Well, what about wired devices? How do we authenticate an authorized wired client? Well, it turns out we could do it right here in the same place.
So we could create a couple more rules. So we can say, OK, if we look at wired devices that are using certificates to authenticate, we could just call this rule wired certificate authentication.
We can effectively apply the same matching criteria as for wireless.
There’s no difference whatsoever here. On the right-hand side, we’ll decide where we want to move these devices after authentication and the right policy match.
And finally, what about non-802.1X-capable devices on the wired side? So for example, I have here a Philips hub that does not support 802.1X. How can I authenticate a Philips hub?
So I could create a label for the Philips device. The label type will be client list. And I’ll just say approved Philips hub.
And I’ll just put the MAC address of that device in.
And you could put a list of MAC addresses. You can put a list of MAC OUIs.
And remember that all of these labels that I’m creating in the UI are all available through the REST API. So there are endless possibilities for integration with existing, say, inventory management systems that can just put all the new device MAC addresses in those lists for authentication and authorization. So we’ll just click Create.
Create this label. And we’ll create a rule. We’ll call it approved Philips devices.
And here we are matching on wired devices that are doing MAC address authentication bypass that are part of this client list label. And in this case, we will move them to– well, I don’t want to move them to the Corp VLAN. That’s not what I want.
I will create an IoT VLAN.
And in our case, that’s going to be VLAN 3000.
And I’m going to add this to the IoT VLAN. And now we have our authentication policy configuration done.
Now, the next step is to actually configure the switch to perform the authentication. So how do we do that? We go to our switch template.
In the authentication servers, we would select Mist authentication. The source address is optional. This is just telling the switch which interface to use to source the authentication traffic.
And under Networks, you’ll just need to have all your VLANs that you’re planning to use configured. And most importantly, you’ll need to configure your port profile. So we’ll create that.
Let’s say secure port profile. It will be an access port. Default VLAN. Can be anything.
Ideally, it should be a VLAN that doesn’t exist anywhere. We will enable 802.1X authentication. And we will enable MAC authentication.
So the way it will work is, if the client supports 802.1X, the switch port will do 802.1X authentication. If the client doesn’t do 802.1X, the switch port will fail over to MAC authentication and check against Mist Access Assurance. We’ll enable spanning tree edge.
Click OK. And finally, under our switch configuration, we will assign this port profile to our front-facing ports. In my case, that would be 001211.
And I want these ports to be configured in exactly the same way. I don’t want to deal with VLANs per port.
NAC will figure out which VLAN to send based on the identity of the device that you’re trying to plug into the switch. So click OK.
I needed to save it here. And now I can save my template. And at this point, our configuration for wired authentication is done. We can move to the validation phase and connect our clients to the switch ports.
What about wired devices? How do we authenticate and authorize wired clients? We use the exact same policy engine we used for wireless clients.
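The demo above feeds MAC addresses into a client list label by hand and notes that an inventory system could do the same through the REST API. A MAC-authentication allowlist is only as good as what gets pushed into it, so the script below shows the vetting step such an integration should do first: normalize the mixed formats an inventory export typically contains, split full MACs from OUI-only entries, drop duplicates and multicast/broadcast addresses (which can never be a legitimate client source MAC), and flag locally administered addresses, which usually mean a randomized MAC that will not stay stable. This is an added example, not code from the video or from Juniper Mist; the inventory entries are constructed, the label value format (12 lowercase hex digits for a MAC, 6 for an OUI) is an assumption, and the payload shape in `label_payload` is a placeholder, not a documented Mist API schema.

```python
"""Vet inventory MAC addresses / OUIs before pushing them into a NAC client list.

Added example, not code from the original video or from Juniper Mist.
Assumptions: the inventory export hands us MACs in mixed formats; the target
label accepts 12-hex-digit lowercase MACs and 6-hex-digit OUIs; the payload
shape in label_payload() is a placeholder, not a documented API schema.
"""
import re
from dataclasses import dataclass, field

_SEPARATORS = re.compile(r"[\s:\-.]")          # colon, dash, dot and whitespace
_HEX12 = re.compile(r"^[0-9a-f]{12}$")          # full MAC address
_HEX6 = re.compile(r"^[0-9a-f]{6}$")            # OUI (vendor prefix) only

# Constructed sample input: these MAC/OUI values are made up for this example.
INVENTORY_EXPORT = [
    "00:17:88:AA:BB:01",    # colon-separated, upper case
    "00-17-88-aa-bb-02",    # dash-separated
    "0017.88aa.bb03",       # dotted groups of four
    "001788aabb01",         # duplicate of the first entry, different format
    "00:17:88",             # OUI-only entry: allow a whole vendor prefix
    "01:00:5e:00:00:01",    # multicast: never a legitimate source MAC
    "02:11:22:33:44:55",    # locally administered bit set (randomized MAC)
    "00:17:88:ZZ:BB:04",    # garbage
]


@dataclass
class AllowlistBuild:
    macs: list = field(default_factory=list)
    ouis: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (raw entry, reason)
    flagged: list = field(default_factory=list)    # (accepted mac, reason to review)


def normalize_hex(raw: str) -> str:
    """Strip separators and lower-case; validation happens in the caller."""
    return _SEPARATORS.sub("", raw).lower()


def is_multicast(mac_or_oui: str) -> bool:
    """I/G bit: least significant bit of the first octet set (covers broadcast)."""
    return int(mac_or_oui[0:2], 16) & 0x01 == 0x01


def is_locally_administered(mac_or_oui: str) -> bool:
    """U/L bit: second-least significant bit of the first octet set."""
    return int(mac_or_oui[0:2], 16) & 0x02 == 0x02


def build_allowlist(entries) -> AllowlistBuild:
    out = AllowlistBuild()
    seen_macs, seen_ouis = set(), set()
    for raw in entries:
        value = normalize_hex(raw)
        if _HEX12.fullmatch(value):
            if is_multicast(value):
                out.rejected.append((raw, "multicast/broadcast address"))
                continue
            if value in seen_macs:
                out.rejected.append((raw, "duplicate"))
                continue
            if is_locally_administered(value):
                # Accepted, but a randomized MAC will not survive a reset or
                # re-pairing, so the entry is worth a second look.
                out.flagged.append((value, "locally administered (likely randomized MAC)"))
            seen_macs.add(value)
            out.macs.append(value)
        elif _HEX6.fullmatch(value):
            if is_multicast(value):
                out.rejected.append((raw, "multicast OUI"))
                continue
            if value in seen_ouis:
                out.rejected.append((raw, "duplicate"))
                continue
            seen_ouis.add(value)
            out.ouis.append(value)
        else:
            out.rejected.append((raw, "not a MAC or OUI"))
    return out


def label_payload(label_name: str, build: AllowlistBuild) -> dict:
    """ASSUMED payload shape for a client-list label; check the vendor API docs."""
    return {"name": label_name, "type": "client", "values": build.macs + build.ouis}


if __name__ == "__main__":
    result = build_allowlist(INVENTORY_EXPORT)
    print("accepted MACs:", result.macs)
    print("accepted OUIs:", result.ouis)
    for raw, reason in result.rejected:
        print(f"rejected {raw!r}: {reason}")
    for mac, reason in result.flagged:
        print(f"review {mac}: {reason}")
    print(label_payload("approved Philips devices", result))
```

Run it against a real export by replacing `INVENTORY_EXPORT` with the parsed file; the `rejected` and `flagged` lists are what an operator should see before anything is written to the label, since every entry that slips into a MAC-bypass allowlist becomes a credential anyone who can spoof that address can use.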