Pulse Policy Secure (PPS) 9.1R1: 802.1X Authentication with a Cisco Switch
Configuration Guide
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All
other trademarks, service marks, registered trademarks, or registered service marks are the property of
their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended
for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the
End User License Agreement (“EULA”) posted at www.pulsesecure.net. By downloading, installing or
using such software, you agree to the terms and conditions of that EULA.
Figure: Overview
Configuration
The goal is to provide secure, role-based access control on a Cisco switch through PPS: PPS authenticates the user over 802.1X, maps the user to a role according to Host Checker compliance, and returns a VLAN and an ACL (a Filter-Id naming an ACL on the switch, or Cisco-AVPair downloadable access control entries) that the switch enforces on the port.
Figure 2: Realm
3. Under Rule Settings, select the rule type as Predefined Firewall and click Add.
4. Enter the rule name, specify the criteria for compliance, and click Save Changes.
4. Select User Roles > <Full Access Role> > General > Restrictions > Host Checker. Add the Firewall Policy restriction created earlier in Creating a Host Checker Policy for Full Access Role. Click Save Changes.
5. Set the role mapping rules. Select User Realms > Users > Role Mapping > New Rule.
Once the role mapping rules are configured, the following screen is displayed.
The following example shows the RADIUS return attributes used to send the VLAN ID (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number). In the example below, VLAN 65 is returned for the Full Access Role and VLAN 60 for the Limited Access Role.
The following example shows the Cisco-AVPair RADIUS attribute policy for Cisco switches.
Note:
• When Cisco-AVPair VSAs are used, no ACLs or firewall filters need to be configured on the switch: the access control entries (ACEs) are managed in PPS and pushed to the switch after user authentication, where they are applied to that user's session.
• VLAN change using CoA is not supported with Cisco switches. Use a RADIUS Disconnect-Request to terminate the session instead; the client re-authenticates and receives the new VLAN in the fresh Access-Accept.
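As an added example (not part of this guide or of the PPS product), the following Python encodes what the Access-Accept for each role carries on the wire, the VLAN via the Tunnel-* attributes of RFC 2868, the Filter-Id of RFC 2865 and the Cisco-AVPair downloadable ACEs, and the Disconnect-Request (RFC 5176) that the note above recommends for a VLAN change. The shared secret psecure matches the switch configuration below; the resource addresses, session identifiers and ACE text are assumed values for illustration, and the attribute values themselves are what you would set in the PPS RADIUS attribute policy, not something this script sends anywhere. It runs offline and only builds, parses and verifies packets in memory.

```python
"""RADIUS attribute encoding for the PPS -> Cisco switch exchange (added example)."""
import hashlib
import struct

# RADIUS codes (RFC 2865 / RFC 5176) and attribute types used here
ACCESS_ACCEPT = 2
DISCONNECT_REQUEST = 40
USER_NAME, FILTER_ID, VENDOR_SPECIFIC = 1, 11, 26
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # IANA enterprise 9, vendor-type 1 = cisco-avpair
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Type/Length/Value; the length octet counts the 2-byte header (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet then a 3-octet integer (RFC 2868)."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attrs(vlan_id: int) -> bytes:
    """The three attributes a Cisco switch needs to place the session in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan_id).encode()))


def cisco_avpair(pair: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 9 and vendor-type 1 (cisco-avpair)."""
    inner = pair.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
               + struct.pack("!BB", CISCO_AVPAIR, len(inner) + 2) + inner)


def dacl_attrs(aces: list[str]) -> bytes:
    """Downloadable ACEs as ip:inacl#N=... pairs, one VSA per entry, numbered from 1."""
    return b"".join(cisco_avpair(f"ip:inacl#{i}={ace}") for i, ace in enumerate(aces, 1))


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def disconnect_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret) (RFC 5176 section 2.3)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_authenticator(packet: bytes, secret: bytes, request_auth: bytes = bytes(16)) -> bool:
    """Recompute the authenticator the receiver checks: pass the Access-Request authenticator for a
    response, or leave the default 16 zero octets for a Disconnect-Request."""
    header, given, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == given


def parse_attrs(packet: bytes) -> list[tuple[str, object]]:
    """Decode attributes into (name, value) pairs, unwrapping the Cisco VSA and the tunnel tag octet."""
    names = {FILTER_ID: "Filter-Id", USER_NAME: "User-Name", CALLING_STATION_ID: "Calling-Station-Id",
             ACCT_SESSION_ID: "Acct-Session-Id", TUNNEL_TYPE: "Tunnel-Type",
             TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type", TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}
    out, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out.append(("Cisco-AVPair", value[6:].decode()))   # skip vendor id, vendor type, vendor length
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((names[attr_type], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out.append((names[attr_type], value[1:].decode()))
        else:
            out.append((names.get(attr_type, str(attr_type)), value.decode()))
        i += length
    return out


def full_access_accept(identifier: int, request_auth: bytes, secret: bytes) -> bytes:
    """Full Access Role: VLAN 65 plus Filter-Id 'compliant' (the ACL of that name on the switch)."""
    return access_accept(identifier, request_auth, secret, vlan_attrs(65) + avp(FILTER_ID, b"compliant"))


def limited_access_accept(identifier: int, request_auth: bytes, secret: bytes, resources: list[str]) -> bytes:
    """Limited Access Role: VLAN 60 plus Cisco-AVPair ACEs denying the protected resources (assumed IPs)."""
    aces = [f"deny ip any host {ip}" for ip in resources] + ["permit ip any any"]
    return access_accept(identifier, request_auth, secret, vlan_attrs(60) + dacl_attrs(aces))


def disconnect_session(identifier: int, secret: bytes, acct_session_id: str, calling_station_id: str) -> bytes:
    """Disconnect-Request identifying the session by Acct-Session-Id and Calling-Station-Id (RFC 5176)."""
    attrs = avp(ACCT_SESSION_ID, acct_session_id.encode()) + avp(CALLING_STATION_ID, calling_station_id.encode())
    return disconnect_request(identifier, secret, attrs)
```

Running parse_attrs over the limited-access packet shows the ACEs exactly as the switch receives them (ip:inacl#1=deny ip any host ..., ending in ip:inacl#3=permit ip any any), which is the easiest way to check a PPS attribute policy before pointing a switch at it. The Disconnect-Request goes to the switch's dynamic-author port (3799 in the configuration below) and is authenticated with the server-key configured there, not the RADIUS key.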
# Interface configuration. "authentication event server dead action authorize"
# fails open: when no RADIUS server answers, the port is authorized into the
# configured access VLAN (60) without any authentication. Pair it with
# "authentication event server alive action reinitialize" so the session is
# re-authenticated once PPS is reachable again.
interface GigabitEthernet1/0/7
 switchport access vlan 60
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 authentication event server dead action authorize
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast
end
# Specify the server group for authentication, authorization and accounting.
aaa authentication dot1x default group <group-name>
aaa authorization network default group <group-name>
aaa accounting dot1x default start-stop group <group-name>
# Configure PPS as the RADIUS server. "psecure" is only the example shared
# secret: use a long random value and configure the same secret on PPS.
radius server <PPS-Server-name>
 address ipv4 <PPS-IP Address> auth-port 1812 acct-port 1813
 key psecure
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server retransmit 1
# Create the server group which will be used for AAA and add PPS as a server in it.
aaa group server radius <group-name>
 server name <PPS-Server-name>
# ACL configuration. The ACL names must match the Filter-Id values PPS returns
# ("compliant" and "noncompliant" in the session output below); a Filter-Id that
# names no ACL on the switch leaves the session without its intended filter.
ip access-list extended compliant
 permit ip any any
ip access-list extended noncompliant
 deny ip any host <Resource-IP-Address1>
 deny ip any host <Resource-IP-Address2>
 permit ip any any
Check the PPS active users table for the session details: the user has been assigned the Limited Access Role.
Then verify on the switch that the Filter-Id was applied, for example with show authentication sessions interface GigabitEthernet1/0/13 details. In the output below, the Filter-ID applied is noncompliant, which must match an ACL of that name on the switch; if the session shows Authorized but no filter takes effect, check whether your IOS release expects the Filter-Id value with the .in suffix (noncompliant.in). Note also Oper host mode: multi-host: once one supplicant has authenticated, every other MAC address seen on the port is allowed as well, so use single-host or multi-auth mode on user-facing ports.
Interface: GigabitEthernet1/0/13
IIF-ID: 0x19C91A80
MAC Address: 0050.56bf.554f
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: anonymous
Status: Authorized
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A190FCA0000029B7A2669E1
Acct Session ID: 0x0000000f
Handle: 0x6d00000f
Current Policy: POLICY_Gi1/0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured
Server Policies:
Filter-ID: noncompliant
Method status list:
Method State
dot1x Authc Success
For the compliant user, the PPS active users table shows the Full Access Role and the switch reports the compliant Filter-Id:
Interface: GigabitEthernet1/0/13
IIF-ID: 0x11BB48C9
MAC Address: 0050.56bf.554f
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: anonymous
Status: Authorized
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A190FCA0000029C7A2CAD96
Acct Session ID: 0x00000010
Handle: 0x1a000010
Current Policy: POLICY_Gi1/0/3
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecured
Server Policies:
Filter-ID: compliant
Method status list:
Method State
dot1x Authc Success
The full switch configuration used in this example follows (show configuration; the capture ends at the PKI trustpoint). It carries lab-convenience settings that must not be reused as-is: no service password-encryption and enable password Cisco keep the enable password in clear text (use enable secret instead); the dynamic-author (CoA) client uses the short server-key 12345; and ignore server-key together with ignore session-key tells the switch not to validate those keys on incoming CoA and Disconnect requests from 10.209.126.152. Use a long random shared secret and drop the ignore options before production.
#show configuration
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname myswitch
boot-start-marker
boot-end-marker
enable password Cisco
username admin privilege 15 secret 5 $1$mUVx$5lNk8ibYzrj4fyRtVPhb91
aaa new-model
aaa group server radius radiusgroup
server name radiusserver
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group radiusgroup
aaa authorization network default group radiusgroup
aaa authorization auth-proxy default group radiusgroup
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting identity default start-stop broadcast group radiusgroup
aaa accounting network default start-stop group radiusgroup
aaa server radius dynamic-author
client 10.209.126.152 server-key 12345
port 3799
auth-type all
ignore session-key
ignore server-key
aaa session-id common
clock timezone IST 5 30
switch 1 provision ws-c2960x-24pd-l
ip dhcp snooping
ip domain-name pps.local
crypto pki trustpoint TP-self-signed-3051400704
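Two things in this guide are easy to get wrong and cheap to check automatically: the ACL names on the switch must match the Filter-Id values the sessions report, and the lab settings in the configuration above must not reach production. The following Python is an added example (not part of this guide or of any Cisco or Pulse Secure tool) that reads text in the shape of show configuration and show authentication sessions ... details output and reports both. The sample configuration and session text are constructed from the fragments on this page, the 10.1.1.10 resource address and the 16-character minimum secret length are assumptions, and the session mismatch it flags (Filter-ID noncompliant against an ACL named uncompliant) is the one the original ACL configuration on this page contained.

```python
"""Audit a Catalyst switch's 802.1X configuration against its reported session state (added example)."""
import re

# Constructed sample, assembled from the configuration fragments on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius radiusgroup
 server name radiusserver
aaa authentication dot1x default group radiusgroup
aaa authorization network default group radiusgroup
aaa server radius dynamic-author
 client 10.209.126.152 server-key 12345
 port 3799
 auth-type all
 ignore session-key
 ignore server-key
no service password-encryption
enable password Cisco
radius server radiusserver
 address ipv4 10.209.126.152 auth-port 1812 acct-port 1813
 key psecure
interface GigabitEthernet1/0/7
 switchport access vlan 60
 switchport mode access
 authentication periodic
 authentication event server dead action authorize
 access-session port-control auto
 dot1x pae authenticator
ip access-list extended compliant
 permit ip any any
ip access-list extended uncompliant
 deny ip any host 10.1.1.10
 permit ip any any
"""

# Constructed sample in the shape of the session output shown above.
SAMPLE_SESSION = """\
Interface: GigabitEthernet1/0/13
MAC Address: 0050.56bf.554f
User-Name: anonymous
Status: Authorized
Oper host mode: multi-host
Server Policies:
Filter-ID: noncompliant
"""

MIN_SECRET_LEN = 16  # assumed local policy for RADIUS and CoA shared secrets


def acl_names(config: str) -> set[str]:
    """Names of the named ACLs defined on the switch."""
    return set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))


def filter_ids(session: str) -> list[str]:
    """Filter-Id values the switch reports under Server Policies."""
    return re.findall(r"^\s*Filter-ID:\s*(\S+)", session, re.M)


def check_filter_ids(config: str, session: str) -> list[str]:
    """Each Filter-Id (with or without the .in/.out suffix) must name an ACL that exists on the switch."""
    names = acl_names(config)
    findings = []
    for fid in filter_ids(session):
        base = re.sub(r"\.(in|out)$", "", fid)
        if base not in names:
            findings.append(f"Filter-ID '{fid}' names no ACL on the switch; defined ACLs: {sorted(names)}")
    return findings


def check_hardening(config: str, session: str) -> list[str]:
    """Lab-convenience settings visible in this guide's configuration that weaken the deployment."""
    findings = []
    if re.search(r"^no service password-encryption", config, re.M):
        findings.append("'no service password-encryption': passwords are stored in clear text")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' in use; replace with 'enable secret'")
    secrets = re.findall(r"server-key (\S+)", config) + re.findall(r"^\s*key (\S+)", config, re.M)
    for secret in secrets:
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"shared secret '{secret}' is shorter than {MIN_SECRET_LEN} characters")
    for opt in ("server-key", "session-key"):
        if re.search(rf"^\s*ignore {opt}", config, re.M):
            findings.append(f"'ignore {opt}' under dynamic-author relaxes checks on incoming CoA/Disconnect requests")
    if ("authentication event server dead action authorize" in config
            and "authentication event server alive action reinitialize" not in config):
        findings.append("port fails open when RADIUS is dead but never re-initializes when it returns")
    if re.search(r"^\s*Oper host mode:\s*multi-host", session, re.M):
        findings.append("session is in multi-host mode: every MAC on the port rides on the first authentication")
    return findings


def audit(config: str, session: str) -> list[str]:
    """All findings for one switch: Filter-Id mismatches first, then hardening gaps."""
    return check_filter_ids(config, session) + check_hardening(config, session)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SESSION):
        print("-", finding)
```

Feed it the real show configuration and show authentication sessions interface ... details output captured from the switch; the Filter-Id check is the one to run right after changing an attribute policy in PPS, since the switch reports Status: Authorized whether or not the named ACL exists.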