EMAIL SUPPORT
dclessons@dclessons.comLOCATION
AFSecure Host Onboarding in Enterprise
Secure Host Onboarding in Enterprise
This section will talk about different host onboarding technique in SD-Access fabric and well defined approach towards Cisco Zero Trust Model.
End Point Host Mode in 802.1X
802.1X is the port-based authentication method that restricts unauthorized clients from connecting to LAN through publicly accessible ports. An Authentication server validates each client (suppliant) who is just connected to network access device (authenticator) port before making any services available to that client. Once Client is successfully validated or authenticated, 802.1X enabled port goes to authorize state. And if client is not authenticated port goes to unauthorized state.
802.1X port can be configured by four different method, lets discuss each method one by one.
Single Host Mode
In this only one MAC is allowed on switch port. The switch authenticates the port and keeps it in authorize state. If any second MAC is detected, port goes in Security Violation state. It is used when we have strict restriction of connecting only one device on one port.
Multi-Host mode
In this the First Mac is authenticated and all other subsequent MAC’s bypass the authentication and piggyback on first MAC address authentication.
Multi-Domain Mode
In this mode , when PC is connected behind IP Phone and IP phone is connected to port , both IP Phone and PC are authenticate independently making two different domains. Even though they are conenct3d to same port, IP Phone are kept in Voice VLAN and PC are kept in Data Vlan.
Multi-Auth Mode
In this One Client is allowed on Voice VLAN whereas multiple client are authenticated on Data Vlan. DNA Center by default provision multi-auth mode on all 802.1X enabled ports.
802.1X Phased Deployment
AN end goal of Enterprise to design network that uses 802.1X authentication for every client. And this can be achieved or done in phased approach.
Let’s talk about phased approach in which there are two phases defined for 802.1X implementation.
Phase 1: Monitor or Visibility Mode
In this mode, when user is connected, irrespective of its authentication status, Port are open authentication and traffic is allowed.
Below figure shows that before authentication and after authentication all traffic is permitted. Even though user authentication fails, user is able is to access file servers and rest of the resources available on the network.
Below command enable monitor mode on the port:
interface GigabitEthernet1/0/10 switchport access vlan 111 switchport mode access switchport voice vlan 112 authentication host-mode multi-auth authentication open -----------------> enables Monitor mode authentication port-control auto mab -----------------> enables MAB dot1x pae authenticator -----------------> enables 802.1X
Phase 2 (a): Low-Impact Mode
This phase has two modes, one is Low-Impact mode and another one is Closed Mode. When the ACL is applied to switch port when Security framework is monitor mode, when then allow very limited network access prior to authentication. Once user or device successfully authenticated, then they get full Network access. Below figure shoes port behavior with low-impact mode.
The ACL is configured statically on Switch Access Port, when the authentication & Authorization is successful, policies are pushed down to inform of dACL which are configured on ISE.
Phase 2 (b): Closed Mode:
This mode provides total control over switch-level network access. In this mode, Switch port does not allow any traffic except EAP over LAN (EAPoL) until fully authentication success.
Below figure shows the port behavior with closed mode.
This mode is very much suitable for SD-Access deployment because no default VLAN is assigned at the port level.
Below configuration shows 802.1X port configuration in closed mode.
int GigabitEthernet1/6 switchport access vlan 21 switchport mode access switchport voice vlan 21 no authentication open -------------> enables Closed Mode. authentication periodic authentication timer reauthenticate server authentication port-control auto mab dot1x pae authenticator
Host Onboarding with Cisco DNA Center
Comment
TABLE OF CONTENTS
- How to add Site, Floor & Building
- How to Create Wireless Network Profile
- How to Provision a Device to New Site
- How to do ZTP via PnP of New Device
- How to Configure Multi-Site Remote Border
- How to Configure Fabric In Box Configuration
- How to Perform SWIM Action
- How to Configure Device RMA
- How to Create Virtual Network
- How to Create Group Based Access Control Policies
- How to Create Access Contract
- How to work on Policy Analytics
- How to do AI Endpoint Analytics
- Learn Overall Health of Network Devices & Health Score
- Learn how to visualize the Over all health of Wireless Client
- Learn how to Application Analysis via DNA
- How to analyse the Sensors Performance Testing
- Management of Industrial Extended Network
- How to Configure Security for IOT
- How to Create Template for IOT Network
- How to Create Network Profile
RECENT POSTS
- Advancing Your Career with Cisco Data Center Mastery: A Comprehensive Guide to Nexus Training
- Securing Networks in the Digital Age: Your Guide to Mastering Cisco Identity Services Engine (ISE)
- Becoming an AWS Solution Architect: Your Path to Cloud Expertise
- Navigating Your Journey to Docker Expertise: Master Docker with Comprehensive Training and Certification
- Transform Your Azure Networking Expertise Through AZ-700 Training
- Why Choose DClessons for Your SD-WAN Velocloud Training Needs
- Next-Level Networking: Unlocking Cisco ACI and DCACIA Potential with DClessons
- Mastering Data Center Technologies with DClessons: A Comprehensive Guide to Cisco CCIE Data Center Training
- Why Choose Cisco SD-WAN Solutions with DClessons?
- What is Docker and Why is It Important?
LEAVE A COMMENT
Please login here to comment.