A Different Way to do 802.1X Authentication with Novell Client
Novell Cool Solutions: Feature
By Brett Littrell
Posted: 5 Oct 2007
We are a school district and have had many issues integrating 802.1X into our network.
Network login issues:
- A student types the wrong name or password and gets only a generic "No Tree or Server" error.
- Students mistype, forget, or simply don't enter their correct context and get the same generic "No Tree or Server" message.
- The Meetinghouse/Cisco client won't allow LDAP lookups that would visually confirm the correct username.
- When the Meetinghouse/Cisco client fails, it is hard to find out whether it was a user error, a system error, a supplicant error, etc.
- The Meetinghouse/Cisco way of doing the LDAP lookup did not work when Novell cached the context. If someone had logged in previously, the context info remained for the next login, but the supplicant would not do a lookup while the context field was populated, so people in different contexts had to clear the context fields before logging in.
- If you use Cisco ACS servers and users type in <username.context>, you have to tell the ACS to strip everything after ".". This causes a problem because Windows will send the format "username@computername" to the ACS after too many failed logins, but the ACS will only use one delimiter to cut off the excess user info. You either retrain people to press the Adv button and enter the correct context, or you restart the computer after that many failed logins.
I really liked the Novell LDAP lookup; it verified the username and populated the user context fields prior to login, so I came up with this workaround.
With Cisco Secure Services Client 4.05.2 and prior, the supplicant will allow the Novell Login to access the Guest network. You can tell your Cisco switch (and other switches too, I imagine) to open the port to the guest network right away. Then enter an access-list entry to allow the LDAP ports, 636 or 389, to query a read-only LDAP server. You can make a read-only LDAP server by enabling a proxy user on the LDAP server with read-only rights, or by giving the server a read-only partition and telling the LDAP server not to forward searches to other servers. The read-only partition suggestion is not researched; I just remember that at one time that was a way to do a read-only LDAP server.
So the config for the Cisco switch is as follows, for each 802.1X port:
switchport mode access
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x reauthentication
dot1x guest-vlan 10
dot1x auth-fail vlan 10
dot1x auth-fail max-attempts 1
spanning-tree portfast
The guest-vlan and the auth-fail VLANs are the same here, but you can make them different; you just have to make sure you enter access-list entries for each VLAN. The max-attempts and quiet-period values basically determine how long it takes before the switch pops the port onto the Guest/Auth-fail VLAN. With this config you are looking at about 1-2 seconds after the Novell login comes up.
The other entry is for the access-list, wherever you restrict access:
access-list 150 permit tcp 192.168.1.0 0.255.255.255 host 172.18.10.201 eq 389
access-list 150 permit tcp 192.168.1.0 0.255.255.255 host 172.18.10.201 eq 636
This allows stations on the Guest network to reach the LDAP server; it assumes you allow the returning traffic as well.
So now when a client comes up, they can type in their username, press Tab, and it will resolve the name and populate the context fields.
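The access-list is the only thing standing between an unauthenticated station on the guest VLAN and the rest of the network, so it is worth checking exactly what it admits before deploying it. The following Python script is an added example for this page (not code from the article or from Cisco): it parses the subset of IOS extended-ACL syntax the two entries above use, reports the source range each entry actually covers, and evaluates sample flows against the ACL with the implicit deny at the end. The addresses in the sample flows are constructed. Note that a wildcard of 0.255.255.255 marks the last three octets as "don't care", so the entries as written admit the whole 192.0.0.0/8 range; confirm the mask matches the real size of the guest VLAN.

```python
"""Offline evaluator for the subset of Cisco IOS extended-ACL syntax the
article uses: "access-list N permit|deny tcp SRC WILDCARD host DST eq PORT".
Added example for this page; not code from the article or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the article's two entries (with the stray ".0" that the
# page shows in the second source address removed so both lines parse).
ACL_TEXT = """
access-list 150 permit tcp 192.168.1.0 0.255.255.255 host 172.18.10.201 eq 389
access-list 150 permit tcp 192.168.1.0 0.255.255.255 host 172.18.10.201 eq 636
"""

ENTRY_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>[\d.]+)\s+(?P<wild>[\d.]+)\s+host\s+(?P<dst>[\d.]+)"
    r"(?:\s+eq\s+(?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src_net: int          # source network as a 32-bit integer
    src_wild: int         # wildcard mask: a set bit means "don't care"
    dst_host: int         # the single destination host after "host"
    port: Optional[int]   # destination port for "eq PORT"; None = any port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Entry]:
    """Parse ACL lines in order; IOS evaluates entries top to bottom."""
    entries = []
    for raw in text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {raw!r}")
        entries.append(Entry(
            action=m["action"], proto=m["proto"],
            src_net=_ip(m["src"]), src_wild=_ip(m["wild"]),
            dst_host=_ip(m["dst"]),
            port=int(m["port"]) if m["port"] else None,
        ))
    return entries


def wildcard_to_prefix(wild: str) -> Optional[int]:
    """Prefix length equivalent to a contiguous wildcard mask, else None.
    0.0.0.255 -> 24, 0.255.255.255 -> 8 (everything in the first octet)."""
    w = _ip(wild)
    if (w + 1) & w:          # set bits are not a trailing run of ones
        return None
    return 33 - (w + 1).bit_length()


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        care = ~e.src_wild & 0xFFFFFFFF          # bits the wildcard says must match
        if (s & care) != (e.src_net & care):
            continue
        if d != e.dst_host:
            continue
        if e.port is not None and dport != e.port:
            continue
        return e.action
    return "deny"                                # implicit deny ends every IOS ACL


def effective_sources(entries: List[Entry]) -> List[str]:
    """Source scope of each entry, to check against the guest VLAN's real size."""
    out = []
    for e in entries:
        wild = str(ipaddress.IPv4Address(e.src_wild))
        pfx = wildcard_to_prefix(wild)
        if pfx is None:
            out.append(f"non-contiguous wildcard {wild}")
        else:
            out.append(str(ipaddress.IPv4Network((e.src_net, pfx), strict=False)))
    return out


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for e, scope in zip(acl, effective_sources(acl)):
        print(f"{e.action} {e.proto} from {scope} to {ipaddress.IPv4Address(e.dst_host)} port {e.port}")
    # Sample flows from a guest-VLAN station (constructed addresses)
    for dport in (389, 636, 445):
        verdict = evaluate(acl, "tcp", "192.168.1.50", "172.18.10.201", dport)
        print(f"192.168.1.50 -> 172.18.10.201:{dport} = {verdict}")
```

Running it prints the source scope of each entry and then the verdict for LDAP (389), LDAPS (636) and an unrelated port (445) from a guest-VLAN station; only the two LDAP ports to the one server are permitted, everything else falls through to the implicit deny.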
Caveats on this:
- The Cisco client will close the port completely on logout, so there will be no guest network access to do an LDAP lookup; you will have to restart instead of logging out.
- Cisco client 4.1 broke guest network access at boot-up. Client 4.1 and above will not allow access to the network until the supplicant has logged in, even though the switch port shows it is on the guest VLAN.
My own comments on the 802.1X Authentication and Novell:
I have been hoping that Novell would finally embrace 802.1X, since it is darn near the only Layer 1/2 security option out there. They have finally released SP4 with 802.1X integration, but it requires an MS network back end to work, due to the use of the MSChapV2 internal password cipher. Novell seems to get around this by layering a Samba server onto the FreeRADIUS server, but for me this is one more point of failure/troubleshooting. Until Novell supports certificates or EAP-FAST, we are limited to relying at least in part on MS networking.
Currently Cisco is dropping support for the Single Sign On 802.1X supplicant for Novell Client in their version 5.0 CSSC (Cisco Secure Services Client), which means that if you want to use 802.1X with anything but MSChapV2 you will have to use CSSC 4.2 or below. I have found that the latest version of Novell Client, SP4, together with CSSC 4.2, has fixed the problem when Novell caches the context. Now the CSSC seems to ignore the context field and do an LDAP lookup anyway; of course, you do not get any confirmation that the username is correct prior to login, as you do with my way. I have not done a full-scale deployment of this, however, to make sure there are no other bugs.
Hope someone is able to use this!!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com