802.1x, EX2200, NPS and all-all-all ...
The idea of using 802.1x as a means to combat unauthorized access to the network is not new. Each of us must have come across a courier from the delivery service, who has a patchcord from the sleeve of his signature jacket, and you can already see how he, noticing a free RJ-45 outlet, rushes to her and…
However, if in the general concept of use and 802.1x configuration with RADIUS authorization is beaten and simple, in this case there was an incident, the solution of which I propose below.
Given:
A separate FineGrainedPasswordPolicy has been created for departments or security groups containing these devices in order to be able to set passwords that do not meet security standards.
Original config for 802.1x on EX2200:
All workstations are logged in without any problems, but any of the above riffraffs is not. Wireshark persistently showed that NPS sends an Access-Reject with EAP code 4, which, as is well known in narrow circles, means Failure.
Informative, however, as always ... The
protocol used by supplicant for mac-radius authentication, the default is EAP-MD5.
There are more options for PEAP and PAP.
PEAP is not available for EX2200.
We try to configure PAP. In plain text, of course, I didn’t really want to, but, for not having the best, we drive in the cherished team
and (drum roll) - Syntax error - Juniper helpfully informs us.
During fights, threats with a soldering iron and other repressive measures, the Juniper site suggested that this option is available only for firmware from the 15.1 release.
It would seem, here it is, the solution. But no, the same Juniper not only recommends, but also in every possible way protects customers from such lewdness as firmware 15.1 on EX2200. Grit, utilization of the CPU and RAM is above the norm, therefore 12.3 is the ceiling of the JunOS version for the lucky owners of EX2200.
OK, we will deal with the protocol that sends the switch data to the NPS.
So it turned out that by default he sends them to eap-md5, which one? - correctly, disabled in Windows Server, starting already with the 2008 release - they say, non-securized. Several queries to Google give the desired result - a reg-file that includes the protocol we need.
However, the NPS persistently responds to requests from printers and other Access-Rejects .
He took out cigarettes, remembered that he had quit, hid ...
Google, who else in the world ... But no, this is from another opera ...
Ok, Google? 802.1x MAC authentication with NPS RADIUS
After a few pages of Google, on the forum ubnt found the desired. It is necessary to include several parameters for credentials of devices, then recreate passwords and - voila - Miracle. Moreover, it turned out even better than expected. Eap-md5, of course, is not God's message, but still better than plain text.
The resulting config, settings and screenshots of the policy under the spoiler.
Total:
List of guidelines, tutorials and resources:
Juniper recommendations for software version on EX2200
EAP-PAP support on Juniper devices for MAC RADIUS Authentication
Community UBNT, which gave the last kick in the right direction
However, if in the general concept of use and 802.1x configuration with RADIUS authorization is beaten and simple, in this case there was an incident, the solution of which I propose below.
Given:
- Access switch - EX2200, JunOS 12.3R2.
- RADIUS server based on NPS Windows Server 2012R2.
- A diverse zoo of devices of the form - TVs, AppleTV, printers and other small network animals, unable as normal and adequate members of the network to authenticate with certificates or PEAP. For each of the devices in Active Directory, its own account in the corresponding OU with sAMAccountName = MAC (in lower case, without division signs), password = sAMAccountName.
A separate FineGrainedPasswordPolicy has been created for departments or security groups containing these devices in order to be able to set passwords that do not meet security standards.
Original config for 802.1x on EX2200:
//set actual interfaces
set interfaces interface-range ACCESS_PORTS member "ge-0/0/[0-40]"
// Config interface range as L2 ports
set interfaces interface-range ACCESS_PORTS unit 0 family ethernet-switching
set protocols dot1x authenticator authentication-profile-name dynamicvlan
set protocols dot1x authenticator radius-options use-vlan-id
set protocols dot1x authenticator interface ACCESS_PORTS supplicant single
set protocols dot1x authenticator interface ACCESS_PORTS transmit-period 10
set protocols dot1x authenticator interface ACCESS_PORTS retries 0
set protocols dot1x authenticator interface ACCESS_PORTS mac-radius
set protocols dot1x authenticator interface ACCESS_PORTS supplicant-timeout 10
//set actual reject-vlan and fail-vlan
set protocols dot1x authenticator interface ACCESS_PORTS server-reject-vlan default
set protocols dot1x authenticator interface ACCESS_PORTS server-fail vlan-name default
set protocols dot1x authenticator interface ACCESS_PORTS guest-vlan default
//set actual password
set access radius-server 172.17.x.x secret "xxx"
set access profile dynamicvlan authentication-order radius
set access profile dynamicvlan radius authentication-server 172.17.x.x
All workstations are logged in without any problems, but any of the above riffraffs is not. Wireshark persistently showed that NPS sends an Access-Reject with EAP code 4, which, as is well known in narrow circles, means Failure.
Informative, however, as always ... The
protocol used by supplicant for mac-radius authentication, the default is EAP-MD5.
There are more options for PEAP and PAP.
PEAP is not available for EX2200.
We try to configure PAP. In plain text, of course, I didn’t really want to, but, for not having the best, we drive in the cherished team
set protocols dot1x authenticator interface ACCESS_PORTS mac-radius authentication-protocol pap
and (drum roll) - Syntax error - Juniper helpfully informs us.
During fights, threats with a soldering iron and other repressive measures, the Juniper site suggested that this option is available only for firmware from the 15.1 release.
It would seem, here it is, the solution. But no, the same Juniper not only recommends, but also in every possible way protects customers from such lewdness as firmware 15.1 on EX2200. Grit, utilization of the CPU and RAM is above the norm, therefore 12.3 is the ceiling of the JunOS version for the lucky owners of EX2200.
OK, we will deal with the protocol that sends the switch data to the NPS.
So it turned out that by default he sends them to eap-md5, which one? - correctly, disabled in Windows Server, starting already with the 2008 release - they say, non-securized. Several queries to Google give the desired result - a reg-file that includes the protocol we need.
However, the NPS persistently responds to requests from printers and other Access-Rejects .
He took out cigarettes, remembered that he had quit, hid ...
Google, who else in the world ... But no, this is from another opera ...
Ok, Google? 802.1x MAC authentication with NPS RADIUS
After a few pages of Google, on the forum ubnt found the desired. It is necessary to include several parameters for credentials of devices, then recreate passwords and - voila - Miracle. Moreover, it turned out even better than expected. Eap-md5, of course, is not God's message, but still better than plain text.
The resulting config, settings and screenshots of the policy under the spoiler.
EX2200 configuration, NPS policy
The magic reg-file that includes support for EAP-MD5 in Windows Server 2012 R2
After making changes to the registry, you must restart the NPS service.
The script that exposes the necessary settings for accounts of devices:
По сути, он выставляет параметры эквивалентно скриншоту. Но, одно дело — проставить для пары девайсов, и совсем другое — когда у тебя их более -дцати. Также скрипт переустанавливает пароль для учетной записи девайса, что есть необходимо после включения обратимого шифрования.
Настройки политики NPS:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4]
"RolesSupported"=dword:0000000a
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001After making changes to the registry, you must restart the NPS service.
Stop-Service IAS
Start-Service IASThe script that exposes the necessary settings for accounts of devices:
$devices=Get-ADUser -SearchBase "ou=802.1x-groups,ou=devices_groups,dc=company,dc=local" -Filter *
foreach ($device in $devices) {
set-aduser -Identity $device.name -UserPrincipalName ($device.name+"@company.local") -PasswordNeverExpires $true -AllowReversiblePasswordEncryption $true -CannotChangePassword $true
Set-ADAccountPassword -Identity $device.name -NewPassword (ConvertTo-SecureString -AsPlainText $device.name -force)
}По сути, он выставляет параметры эквивалентно скриншоту. Но, одно дело — проставить для пары девайсов, и совсем другое — когда у тебя их более -дцати. Также скрипт переустанавливает пароль для учетной записи девайса, что есть необходимо после включения обратимого шифрования.
Настройки политики NPS:
- Указываем группу с девайсами и тип порта.
- После манипуляций с реестром в списке доступных протоколов появляется наш заветный MD5-Challenge. Его и выбираем.
- Оставшиеся настройки выставляем, исходя из требований логической реализации. Ничем не отличается от стандартной настройки RADIUS + 802.1x.
Total:
- Network devices, such as TVs, Apple TV, printers are authenticated to 802.1x and group membership.
- Passwords are not transmitted in the clear, but somehow it is encrypted.
List of guidelines, tutorials and resources:
Juniper recommendations for software version on EX2200
EAP-PAP support on Juniper devices for MAC RADIUS Authentication
Community UBNT, which gave the last kick in the right direction