Chapter 1: Identity Management/Secure Access

AAA Concepts

In the previous section, different techniques were explained to stop an attacker from gaining unauthorized access to network infrastructure. Users who are required to access networking devices for maintenance or configuration also need to be authorized, and a proper audit trail must exist so that the responsible person can be identified when needed. AAA is about implementing these goals with some centralized command and control. For example, suppose an organization has 100 devices located at different geographical locations. One method is to access these devices one by one and add to each a local database containing the usernames and passwords of all authorized persons. The second solution is to have a centralized server containing that database, with each device pointing to the server for its decisions.

AAA Components

AAA is a modular framework that tries to cater for all kinds of access over the network, whether a network administrator trying to access a networking device or an end user trying to send data traffic out of the local LAN.

The three main components of AAA are:

Authentication: Authentication is the process of proving identity to the system. It is used in every kind of system, not just in computer networking. In a banking system, we need to prove our identity by entering a password before making a transaction. Similarly, if a network administrator needs to access a router or a switch and make changes, some kind of authentication must be defined on the device. The first, but least practical, solution would be to define a database of usernames and passwords inside the device itself. The second option is to use a centralized server such as Cisco ACS or ISE. On Cisco devices, the two options can be combined by defining a method list, which states the preferred authentication methods in order: if one method is not available, the next one is used, and so on. Examples of these methods are explained in the Lab section of AAA.

Authorization: After a user's authentication succeeds, the next problem to deal with is the level of clearance that the user needs to perform the actions they are entitled to. Another example from banking illustrates this perfectly. After entering the correct password, we are authorized to withdraw at most the balance available in our bank account. There are similar scenarios in computer networking where a user's access needs to be restricted. For example, an end user may need network resources for eight hours a day, while a network administrator may need the commands associated with privilege level 4. Custom as well as default method lists are used to define authorization on Cisco devices.

Accounting: The third element of AAA is accounting, or auditing. Whenever a user is authenticated and authorized for a specific set of commands on a Cisco device, the commands used while accessing that device during a specific time must be recorded. As with authentication and authorization, either a default or a custom method list defines what should be accounted for and where to send this information.

Device Administration

Device administration is the AAA process for controlling access to a network device via a Telnet session, an SSH session or the console. Imagine a scenario in which your company uses Active Directory for secure network access and you have privilege level 15 (full access). In this case, you can do anything you want with the network device. If you have limited access, you are restricted to some particular commands.

Network Access

Secure network access is necessary in order to identify a user or endpoint before permitting it to communicate on or access the network. Secure network access is the main topic covered in this course. AAA has an important role in network access authentication and authorization. Nowadays, organizations have to support remote users, multiple sites, BYOD and much more. To filter legitimate users, AAA network access authentication is required: AAA authenticates these devices and controls what their users are authorized to do.

Options for implementing AAA

Cisco provides a number of ways to implement AAA. Over the years, many names have been used for the appliance that implements the centralized list of usernames and passwords used for access; two examples are the ACS server and the RADIUS server. Today, two such proprietary Cisco servers exist, namely ACS and ISE. A few open source implementations, such as FreeRADIUS on Linux, are also very popular in ISP environments.

The following are the different options for centralized servers:

Cisco Secure ACS Solution Engine: In the past, Cisco sold this solution as a hardware appliance with the Cisco Access Solution (ACS) server preinstalled. However, it can also be installed in a virtualized environment such as VMware, including in production. Any network device that wishes to implement AAA becomes a client of this server, which contains the usernames and passwords and the level of authorization associated with each username. Two protocols are commonly used for communication between the client and the ACS server, namely TACACS+ and RADIUS. Generally, TACACS+ is used between the client device and the server when giving access to network administrators, while RADIUS is normally preferred between the device and the ACS server when allowing access to end users of the network. However, this is not a hard and fast rule; either protocol, or both at the same time, can be used.

Entering every single username, password and associated authorization level into ACS can be time-consuming, as the majority of organizations that can afford ACS have a very large number of employees. ACS has a useful feature of integrating with an already running database that contains every username and password. An example of this would be integrating AAA with Microsoft Active Directory.

ACS comes in different forms. Older versions of ACS could be installed on an already running Windows-based server. Another option is to purchase a hardware appliance from Cisco with ACS preinstalled. The third and most convenient option is to install ACS in VMware on an ESXi server. The basic functionality and purpose of ACS remain the same regardless of which deployment method is used.

ACS in a nutshell:

To explain the full process of ACS giving a user access over the network, consider the scenario shown in Figure 1-1.

Figure 1-1. ACS in working environment.

Consider an end user who comes to the office and tries to log in at a workstation, or a network administrator who tries to log in to a switch, a router or even a firewall. Assume the router is configured to use ACS as the primary tool for AAA, and that ACS is also integrated with Microsoft Active Directory (AD) and LDAP servers. The request first comes to the router, which prompts the user for a username and password. Upon submission, the router sends the query to the ACS server, which in turn contacts LDAP or AD to check the authenticity of the provided username and password. Upon a green signal from LDAP or AD, ACS verifies the authorization level of that user and gives the green signal to the originating network device to allow that user the authorized access.

Identity Service Unit (ISE): ISE is used for secure access management, like ACS. It is a single policy control point for an entire enterprise, including wired and wireless technologies. Before giving access to endpoints, or even to networking devices themselves, ISE checks their identity, location, time, type of device and even the health of endpoints to make sure that they comply with the company's policy, such as antivirus, latest service pack and OS updates. Most of the time people prefer ACS to ISE; although ISE can implement AAA, it is not a complete replacement for ACS.

Protocol Selection between ACS and Client: In general, TACACS+ is preferred over RADIUS when you need to give access to a network administrator, say CLI access to a router, as well as authorize a specific group of commands and ensure an audit trail. This is due to its granular control over which commands are allowed.

When configuring end clients so they can send their traffic over the network, RADIUS is always preferred over TACACS+. It is not compulsory to follow this convention; TACACS+ and RADIUS can also be used simultaneously between an ACS server and its client devices.

This table summarizes and compares the distinguishing features of TACACS+ and RADIUS.

TACACS+                                      RADIUS
-------------------------------------------  ------------------------------------------
TCP port 49                                  UDP ports 1812/1645 for authentication,
                                             1813/1646 for accounting
Encrypts full payload                        Encrypts only passwords
Cisco proprietary                            Open standard
Used for device administration               Used for network access
Separates authentication and authorization   Combines authentication and authorization

Table 1. Comparison between RADIUS and TACACS+


TACACS is a set of protocols created for controlling access to Unix terminals. Cisco created a new protocol called TACACS+, which was released as an open standard in the early 1990s. TACACS+ may be derived from TACACS, but it is a completely separate, non-backward-compatible protocol designed for AAA. Although TACACS+ is mainly used for device administration AAA, you can use it for some types of network access AAA.

TACACS+ Authentication Messages

Authentication is the act of determining who a user is. It may use a username and password combination, or a modern authentication requirement such as a one-time password or a challenge. When using TACACS+ for authentication, only three types of packets are exchanged between the client (the network device) and the server; the authorization and accounting exchanges use their own packet types, listed after them:

   Authentication START—This packet is used to begin the authentication request between the AAA client and the AAA server.

   Authentication REPLY—Messages sent from the AAA server to the AAA client.

   Authentication CONTINUE—Messages from the AAA client used to respond to the AAA server requests for username and password.

   Authorization REQUEST—Fixed set of fields describing the authenticity of the user, and a variable set of arguments that describes the services and options for which authorization is requested.

   Authorization RESPONSE—It contains a variable set of response arguments.

   Accounting REQUEST—It conveys information used to provide accounting for a service provided to a user.

   Accounting REPLY—It is used to indicate that the accounting function on the server has completed and securely committed the record.

Figure 1-2. TACACS+ Packets


RADIUS is an IETF standard for AAA. As with TACACS+, RADIUS follows a client/server model in which the client initiates the requests to the server. RADIUS is the protocol of choice for network access AAA, and it’s time to get very familiar with RADIUS. If you connect to a secure wireless network regularly, RADIUS is most likely being used between the wireless device and the AAA server. Why? Because RADIUS is the transport protocol for EAP, along with many other authentication protocols.

Originally, RADIUS was used to extend the authentications from the Layer-2 Point-to-Point Protocol (PPP) used between the end user and the Network Access …

Figure 1-3. RADIUS Packets

TACACS+ vs RADIUS: The two protocols used with ACS as the language of communication between a networking device and the ACS server are RADIUS and TACACS+. TACACS+ stands for Terminal Access Control Access Control Server and it is Cisco proprietary. Whenever TACACS+ is used for communication between the device and the server, it encrypts the full payload of the packet before sending it over the network.

Another possible protocol is RADIUS, an acronym for Remote Authentication Dial-In User Service. RADIUS is an open standard, meaning that all vendors can use it in their AAA implementations. One main difference between RADIUS and TACACS+ is that RADIUS encrypts only the password and sends the rest of its packets as clear text over the network.


RADIUS uses UDP as its transport protocol while TACACS+ uses TCP. TCP has several advantages over UDP: TCP offers connection-oriented transport, while UDP offers best-effort delivery. RADIUS therefore needs additional variables such as retransmit attempts and timeouts to compensate for best-effort transport, and it lacks the level of built-in support that a TCP transport offers:

  • TCP provides separate acknowledgment within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  • TCP provides immediate indication of a crashed, or not running, server by a reset (RST).
  • Using TCP keepalives, server crashes can be detected out-of-band with actual requests.
  • Connections to multiple servers can be maintained simultaneously.
  • TCP is more scalable and adapts to growing, as well as congested, networks.

Packet Encryption

RADIUS encrypts only the password in the Access-Request packet sent from the client to the server. The remainder of the packet is unencrypted, so the other information can be captured by a third party.

TACACS+ encrypts the entire body of the packet but leaves the standard TACACS+ header in the clear. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted; during normal operation, however, the body of the packet is fully encrypted for more secure communication.
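The following Python script is an added illustration of the packet-encryption difference described above and is not part of the original chapter. It builds a RADIUS Access-Request whose User-Password is hidden as specified in RFC 2865 while User-Name travels in clear text, and a TACACS+ packet whose whole body is obfuscated with the RFC 8907 pseudo-pad under a 12-byte cleartext header; the shared secret, username, password, session ID and the START body excerpt are constructed sample values.

```python
import hashlib
import os
import struct

# ---- RADIUS: only User-Password is hidden (RFC 2865, section 5.2) ----

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password to a multiple of 16 bytes, then XOR each 16-byte block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block                      # chaining on the ciphertext block
    return hidden

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert radius_hide_password (trailing NUL padding is stripped)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username: str, password: str, secret: bytes, identifier: int = 1) -> bytes:
    """Access-Request (Code 1): 20-byte header holding the random Request Authenticator,
    then User-Name (attribute 1) in clear text and User-Password (attribute 2) hidden."""
    authenticator = os.urandom(16)
    attrs = radius_attr(1, username.encode()) + \
        radius_attr(2, radius_hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def radius_attributes(packet: bytes) -> dict:
    """Walk the attribute list exactly as an on-path observer without the secret could."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

# ---- TACACS+: whole body obfuscated, 12-byte header in the clear (RFC 8907, section 4.5) ----

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 | MD5_2 | ... with MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it a second time restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                        version: int = 0xC0, pkt_type: int = 1) -> bytes:
    """Header: version (major 0xC, minor 0), type (1 = authentication), seq_no, flags,
    session_id, length. Flag bit 0 (TAC_PLUS_UNENCRYPTED_FLAG) stays clear: body is obfuscated."""
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, 0x00, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)

def observer_view(secret: bytes = b"SharedSecret123", username: str = "netadmin",
                  password: str = "R0uter!", session_id: int = 0x1234ABCD) -> dict:
    """Constructed demo: what an on-path observer without the secret learns from each
    protocol, and what the server recovers with it."""
    req = build_access_request(username, password, secret)
    attrs = radius_attributes(req)
    # Constructed stand-in for an authentication START body that carries the username.
    start_body = b"\x01\x01\x01\x01" + username.encode()
    tac = build_tacacs_packet(start_body, secret, session_id)
    return {
        "radius_username_in_clear": attrs[1].decode(),
        "radius_password_in_clear": password.encode() in attrs[2],
        "radius_password_at_server": radius_reveal_password(attrs[2], secret, req[4:20]).decode(),
        "tacacs_username_in_clear": username.encode() in tac[12:],
        "tacacs_body_at_server": tacacs_obfuscate(tac[12:], session_id, secret, 0xC0, 1),
    }
```

Both schemes are MD5 keystreams driven by the shared secret, so the secret's strength and the confidentiality of the link between NAS and AAA server are what actually protect these exchanges.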

Authentication and Authorization

RADIUS combines authentication and authorization processes. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Multiprotocol Support

RADIUS does not support these protocols:

  • AppleTalk Remote Access (ARA) protocol
  • NetBIOS Frame Protocol Control protocol
  • Novell Asynchronous Services Interface (NASI)
  • X.25 PAD connection

TACACS+ offers multiprotocol support.

Router Management

RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.

TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.


Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.

Active Directory (AD)

In a network, keeping track of everything is a very difficult and time-consuming task. If the network is wide enough, it becomes impossible to manage and find resources on it. Microsoft Windows 2000 Server introduced Active Directory (AD) to replace the earlier domain functionality. Active Directory is like a phone book: as a phone book stores information such as name, contact number and business, Active Directory stores information about the organization, sites, systems, users, shares and much more. It is much more flexible as well, and is the more efficient way to perform these tasks. Another advantage of Active Directory is that it can be replicated between multiple domain controllers.

Components of Active Directory:

  • Name space or Console tree:

Active Directory, as defined above, stores information about multiple users and allows clients to find objects within the namespace or console tree. The namespace or console tree is like DNS: as DNS resolves hostnames to IP addresses, the namespace resolves the names of network objects to the objects themselves.

  • Object:

An object may be a user, resource or system that can be tracked within Active Directory. Objects can share common attributes.

  • Attributes:

In Active Directory, attributes describe objects: username, full name, description, hostname, IP address, location, etc. Which attributes apply depends on the type of object.

  • Schema:

The Schema is the set of attributes for any particular object type. It differentiates object classes from each other.

  • Name:

Each object has a name. These are LDAP distinguished names. LDAP distinguished names allow any object within a directory to be identified uniquely regardless of its type.

  • Site:

Sites correspond to logical IP subnets, and as such, they can be used by applications to locate the closest server on a network. Using site information from Active Directory can profoundly reduce the traffic on wide area networks.

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is an open-standard application protocol for accessing and maintaining distributed directory information services. A directory service plays an important role by allowing information about users, systems, networks, services, etc. to be shared throughout the network. LDAP provides a central place to store usernames and passwords; applications and services connect to the LDAP server to validate users.

Identity Management

Identity Stores:

An identity store is a store or database used to authenticate users or endpoints. It may reside in the AAA server itself (internal identity store), or an additional external database (external identity store) can be connected. Identity stores can also supply the attributes required by authorization policies.

  • Internal Identity Store

An internal identity store is a local database used for internal username and password accounts; for example, Cisco ISE has an internal user database. User accounts stored in the internal user database are referred to as internal users. The internal user database can be used as an internal identity store for local authentication and authorization policies.

  • External Identity Store

External identity stores are external databases used to authenticate internal and external users. Examples are LDAP, Active Directory, RSA SecurID Token Server and RADIUS Identity Server. Attributes and configuration parameters can be defined on the user records of an external identity store.

Other Identity stores Options:

One-Time passwords:

OTP stands for One-Time Password. An OTP is valid for a single use, for example a login, sign-up or transaction from a device. Due to its one-time validity it is more secure than ordinary password-based authentication: OTPs are not vulnerable to replay attacks, and they also ensure that sessions are not intercepted or impersonated. One-time passwords are made difficult to memorize or decode in order to make them stronger. They depend on pseudo-random algorithms and hash functions, which are very hard to reverse, making it difficult for attackers to obtain the data used for hashing. Generation of a one-time password may use any of these approaches:

  • Time-Synchronization (Valid for short interval)
  • Algorithm to generate new password based on previous password (Predefined Order)
  • Algorithm to generate new password based on a challenge. (Random number)

To send the user a new OTP, several channels can be used, such as security tokens, software, out-of-band channels, etc.
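As an added example that is not part of the original chapter, the Python below implements the three OTP generation approaches listed above, each with the server-side check that rejects a replayed code: a time-synchronised code (HOTP per RFC 4226 driven by a 30-second counter per RFC 6238), a predefined-order hash chain in the style of S/KEY, and a challenge-based response over a random nonce. The seeds, secrets and timestamps are constructed sample values; the RFC 6238 test-vector secret is used only so the time-based codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct

# ---- 1. Time-synchronised OTP: HOTP (RFC 4226) driven by a time counter (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, then the low decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Token side: the code is only valid for one time step (30 seconds by default)."""
    return hotp(secret, int(at // step), digits)

class TotpVerifier:
    """Server side: accepts a code for the current or an adjacent step, but each step only once."""
    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1                     # replay guard: highest counter already used

    def verify(self, code: str, at: float) -> bool:
        counter = int(at // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

# ---- 2. Predefined order: each password is the hash preimage of the previous one (S/KEY style) ----

class HashChainOtp:
    def __init__(self, seed: bytes, n: int):
        chain = [seed]
        for _ in range(n):
            chain.append(hashlib.sha256(chain[-1]).digest())
        self.server_value = chain[-1]              # server stores only h^n(seed)
        self.client_queue = chain[-2::-1]          # client presents h^(n-1), h^(n-2), ..., seed

    def next_password(self) -> bytes:
        return self.client_queue.pop(0)

    def server_verify(self, presented: bytes) -> bool:
        """Accept only the preimage of the stored value, then ratchet so it cannot be replayed."""
        if hashlib.sha256(presented).digest() != self.server_value:
            return False
        self.server_value = presented
        return True

# ---- 3. Challenge-based: the server sends a fresh random nonce, the token answers with a MAC ----

def challenge_response(secret: bytes, challenge: bytes) -> str:
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]

class ChallengeServer:
    def __init__(self, secret: bytes):
        self.secret, self.outstanding = secret, None

    def issue(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response: str) -> bool:
        if self.outstanding is None:
            return False
        ok = hmac.compare_digest(challenge_response(self.secret, self.outstanding), response)
        self.outstanding = None                    # one challenge, one answer: a replay is rejected
        return ok
```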

Public Key Infrastructure (PKI)

Figure 1-4. PKI

Public-key cryptography is also called asymmetric-key cryptography. In public key cryptography a key pair is used to encrypt and decrypt content: the two keys are named the public key and the private key. The public and private keys are related to each other so that data encrypted with one key can only be decrypted with the other. The public key can be distributed freely, while the private key must be kept secure and secret. Anyone who wants to communicate with another party encrypts the content with the public key of the receiver, and the receiver decrypts the content with its private key. A Public Key Infrastructure (PKI) depends on both software and hardware. A trusted third party, called a Certificate Authority (CA), is used to vouch for the integrity and ownership of public keys. This Certificate Authority issues encrypted, signed binary certificates.

Certification Authority: Acts as the root of trust in a public key infrastructure and provides services that authenticate the identity of individuals, computers and other entities in a network.

Registration Authority: Is certified by a root CA to issue certificates for specific uses permitted by the root. In a Microsoft PKI, a registration authority (RA) is usually called a subordinate CA.

Certificate Database: Saves certificate requests, and issued and revoked certificates, on the CA or RA.

Certificate Store: Saves issued certificates and pending or rejected certificate requests on the local computer.

Key Archival Server: Saves encrypted private keys in the certificate database for recovery after loss.

Table 2. Elements of PKI

Implement Accounting:

In the AAA model, accounting is also very important for security. The accounting command enables tracking of the commands, services and resources used by a user while accessing the network. Accounting is the measure of resources consumed by a user during access: it includes the amount of time and the amount of data the user has sent or received during a session. Accounting is carried out in the form of logs of session statistics and usage information. This accounting data is used for authorization control, analysis of resource utilization, billing and planning. It is also very helpful for troubleshooting when network devices are not functioning properly. An example is when someone accesses a network device and issues a wrong command that stops the device forwarding packets; the accounting logs will identify the user responsible for issuing that command. AAA accounting is disabled by default.

AAA Accounting Types

  • Network

To enable Accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARAP protocols), use the network keyword.

  • Exec

To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.

  • Commands

To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword.

  • Connection

To create a method list that provides accounting information about all outbound connections made from the network access server, use the connection keyword.

  • Resource

To create a method list that provides accounting records for calls that have passed user authentication or calls that failed to be authenticated, use the resource keyword.

Accounting Commands

Generates records when the client is authenticated and again after the client disconnects:

Router(config)# aaa accounting network default start-stop group radius local

Generates a record only when the client disconnects:

Router(config)# aaa accounting network default stop group radius local

Generates stop records for authentication and negotiation failures:

Router(config)# aaa accounting send stop-record authentication failure

Enables full resource accounting:

Router(config)# aaa accounting resource start-stop

Wired/Wireless 802.1x

802.1x Port-Based Authentication

IEEE 802.1x is a port-based authentication standard. Port-based authentication prevents unauthorized users or client devices from accessing the network; the client may be wired or wireless. 802.1x is a client/server authentication protocol that prevents or restricts unauthorized supplicants (clients) from accessing the network by connecting to the LAN through publicly accessible ports. The authentication server (RADIUS) validates each client connected to a publicly accessible port of the authenticator switch, also called the Network Access Switch (NAS), before permitting access. 802.1x authentication requires an authentication server configured for Remote Authentication Dial-In User Service (RADIUS), and the switch must be able to communicate with the authentication server. Once a client is successfully authenticated, normal traffic can pass through the port.

Figure 1-5. 802.1x Devices role


The client, also known as the supplicant, is one of the roles in 802.1x port-based authentication. The client is the workstation connected through the Network Access Switch (NAS) to the LAN that requests access to network resources. This workstation must run 802.1x client software.


The authenticator is the device that authenticates the client in order to permit or restrict its use of network resources. Normally the Network Access Switch (NAS) plays the role of authenticator. The authenticator controls the client's access depending on the status of authentication: the switch receives the request from the client and forwards the identity information to the authentication server, which validates and verifies it. The switch encapsulates and de-encapsulates Extensible Authentication Protocol (EAP) frames to communicate with the RADIUS authentication server.

Enabling Router for Dot1x Authentication

Router# configure terminal

Router(config)# aaa new-model

Router(config)# aaa authentication dot1x default group radius

Router(config)# dot1x system-auth-control

Router(config)# interface [Interface-name]

Router(config-if)# dot1x port-control auto

Router(config-if)# end

Authentication Server:

The authentication server (RADIUS) performs the actual authentication of the supplicant or client. It checks the identity of the client and, if verified, allows the user by informing the switch that this client is authorized to access the LAN. (The only supported authentication server is RADIUS with EAP extensions.)

Configuring RADIUS server on Router

Router# configure terminal

Router(config)# ip radius source-interface [Source-Interface]

Router(config)# radius-server host [Server-IP Address]

Router(config)# radius-server key [Server-Key]

Router(config)# end

Attribute-Value (AV) Pairs

The information about 802.1x authentication that the authenticator sends to the authentication server is represented as Attribute-Value Pairs (AV pairs). These AV pairs provide information for different applications to use. An authenticator switch configured for accounting sends these AV pairs. The three types of RADIUS accounting packets are:

START   –  Sent when a new user session starts

INTERIM –  Sent during a session for updates

STOP    –  Sent when the session terminates

Attribute Number   AV Pair Name           START      INTERIM    STOP
Attribute [1]      User-Name              Always     Always     Always
Attribute [4]      NAS-IP-Address         Always     Always     Always
Attribute [5]      NAS-Port               Always     Always     Always
Attribute [6]      Service-Type           Always     Always     Always
Attribute [8]      Framed-IP-Address      Never      Sometimes  Sometimes
Attribute [25]     Class                  Always     Always     Always
Attribute [30]     Called-Station-ID      Always     Always     Always
Attribute [31]     Calling-Station-ID     Always     Always     Always
Attribute [40]     Acct-Status-Type       Always     Always     Always
Attribute [41]     Acct-Delay-Time        Always     Always     Always
Attribute [42]     Acct-Input-Octets      Never      Always     Always
Attribute [43]     Acct-Output-Octets     Never      Always     Always
Attribute [44]     Acct-Session-ID        Always     Always     Always
Attribute [45]     Acct-Authentic         Always     Always     Always
Attribute [46]     Acct-Session-Time      Never      Never      Always
Attribute [47]     Acct-Input-Packets     Never      Always     Always
Attribute [48]     Acct-Output-Packets    Never      Always     Always
Attribute [49]     Acct-Terminate-Cause   Never      Never      Always
Attribute [61]     NAS-Port-Type          Always     Always     Always

Table 3. Accounting AV pairs
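The Python below is an added example, not part of the original chapter, of turning Table 3 into a check over exported accounting records: each record is validated against the attributes the table marks "Always" for its packet type, and START/STOP records are paired by Acct-Session-ID so that sessions with no STOP, or a STOP with no START, stand out. The record lines, their 'Attr=value' format and all values are constructed for this example (the attribute names follow Table 3, and the Acct-Status-Type values Start, Interim-Update and Stop are the standard names for the START, INTERIM and STOP packets).

```python
# Attributes Table 3 marks "Always" for every accounting packet type.
COMMON = {
    "User-Name", "NAS-IP-Address", "NAS-Port", "Service-Type", "Class",
    "Called-Station-ID", "Calling-Station-ID", "Acct-Status-Type", "Acct-Delay-Time",
    "Acct-Session-ID", "Acct-Authentic", "NAS-Port-Type",
}
COUNTERS = {"Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets", "Acct-Output-Packets"}

REQUIRED = {
    "Start": COMMON,
    "Interim-Update": COMMON | COUNTERS,
    "Stop": COMMON | COUNTERS | {"Acct-Session-Time", "Acct-Terminate-Cause"},
}

def parse_record(line: str) -> dict:
    """One accounting record as 'Attr=value,Attr=value' (constructed log format, not the wire format)."""
    return dict(item.split("=", 1) for item in line.split(","))

def check_record(rec: dict) -> list:
    """Report every attribute Table 3 says must be present for this packet type but is absent."""
    status = rec.get("Acct-Status-Type")
    if status not in REQUIRED:
        return [f"unknown Acct-Status-Type {status!r}"]
    return [f"missing {attr}" for attr in sorted(REQUIRED[status] - set(rec))]

def audit(lines) -> tuple:
    """Validate each record and pair Start/Stop by Acct-Session-ID.
    Returns ({record number: [issues]}, [session IDs still open at the end of the log])."""
    problems, open_sessions = {}, {}
    for number, line in enumerate(lines, start=1):
        rec = parse_record(line)
        issues = check_record(rec)
        sid, status = rec.get("Acct-Session-ID"), rec.get("Acct-Status-Type")
        if status == "Start":
            if sid in open_sessions:
                issues.append("duplicate Start for an open session")
            open_sessions[sid] = number
        elif status == "Interim-Update" and sid not in open_sessions:
            issues.append("Interim-Update for a session with no Start")
        elif status == "Stop":
            if open_sessions.pop(sid, None) is None:
                issues.append("Stop without matching Start")
        if issues:
            problems[number] = issues
    return problems, sorted(open_sessions)

# Constructed sample records: every value below is made up for this example.
BASE = ("User-Name=alice,NAS-IP-Address=10.0.0.2,NAS-Port=5,Service-Type=Framed-User,"
        "Class=policy-A,Called-Station-ID=00-11-22-33-44-55,Calling-Station-ID=AA-BB-CC-DD-EE-FF,"
        "Acct-Delay-Time=0,Acct-Authentic=RADIUS,NAS-Port-Type=Ethernet")
SAMPLE_LINES = [
    BASE + ",Acct-Status-Type=Start,Acct-Session-ID=0001",
    BASE + ",Acct-Status-Type=Interim-Update,Acct-Session-ID=0001,Acct-Input-Octets=1200,"
           "Acct-Output-Octets=3400,Acct-Input-Packets=10,Acct-Output-Packets=12",
    # Stop record with Acct-Terminate-Cause left out: an incomplete audit trail
    BASE + ",Acct-Status-Type=Stop,Acct-Session-ID=0001,Acct-Input-Octets=5000,"
           "Acct-Output-Octets=9000,Acct-Input-Packets=40,Acct-Output-Packets=52,Acct-Session-Time=300",
    # Start that never receives a Stop: the session is still open at the end of the log
    BASE + ",Acct-Status-Type=Start,Acct-Session-ID=0002",
    # Stop for a session the log never saw start
    BASE + ",Acct-Status-Type=Stop,Acct-Session-ID=0003,Acct-Input-Octets=1,Acct-Output-Octets=1,"
           "Acct-Input-Packets=1,Acct-Output-Packets=1,Acct-Session-Time=5,Acct-Terminate-Cause=User-Request",
]

if __name__ == "__main__":
    found, still_open = audit(SAMPLE_LINES)
    for n, issues in sorted(found.items()):
        print(f"record {n}: {'; '.join(issues)}")
    print("sessions without a Stop:", still_open)
```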

Periodic Reauthentication

Router(config)# interface [Interface-name]

Router(config-if)# dot1x reauthentication

Router(config-if)# dot1x timeout reauth-period [Period]

Router(config-if)# end

Router# show dot1x all

Router-Client Transmission Time

Router(config)# interface [Interface-name]

Router(config-if)# dot1x timeout tx-period [Period]

Router(config-if)# end

Troubleshooting Dot1x from NAD

Router# show dot1x all

Extensible authentication protocol (EAP)

EAP-MD5 (Message Digest 5) Challenge is an EAP authentication type. EAP-MD5 provides base-level EAP support, but it is not recommended for Wi-Fi LAN implementations. It provides only one-way authentication: there is no mutual authentication of the Wi-Fi client and the network. It also does not provide a means to derive dynamic, per-session Wired Equivalent Privacy (WEP) keys.

EAP-TLS (Transport Layer Security) provides certificate-based and mutual authentication process between client and the network. EAP-TLS relies on certificates of client-side and server-side for authentication. It can dynamically generate user-based and session-based WEP keys to secure subsequent communications.

EAP-TTLS (Tunnelled Transport Layer Security) is an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or tunnel), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.

EAP-FAST (Flexible Authentication via Secure Tunnelling) achieves mutual authentication by means of a PAC (Protected Access Credential) instead of a certificate. The PAC can be managed dynamically by the authentication server, and it can be provisioned (distributed one time) to the client either manually or automatically.

Extensible Authentication Protocol Method for GSM Subscriber Identity (EAP-SIM) is a mechanism for authentication and session key distribution. EAP-SIM uses the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card that is used by Global System for Mobile Communications (GSM) based digital cellular networks.

EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.

LEAP (Lightweight Extensible Authentication Protocol) is an EAP authentication type used primarily in Cisco Aironet WLANs. It encrypts data transmissions using dynamically generated WEP keys and supports mutual authentication. Formerly proprietary, LEAP has been licensed by Cisco to a variety of other manufacturers through the Cisco Compatible Extensions program.

PEAP (Protected Extensible Authentication Protocol) provides a method to securely transport authentication data, including legacy password-based protocols, over 802.11 Wi-Fi networks. PEAP accomplishes this by tunnelling between PEAP clients and an authentication server. Like the competing standard Tunnelled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Microsoft, Cisco and RSA Security developed PEAP.

Lab 1.1: Configuring Dot1x Port-based Authentication Using Cisco ISE

Case Study:

In a small organizational network, the administrator is deploying 802.1X port-based authentication. A router is used as the Network Access Device (NAD) and the dot1x client is a Windows 7 PC. The lab requirement is to configure 802.1X port-based authentication with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for the Windows 7 client. The Cisco ISE internal datastore can be used as the user registry.

Topology Diagram:

Configuring Core Router

Router(config)#hostname Core-Router

Core-Router(config)#int fastethernet 1/0

Core-Router(config-if)#ip address

Core-Router(config-if)#no sh


*Mar  1 00:03:10.271: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up

*Mar  1 00:03:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

Core-Router(config)#int fastethernet 0/0

Core-Router(config-if)#ip add

Core-Router(config-if)#no sh


*Mar  1 00:03:56.663: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:03:57.663: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Core-Router(config)#int fastethernet 0/1

Core-Router(config-if)#ip address

Core-Router(config-if)#no sh


*Mar  1 00:04:12.211: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:04:12.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Core-Router(config)#int fa 2/0

Core-Router(config-if)#ip address

Core-Router(config-if)#no sh


*Mar  1 00:04:32.201: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up

*Mar  1 00:04:32.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to up

Core-Router(config)#router eigrp 10

Core-Router(config-router)# network

Core-Router(config-router)# network

Core-Router(config-router)# network

Core-Router(config-router)# network

Core-Router(config-router)# no auto-summary



Configuring NAD Router

Router(config)#hostname NAD

NAD(config)#interface fastethernet 0/0

NAD(config-if)#ip add

NAD(config-if)#no shutdown


*Mar  1 00:10:27.383: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

*Mar  1 00:10:28.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

NAD(config)#interface fastethernet 0/1

NAD(config-if)#ip address

NAD(config-if)#no sh


*Mar  1 00:10:57.895: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar  1 00:10:58.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

NAD(config)#router eigrp 10




NAD(config-router)#no auto-summary


NAD(config)#interface loopback 0

*Mar  1 00:11:28.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

NAD(config-if)#ip address


NAD(config)#aaa new-model

NAD(config)#aaa authentication dot1x default group radius

NAD(config)#dot1x system-auth-control

NAD(config)#ip radius source-interface loopback 0

NAD(config)#radius-server host

NAD(config)#radius-server key cisco123

NAD(config)#interface FastEthernet0/1

NAD(config-if)#dot1x ?

credentials       Credentials profile configuration

default           Configure Dot1x with default values for this port

host-mode         Set the Host mode for 802.1x on this interface

max-reauth-req    Max No.of Reauthentication Attempts

max-req           Max No.of Retries

max-start         Max No. of EAPOL-Start requests

pae               Set 802.1x interface pae type

port-control      set the port-control value

reauthentication  Enable or Disable Reauthentication for this port

timeout           Various Timeouts

NAD(config-if)#dot1x timeout reauth-period ?

<1-65535>  Enter a value between 1 and 65535

server     Obtain re-authentication timeout value from the server

NAD(config-if)#dot1x timeout reauth-period 4000

NAD(config-if)#dot1x port-control auto

NAD(config-if)#dot1x host-mode single-host

NAD(config-if)# dot1x reauthentication

NAD(config-if)# dot1x timeout tx-period 60

NAD(config-if)#dot1x pae authenticator
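As an added example (not part of the original lab), a small Python audit of the NAD configuration above: it parses an IOS-style config and reports when any of the lab's global dot1x commands or the RADIUS server is missing, when an 802.1X port is not set to port-control auto (force-authorized silently opens the port), and when a reauth-period is set without dot1x reauthentication, since the timer only applies when periodic reauthentication is enabled. The config text and the 192.0.2.10 address are constructed placeholders.

```python
# Constructed sample (not from the lab router): lab global dot1x commands, placeholder RADIUS address, weak vs lab-conformant port.
GLOBAL_PART = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10
"""
WEAK_PORT = """\
interface FastEthernet0/1
 dot1x pae authenticator
 dot1x port-control force-authorized
 dot1x timeout reauth-period 4000
"""
LAB_PORT = """\
interface FastEthernet0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 4000
"""
REQUIRED_GLOBAL = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "dot1x system-auth-control", "radius-server host")
def parse_config(text):
    # Split an IOS config into global commands and {interface: [subcommands]}.
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:  # an unindented line ends the interface section
            cur = None
            glob.append(line.strip())
    return glob, ifaces
def audit_dot1x(text):
    """Return findings; an empty list means every setting the lab relies on is present."""
    glob, ifaces = parse_config(text)
    out = [f"missing global command: {c}" for c in REQUIRED_GLOBAL
           if not any(g.startswith(c) for g in glob)]
    for name, sub in ifaces.items():
        if not any(s.startswith("dot1x ") for s in sub):
            continue  # not an 802.1X port, nothing to check
        if "dot1x port-control auto" not in sub:
            out.append(f"{name}: port-control is not 'auto', so 802.1X is not enforced")
        if any(s.startswith("dot1x timeout reauth-period") for s in sub) \
                and "dot1x reauthentication" not in sub:
            out.append(f"{name}: reauth-period is set but 'dot1x reauthentication' is off")
    return out
```

Running audit_dot1x(GLOBAL_PART + WEAK_PORT) reports both port findings, while GLOBAL_PART + LAB_PORT returns no findings.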


Configuring Cisco ISE

Go to the Management-Station and check whether the IP address is properly configured. If not, set the IP address to /30 and the gateway as shown in the figure below.

Now check the connectivity between the Management-Station and the ISE server by pinging.