9.2.3.6. Cisco
9.2.3.6.1. Generic
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Cisco/Generic
SNMP Traps Basic Configuration
If we want to use SNMP for visibility, we need to configure the following on the switch.
Note
Only recommended if 802.1x is not available on that network device.
In global configuration mode:
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.101.254 version 2c public
Configuring MAC Table
mac address-table notification change interval 0
mac address-table notification change
mac address-table aging-time 3600
To configure the interfaces that will send MAC-notification traps, in interface configuration mode:
Configuring access ports
interface range fast 0/4-8
snmp trap mac-notification change added
snmp trap mac-notification change removed
Configuring SNMP v3
To activate SNMP v3 on a Cisco switch you must create the group and the user that will be used to access the device.
AuthPriv
This method provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. In addition to authentication, it provides DES 56-bit encryption based on the Cipher Block Chaining (CBC)-DES (DES-56) standard. “preSharedKeyAuth” is the authentication password (at most 64 characters) and “preSharedKeyPriv” is the encryption password (at most 64 characters).
configure terminal
snmp-server group [Group-name] v3 priv write [v1default]
snmp-server user [User-name] [Group-name] v3 auth [md5|sha] [preSharedKeyAuth-string] priv des [preSharedKeyPriv-string]
end
AuthNoPriv
This method provides authentication based on the Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA algorithms. “preSharedKeyAuth” is the authentication password (at most 64 characters). There is no encryption in this method.
configure terminal
snmp-server group [Group-name] v3 auth write [v1default]
snmp-server user [User-name] [Group-name] v3 auth [md5|sha] [preSharedKeyAuth-string]
end
NoAuthNoPriv
This method uses a username match for authentication. There is no encryption in this method.
configure terminal
snmp-server group [Group-name] v3 noauth write [v1default]
snmp-server user [User-name] [Group-name] v3
end
Port SPAN Configuration
Select the interface to be used as the SPAN port.
In global configuration mode:
Select the source interface range to be monitored by the SPAN port, then select the destination SPAN port.
monitor session 1 source interface Fa0/3 - 8
monitor session 1 destination interface Fa0/2 encapsulation replicate
Note
Local SPAN and RSPAN destination ports behave differently regarding VLAN tagging and encapsulation:
For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are not specified, packets appear in the untagged format. Therefore, the output of a local SPAN session with encapsulation replicate enabled can contain a mixture of untagged, ISL, or IEEE 802.1Q-tagged packets.
For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.
The RSPAN (Remote SPAN) feature allows traffic sourced from one switch to be mirrored to a remote switch across a Layer 2 network over trunk ports. To accomplish this, you have to configure the RSPAN VLAN along the entire path between the switches.
RSPAN config:
Source Switch
In global configuration mode:
vlan <VLAN Number>
remote span
exit
monitor session <session_number> source interface fa0/<port_number>
monitor session <session_number> destination remote vlan <VLAN Number>
Destination Switch
In global configuration mode:
vlan <VLAN Number>
remote span
exit
monitor session <session_number> source remote vlan <VLAN Number>
monitor session <session_number> destination interface fa0/<port_number>
The session number must be different from the one used on the source switch.
OpenNAC Enterprise supports Cisco switches with VoIP using three different trap types:
linkUp/linkDown
MAC Notification
Port Security (with static MACs)
You also need to make sure that lldp or cdp notification is configured on all ports that will handle VoIP.
On some recent models, we can also use more secure and robust features like:
MAC Authentication (Cisco’s MAC Authentication Bypass or MAB)
802.1X (Multi-Host or Multi-Domain)
Depending on the switch model, we recommend using the most secure and reliable feature available first. In other words, consider the following order of preference:
802.1X/MAB
Port-Security
linkUp/linkDown
802.1x Basic Configuration
The first step is to configure the AAA authentication details, using the ON Core IP address that is reachable from the switch.
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
To define the RADIUS servers, enter the following. Remember to include one line with the IP of each of your ON Core servers.
radius-server host <ON Core_1 IP> auth-port 1812 acct-port 1813 test username monitor idle-time 5 key <key>
...
radius-server host <ON Core_n IP> auth-port 1812 acct-port 1813 test username monitor idle-time 5 key <key>
If we want to use CoA for the Toggle Port functionality, we need to configure the following lines. Remember to include one line with the IP of each of your ON Core servers. The key is defined in Configuration vars > NetDev under “Default CoA password”.
aaa server radius dynamic-author
client <ON Core_1 IP> server-key <key>
...
client <ON Core_n IP> server-key <key>
port 3799
We also need ip device tracking and dot1x system-auth-control (which enables IEEE 802.1x authentication globally on the switch).
ip device tracking
dot1x system-auth-control
If the Cisco IOS version is below 15.2(1)E, we also need the vsa commands. For 15.2(1)E and later, these commands are set by default.
radius-server vsa send accounting
radius-server vsa send authentication
For each port that will use 802.1x authentication, select the interface range where 802.1x will be enabled and set the 802.1x details as follows:
interface range fastethernet 0/x - 0/y
switchport access vlan <VLAN NUMBER>
switchport mode access
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication event server dead action authorize vlan <CRITICAL_VLAN>
authentication event server alive action reinitialize
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-req 3
spanning-tree portfast
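A check a defender can run over an exported running-config to catch access ports that miss one of the 802.1x/MAB lines above. This is an added example, not OpenNAC's own code; the config excerpt it parses is constructed for the demo.

```python
# Added example, not OpenNAC's own code: audit an exported running-config for the
# global and per-port 802.1x/MAB lines listed above. The excerpt below is
# constructed for the demo; port Fa0/2 is deliberately missing two commands.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""

REQUIRED_GLOBAL = ("aaa new-model", "dot1x system-auth-control",
                   "aaa authentication dot1x default group radius")
REQUIRED_PORT = ("authentication port-control auto", "authentication order dot1x mab",
                 "mab", "dot1x pae authenticator")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces

def audit(config):
    """List required settings missing globally and on each access port."""
    present = {line.strip() for line in config.splitlines()}
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in present]
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # only access ports are expected to run 802.1x here
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_PORT if c not in cmds]
    return findings
```

Feed it the output of show running-config and extend REQUIRED_PORT with the critical-VLAN and reauthentication lines you deploy.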
EAP-FAST Authentication Support
OpenNAC Enterprise supports Cisco NEAT through EAP-MD5, EAP-FAST, EAP-GTC and EAP-MSCHAPv2 authentication methods. Upon successful authentication against OpenNAC Enterprise, the authenticator switch will give trunk access to the supplicant switch.
The following configuration is derived from this official Cisco guide: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
The following configuration example contains required changes to be applied on both authenticator and supplicant switches to provide EAP-FAST authentication against OpenNAC Enterprise.
Authenticator
Global settings:
aaa group server radius openNAC
server <Radius_Server_IP> auth-port 1812 acct-port 1813 key <Radius_Shared_Key>
aaa authentication dot1x default group openNAC
aaa authorization network default group openNAC
cisp enable
Uplink configuration:
interface FastEthernet0/20
switchport mode access
authentication port-control auto
dot1x pae authenticator
Supplicant
Global settings (replace username and password):
cisp enable
eap profile EAP_PRO
method fast
dot1x credentials EAP_PRO
username changeit
password 7 ciphered_changeit
! Password must be changed
!
dot1x supplicant force-multicast
Uplink settings:
interface GigabitEthernet1/0/24
switchport mode trunk
dot1x pae supplicant
dot1x credentials EAP_PRO
dot1x supplicant eap profile EAP_PRO
9.2.3.6.2. 2900XL / 3500XL Series
Software: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Cisco/Generic
9.2.3.6.2.1. SNMP (linkUP/linkDown)
Global config settings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host <opennac-ip> trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
Interface configuration (without VoIP):
switchport mode access
switchport access vlan 4
snmp trap mac-notification added
Interface configuration (with VoIP):
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport mode trunk
switchport voice vlan 100
snmp trap mac-notification added
snmp trap mac-notification removed
9.2.3.6.3. 2950
Software: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Cisco/2950
These switches are supported using 802.1X on networks with or without VoIP. You can also use port-security with static MAC addresses, but a MAC cannot be secured on the data VLAN specifically. If there is no VoIP, use linkUp/linkDown and MAC notification; on setups that must handle VoIP with this switch, use an 802.1X configuration.
802.1X
Note
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
ip device tracking
dot1x system-auth-control
9.2.3.6.3.1. RADIUS Global Configuration
AAA configuration:
aaa new-model
aaa group server radius openNAC
server <Radius_Server_IP> auth-port 1812 acct-port 1813 key <Radius_Shared_Key>
aaa authentication login default local
aaa authentication dot1x default group openNAC
aaa authorization network default group openNAC
RADIUS server configuration:
radius-server host <Radius_Server_IP> auth-port 1812 acct-port 1813 timeout 2 key <Radius_Shared_Key>
radius-server vsa send authentication
Interface configuration (without VoIP):
switchport access vlan 4
switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
Interface configuration (with VoIP):
switchport access vlan 4
switchport mode access
switchport voice vlan 100
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
Port-Security
9.2.3.6.3.2. SNMP
Note
With port-security, if no MAC is connected to a port when port-security is activated, we secure a bogus MAC address on that port so the switch sends a trap when a new MAC appears. If a MAC is actually connected when you enable port-security, you must secure that MAC rather than the bogus one; otherwise, the connected device loses its connectivity immediately.
Global configuration (without VoIP):
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host <opennac-ip> version 2c public port-security
Interface configuration (without VoIP):
switchport mode access
switchport access vlan 4
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.00xx
where xx stands for the interface ifIndex.
Note
ifIndex mapping
Use the following ifIndex values for the interface in bogus MAC addresses (0200.0000.00xx):
Fa0/1 … Fa0/48 -> 1 … 48
Gi0/1, Gi0/2 -> 49, 50
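A helper that derives the bogus MAC from the ifIndex mapping above and emits the port-security stanza for each empty port. This is an added example, not OpenNAC's own tooling; it assumes the two-digit xx is the ifIndex written as zero-padded decimal digits, exactly as the mapping lists it.

```python
# Added example, not OpenNAC's own tooling: derive the bogus 0200.0000.00xx MAC
# from the ifIndex mapping above and emit the port-security stanza for a port.
# Assumption: the two-digit xx is the ifIndex written as zero-padded decimal
# digits, exactly as the mapping lists it (01 … 48, 49, 50).
import re

IFINDEX_BASE = {"Fa": 0, "Gi": 48}   # Gi0/1 and Gi0/2 follow Fa0/48 -> 49, 50
PORT_LIMIT = {"Fa": 48, "Gi": 2}

def ifindex(interface):
    """Map 'Fa0/7' -> 7 and 'Gi0/2' -> 50; None for anything outside the table."""
    m = re.fullmatch(r"(Fa|Gi)0/(\d+)", interface)
    if not m:
        return None
    prefix, port = m.group(1), int(m.group(2))
    if not 1 <= port <= PORT_LIMIT[prefix]:
        return None
    return IFINDEX_BASE[prefix] + port

def bogus_mac(interface):
    """Placeholder MAC for the port, e.g. 'Fa0/7' -> '0200.0000.0007'."""
    idx = ifindex(interface)
    if idx is None:
        raise ValueError(f"no ifIndex mapping for {interface}")
    return f"0200.0000.00{idx:02d}"

def port_security_stanza(interface, vlan=4):
    """The interface configuration from this section with the computed MAC."""
    return "\n".join([
        f"interface {interface}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
        " switchport port-security",
        " switchport port-security violation restrict",
        f" switchport port-security mac-address {bogus_mac(interface)}",
    ])

if __name__ == "__main__":
    # Print the stanza for every port in the mapping; review before pasting.
    for name in [f"Fa0/{n}" for n in range(1, 49)] + ["Gi0/1", "Gi0/2"]:
        print(port_security_stanza(name))
        print("!")
```

Only paste the generated stanza on ports with nothing connected; as the note above says, a port that already has a device must secure that device's real MAC instead.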
Global configuration (with VoIP):
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host <opennac-ip> trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
On each interface (with VoIP):
switchport voice vlan 100
switchport access vlan 4
switchport mode access
snmp trap mac-notification added
snmp trap mac-notification removed
9.2.3.6.4. 2960
Software: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Cisco/2960
9.2.3.6.4.1. RADIUS Global Configuration
AAA Configuration
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
dot1x system-auth-control
aaa server radius dynamic-author
client <IP_Core> server-key KOXN5Rg2iukejqqFk089
port 3799
Minimum time to mark a server as dead (minutes):
radius-server dead-criteria time 30 tries 2
IP Device Tracking
device-tracking policy <opennac_ip>
security-level glean
tracking enable
Core RADIUS server parameters
radius server core1
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
timeout 60
retransmit 10
key 0 testing123
automate-tester username monitor idle-time 2
end
radius server core2
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
timeout 60
retransmit 10
key 0 testing123
automate-tester username monitor idle-time 2
end
Interface range
interface <interface_id>
switchport mode access
switchport voice vlan NNN
device-tracking attach-policy <opennac_ip>
authentication event server dead action authorize vlan NNN
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
end
9.2.3.6.5. 9200
Software: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: Cisco/Generic
9.2.3.6.5.1. RADIUS Configuration
AAA Configuration
aaa new-model
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa server radius dynamic-author
client <IP_Core> server-key KOXN5Rg2iukejqqFk089
port 3799
IP Device Tracking
device-tracking policy <opennac_ip>
security-level glean
tracking enable
Minimum time to mark a server as dead (minutes):
radius-server dead-criteria time 30 tries 2
Core RADIUS server parameters
radius server core1
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
timeout 60
retransmit 10
key 0 testing123
automate-tester username monitor idle-time 2
end
radius server core2
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
timeout 60
retransmit 10
key 0 testing123
automate-tester username monitor idle-time 2
end
Interface range
interface <interface_id>
switchport mode access
switchport voice vlan NNN
device-tracking attach-policy <opennac_ip>
authentication event server dead action authorize vlan NNN
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
end