3des esp-sha-hmac


7) Set up Dynamic Map:

crypto dynamic-map DYNAMAP 10
set transform-set USER_TRANSFORM


8) Bring it all together with a Crypto Map:

crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMAP


9) Finally Apply it to the interface:

interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CLIENTMAP


10) Set up VPN client:
Group name is from this line above:
crypto isakmp client configuration group VPNGROUP
and the password is from this line:
key letmeinvpngroup



11) Set up ACS:


12) Adding a user to ACS is too easy for a picture, you will have to work that one out yourself :)
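Steps 1 to 9 above hand names from one step to the next (USERAUTH, GROUPAUTH, IPPOOL, SPLIT_TUNNEL, USER_TRANSFORM, DYNAMAP, CLIENTMAP), and IOS will happily accept a misspelt one. The following is an added example, not from the original post, that cross-checks a pasted config for dangling or unused names; the sample config is constructed from the steps above with one deliberate typo in the group's acl line.

```python
# Added example, not from the original post: every name one step defines must be
# referenced by the step that consumes it, and every reference must resolve.
import re

# (regex capturing the name, kind of object, whether the line defines or references it)
RULES = [
    (r"^aaa authentication login (\S+)", "auth-list", "def"),
    (r"^aaa authorization network (\S+)", "authz-list", "def"),
    (r"^ip local pool (\S+)", "pool", "def"),
    (r"^ip access-list extended (\S+)", "acl", "def"),
    (r"^crypto ipsec transform-set (\S+)", "transform-set", "def"),
    (r"^crypto dynamic-map (\S+) \d+", "dynamic-map", "def"),
    (r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", "crypto-map", "def"),
    (r"^crypto map \S+ client authentication list (\S+)", "auth-list", "ref"),
    (r"^crypto map \S+ isakmp authorization list (\S+)", "authz-list", "ref"),
    (r"^\s*pool (\S+)", "pool", "ref"),            # inside the client configuration group
    (r"^\s*acl (\S+)", "acl", "ref"),              # inside the client configuration group
    (r"^\s*set transform-set (\S+)", "transform-set", "ref"),
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map", "ref"),
    (r"^\s*crypto map (\S+)$", "crypto-map", "ref"),  # bare form under the interface
]

def check_vpn_config(config: str) -> list:
    """Return dangling or unused names; an empty list means every name resolves."""
    names = {"def": set(), "ref": set()}
    for line in config.splitlines():
        for pattern, kind, role in RULES:
            if m := re.match(pattern, line):
                names[role].add((kind, m.group(1)))
    return ([f"{k} '{n}' referenced but never defined" for k, n in sorted(names["ref"] - names["def"])]
            + [f"{k} '{n}' defined but never referenced" for k, n in sorted(names["def"] - names["ref"])])

# Constructed sample: the steps above, with SPLIT_TUNNEL misspelt in the group config.
SAMPLE = """\
aaa authentication login USERAUTH group radius
aaa authorization network GROUPAUTH local
crypto isakmp client configuration group VPNGROUP
 pool IPPOOL
 acl SPLIT_TUNEL
ip local pool IPPOOL 10.8.0.2 10.8.0.20
ip access-list extended SPLIT_TUNNEL
crypto ipsec transform-set USER_TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNAMAP 10
 set transform-set USER_TRANSFORM
crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMAP
interface FastEthernet0/1
 crypto map CLIENTMAP
"""
```

Running `check_vpn_config(SAMPLE)` reports the acl referenced as SPLIT_TUNEL but defined as SPLIT_TUNNEL; a config pasted from `show running-config` can be checked the same way.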