To configure a Three-Tier design using Cisco commands, follow the steps below:

Configure the Core layer:

Configure the Core layer switches with high-speed links to provide the backbone of the network.
Configure the switchports connected to the Distribution layer switches as trunk ports.
Configure VLANs on the Core layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Configure the Distribution layer:

Configure the Distribution layer switches with uplinks to the Core layer switches and downlinks to the Access layer switches.
Configure the switchports connected to the Core layer switches as trunk ports and the switchports connected to the Access layer switches as access ports.
Configure VLANs on the Distribution layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10

Configure the Access layer:

Configure the Access layer switches with uplinks to the Distribution layer switches.
Configure the switchports connected to end devices as access ports.
Configure VLANs on the Access layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Configure Spanning Tree Protocol (STP):

Configure STP to prevent loops in the network.
Configure the Core layer switches as the root bridges for each VLAN.
Sample Cisco commands:

spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root primary

Configure Link Aggregation Control Protocol (LACP):

Configure LACP to provide link redundancy and load balancing between switches.
Sample Cisco commands:

interface GigabitEthernet0/1
channel-group 1 mode active

Configure VLANs:

Configure VLANs on the Core, Distribution, and Access layer switches to segment the network.
Assign ports to VLANs based on the device type and location.
Sample Cisco commands:

vlan 10
name Sales
vlan 20
name Engineering
vlan 30
name Marketing

Verify the configuration:

Verify the configuration by checking the switchport settings, VLAN configuration, and STP status.
Sample Cisco commands:

show interfaces GigabitEthernet0/1 switchport
show vlan brief
show spanning-tree vlan 10,20,30

By following these steps, you can configure a Three-Tier design using Cisco commands.

Follow a previous article on building a two tier campus network.
Design and Build a Two-Tier Campus Network Architecture

Follow this Cisco Validated Design for Inspiration.

Cisco Meraki has some good validated design ideas here.

Spanning Tree Protocol is a network protocol that provides redundancy while preventing loops in a network. It accomplishes this by creating a loop-free logical topology of a network, while still allowing redundant paths for traffic. It does this by electing one switch in the network as the root bridge, and then blocking redundant links to ensure that there is only one active path between any two switches.

However, while STP provides a solid foundation for network redundancy and loop prevention, it has its limitations. For example, in the event that the root bridge fails, it can take a significant amount of time for the network to converge and find a new root bridge. This downtime can be unacceptable for certain networks, particularly those with critical applications or high availability requirements.

This is where Spanning Tree Protection (STP) comes into play. STP enhances the functionality of STP by providing a faster failover mechanism in the event of a root bridge failure. This mechanism ensures that the network can quickly recover from a failure and continue to function with minimal downtime.

STP accomplishes this by creating multiple active paths between switches while still preventing network loops. This allows for a faster failover in the event of a root bridge failure because the network already has alternate paths available to use. Additionally, STP includes a mechanism for detecting and preventing loops in the network, ensuring that data is always transmitted efficiently and without interruption.

In a core switching environment, STP protection is especially critical. Core switches are the backbone of the network, responsible for routing and transmitting data across the entire network. Any downtime or failure of a core switch can have a significant impact on the network’s performance and availability.

By implementing STP protection on core switches, network administrators can ensure that their networks remain available and reliable even in the face of hardware failures or other issues. Additionally, by leveraging the redundancy provided by STP protection, core switches can be upgraded or replaced without causing downtime or interrupting network traffic.

Root Guard is an extension of the STP protocol that provides additional security by protecting the root bridge from unauthorized access. The root bridge is the switch that has the lowest bridge ID and is responsible for initiating the STP algorithm. An attacker can potentially change the bridge ID of a switch and force it to become the root bridge, allowing them to manipulate network traffic and access sensitive information.

To prevent this, Root Guard is implemented on switches that are not intended to be the root bridge. When Root Guard is enabled, the switch will block any port that receives a BPDU (Bridge Protocol Data Unit) from a switch with a superior bridge ID to the current root bridge. This prevents any unauthorized switch from becoming the root bridge and ensures that the network topology remains stable.

Root Guard can be particularly useful in environments where network security is a high priority, such as in financial institutions, healthcare facilities, and government agencies. By enhancing the STP protocol with Root Guard, network administrators can prevent unauthorized access to critical network resources and improve overall network reliability.

Root Guard is an essential tool for enhancing the reliability and security of Spanning Tree Protocol in network environments. It provides an additional layer of protection against the Root Bridge Attack and ensures that the network topology remains stable and secure. Network administrators should consider implementing Root Guard in their network infrastructure to prevent potential attacks and improve overall network performance.

In conclusion, Spanning Tree Protection is a critical technology for ensuring the reliability and availability of network traffic. By enhancing the capabilities of STP and providing faster failover mechanisms, STP protection is particularly well-suited for core switching environments. Network administrators should carefully consider the benefits of STP protection when designing and implementing their network infrastructure, to ensure that their networks remain available and reliable at all times.

Here are the Cisco IOS commands to secure STP and enable Root Guard:

Enable STP:

switch(config)# spanning-tree mode rapid-pvst

Enable PortFast on access ports:

switch(config)# spanning-tree portfast default
switch(config)# interface interface-id
switch(config-if)# spanning-tree portfast

Enable BPDU Guard on all access ports:

switch(config)# spanning-tree portfast bpduguard default

Enable Root Guard on all non-root bridge ports:

switch(config)# spanning-tree guard root

Verify that Root Guard is enabled:

switch# show spanning-tree interface interface-id
The output should display the "Root guard" status as enabled.

By implementing these Cisco IOS commands, you can secure STP and enable Root Guard to protect against unauthorized access and maintain network stability. It is important to regularly monitor and review the STP configuration to ensure that it is properly secured and optimized for your network environment.

Cisco has some good recommendations – https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

This article How to Connect GNS3 to a Physical Network is a no nonsense step by step guide to setting up a full hands on GNS3 lab for the serious network engineer or student. This How to Connect GNS3 to a Physical Network lab is what it says on the tin. Routing, Switching, Firewall Security, Infrastructure, Virtualisation and Internet all made possible by this advanced lab created by some of the smartest network engineers of today.

How to Connect GNS3 to a Physical Network | Connecting Switch Uplink Interfaces (Introduction)

Trust me, we understand your frustration. You really want a handson lab but GNS3 has some gotcha’s, and it’s no longer economically efficient to have a lot of kit so what do you do? Thank God, we have the answer in the steps below. It will cost you next to nothing but guaranteed to give you the full blown hands-on experience without any compromises.

You will be able to create a myriad of labs, change network topologies without much effort and extra configuration. This lab is suitable for a business, university or individuals. It’s vendor agnostic and so can support your Next-Generation ASA Firewall, Sonic Wall, Juniper, Palo Alto, HP Aruba Switch, Cisco Catalyst Switches, Windows Servers and to make it even more interesting, if it has an interface, you can lab it.

The advantage here is that you can practice full switching and routing protocols like HSRP | GLBP | VRRP, STP, OSPF, EIGRP to name but a few.

Let us put together our kit list (Some of these you may already have at your disposal)

Hardware Kit

• 1 x Desktop Computer or Workstation with Expansion Slots (If you own a laptop, you will need USB C to Ethernet Adapters) – Not truly reliable hence the workstation preference.
• 2 x 4 Port PCI-E 1Gbps Network Interface Card | 2 Access Buildings
• 2 x Access Switches | Cisco Catalyst Switches or HPE Aruba Switches | Vendor Agnostic

Software and Operating System

• Microsoft Windows
• Linux Ubuntu
• GNS3 Application

Figure 1.0 – Connect Network Device to Ethernet Adapter

Figure 1.1 – 4 Port Ethernet Adapter

Figure 1.2 – Connect Switch Uplink Interfaces

Interface 47 and 48 are our respective uplinks to Core Routers R1 and R2 respectively. To make the interface layer 3 or routed, the following configuration converts them to routed interfaces.

Example of Configuration

switch(config)# interface Fa0/47 
switch(config-if)# no switchport 
switch(config-if)# 

switch(config)# interface Fa0/48
switch(config-if)# no switchport 
switch(config-if)# 

Figure 1.3 – Uplinks of Switches 1 and 2

Access Switch 1

switch(config)# interface 47 
switch(config-if)# untagged vlan 1008
switch(config-if)# ip address 172.16.254.10

switch(config)# interface 48
switch(config-if)# untagged vlan 1012
switch(config-if)# ip address 172.16.254.14

Access Switch 2

switch(config)# interface 47 
switch(config-if)# untagged vlan 1016
switch(config-if)# ip address 172.16.254.18

switch(config)# interface 48
switch(config-if)# untagged vlan 1020
switch(config-if)# ip address 172.16.254.22

Figure 1.4 – Switches Uplinks at back of Desktop connected to Physical Interfaces

Step 1 – Connect Ethernet Interfaces to Desktop Network Adapters

How to Connect GNS3 to a Physical Network | Configuring Physical Network Interfaces (Part 1)

Identify Interfaces on your computer

Command: nmcli dev status

# nmcli dev status
DEVICE  TYPE      STATE         CONNECTION
eth1    ethernet  connected     eth1
eth0    ethernet  connected     eth0
eth2    ethernet  disconnected  --
lo      loopback  unmanaged     --

Command: ifconfig

eno1: flags=4099  mtu 1500
        ether 40:a8:f0:49:7b:0a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7c00000-f7c20000  

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24697  bytes 24138502 (24.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24697  bytes 24138502 (24.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 2 – Configure IP Addresses for Uplink Interfaces

How to Connect GNS3 to a Physical Network | Configuring IP Addresses for Network Interfaces (Part 2)

Step 3 – Connect Uplinks to Core Routers

How to Connect GNS3 to a Physical Network | Connecting Switch Uplinks to Core Routers (Part 3)

Step 4 – Test Connectivity with Pings

How to Connect GNS3 to a Physical Network | Test Connectivity with ICMP Pings (Part 4)

Download the full lab here: Connecting GNS3 to Physical Network – Multilayer Network Access Design

Related Post:How to Connect GNS3 to Internet

Cisco Identity Services Engine (ISE)
Cisco ISE is a comprehensive NAC solution that provides centralized policy control and enforcement. It integrates with a wide range of third-party security solutions and can be deployed on-premise or in the cloud. With its extensive policy management capabilities and real-time monitoring and reporting features, Cisco ISE is an excellent choice for organizations of all sizes.

Fortinet FortiNAC
FortiNAC is a powerful NAC solution that offers granular visibility and control over network access. It can be integrated with a variety of endpoints, including IoT devices, and can be deployed in cloud, on-premise, or hybrid environments. With features such as automated threat response and continuous compliance monitoring, FortiNAC is an excellent option for businesses that need advanced network security.

Aruba ClearPass
Aruba ClearPass is a user-friendly NAC solution that provides policy-based access control for wired and wireless networks. It integrates with a variety of security solutions and can be deployed in cloud, on-premise, or hybrid environments. With features such as self-service onboarding and advanced threat detection, Aruba ClearPass is an ideal solution for businesses that need a comprehensive yet easy-to-use NAC solution.

Pulse Secure Pulse Policy Secure
Pulse Policy Secure is a comprehensive NAC solution that provides real-time visibility and control over network access. It can be deployed on-premise or in the cloud and integrates with a variety of endpoints and security solutions. With its advanced threat detection and remediation capabilities, Pulse Policy Secure is an excellent choice for businesses that require high levels of network security.

ForeScout CounterACT
ForeScout CounterACT is a powerful NAC solution that provides real-time visibility and control over network access. It can be integrated with a wide range of security solutions and can be deployed on-premise or in the cloud. With features such as automated threat response and continuous compliance monitoring, ForeScout CounterACT is an excellent choice for businesses that need advanced network security.

In conclusion, Network Access Control solutions are critical for protecting the integrity of an organization’s network infrastructure. The above-mentioned solutions are some of the best available in the market, each offering unique features and capabilities. Organizations should carefully evaluate their requirements and choose the NAC solution that best fits their needs. By doing so, they can ensure that their network remains secure and their business operations continue to run smoothly.

Develop a NAC Policy
The first step in implementing effective NAC is to develop a policy that outlines the rules and procedures for granting network access. This policy should be tailored to your organization’s specific needs and take into account factors such as user roles, devices, and applications. It should also include clear guidelines on how to enforce the policy, such as the use of firewalls and intrusion detection systems.

Identify and Authenticate Users
To ensure that only authorized users have access to your network, it is important to implement strong authentication methods. This can include usernames and passwords, two-factor authentication, or biometric authentication. In addition, it is important to regularly review and update user access privileges to ensure that they align with current job responsibilities.

Segment Your Network
Segmenting your network can help to limit the spread of malware and other security threats. By dividing your network into smaller subnets, you can control which users and devices have access to different areas of the network. This can help to prevent lateral movement by attackers and limit the impact of any security breaches.

Monitor and Enforce NAC Policies
Monitoring and enforcing your NAC policies is critical to maintaining the security of your network. This can include monitoring user activity, network traffic, and device usage. By analyzing this data, you can identify any suspicious activity and take appropriate action to mitigate any potential threats.

Regularly Update Your NAC Solution
Network security threats are constantly evolving, which means that your NAC solution needs to be updated regularly to stay effective. This can include updating software and firmware, adding new security features, and patching any vulnerabilities that are identified. Regular testing and validation of your NAC solution can help to ensure that it is functioning as intended and providing adequate protection for your network.

In conclusion, implementing effective network access control is critical to maintaining the security of your organization’s network. By following these best practices, you can help to prevent unauthorized access, limit the spread of malware, and protect sensitive data. Remember to regularly review and update your NAC policies and solutions to stay ahead of the evolving threat landscape.

SANS Institute has a great paper on the above subject.

Network Access Control (NAC) is a crucial component of modern-day network security that allows organizations to restrict access to their networks and systems to authorized users and devices. NAC helps to ensure that only trusted devices and users can access sensitive information, preventing potential security breaches and protecting critical data. In this article, we’ll take a closer look at what NAC is, how it works, and why it’s essential for organizations to implement it as part of their overall cybersecurity strategy.

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security technology that controls access to network resources based on predefined policies. NAC systems are designed to verify the identity of devices and users attempting to access a network, ensuring that only authorized users and devices are granted access. NAC systems are typically deployed at the network’s edge, such as firewalls or switches, and are used to enforce security policies and restrict access to network resources.

How Does NAC Work?

NAC works by controlling access to network resources based on predefined policies. Before a device or user is granted access to a network, they must be authenticated and authorized. NAC systems use a variety of methods to verify the identity of devices and users, including digital certificates, biometric authentication, and two-factor authentication.

Once a device or user has been authenticated, the NAC system checks their compliance with security policies, such as antivirus software updates and patch management. If the device or user is compliant, they are granted access to the network. If not, they are denied access or placed in a quarantine zone until they can be brought into compliance.

Why is NAC Important for Organizations?

NAC is essential for organizations because it helps to ensure that only authorized users and devices can access their networks and systems. This is particularly important for organizations that handle sensitive data, such as healthcare providers, financial institutions, and government agencies.

NAC helps to prevent security breaches by ensuring that only trusted devices and users can access sensitive information. It also helps to enforce security policies and ensure that devices are up to date with the latest security patches and antivirus software updates.

Furthermore, NAC helps organizations to comply with regulatory requirements, such as HIPAA and PCI DSS. Compliance with these regulations is essential for organizations that handle sensitive data, and failure to comply can result in severe financial penalties and reputational damage.

Implementing NAC in Your Organization

If you’re considering implementing NAC in your organization, there are several factors to consider. First, you’ll need to assess your organization’s security needs and determine which NAC solution is best suited to your needs. There are several NAC solutions available, ranging from basic solutions to more advanced systems that integrate with other security technologies.

You’ll also need to consider your budget and the resources required to deploy and maintain your NAC solution. NAC solutions can be complex, and you’ll need to ensure that you have the necessary expertise and resources to manage your solution effectively.

In Conclusion

Network Access Control (NAC) is a critical component of modern-day network security that helps organizations to restrict access to their networks and systems to authorized users and devices. NAC helps to prevent security breaches, enforce security policies, and ensure compliance with regulatory requirements. Implementing NAC in your organization can be complex, but it’s essential for organizations that handle sensitive data and want to ensure that their networks and systems are secure.

Juniper has a very interesting article on the above subject.

In this article, we will explore the basics of NAC, including how it works, why it is important, and the key components of a NAC solution.

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security solution that enables organizations to control access to their networks. It provides a way to authenticate users and devices, enforce access policies, and monitor network activity to identify potential security threats.

NAC solutions use a range of techniques to ensure that only authorized users and devices can access the network. These include identity and access management, endpoint compliance checks, and policy enforcement.

How Does NAC Work?

NAC solutions typically include several key components, including:

Endpoint Identification: NAC solutions use various techniques to identify the devices that are attempting to access the network, such as MAC addresses, IP addresses, and user credentials.

Authentication and Authorization: Once an endpoint is identified, the NAC solution will authenticate the user and/or device and verify that it is authorized to access the network.

Policy Enforcement: NAC solutions enforce access policies to ensure that only authorized users and devices can access the network. Policies can be based on a range of factors, such as user identity, device type, and location.

Endpoint Compliance: NAC solutions also check endpoints for compliance with security policies, such as the presence of antivirus software or the latest operating system patches.

Monitoring and Reporting: NAC solutions monitor network activity to detect potential security threats, such as unauthorized access attempts or suspicious network activity.

Why is NAC Important?

Network Access Control (NAC) is critical for maintaining the security and integrity of your network. By controlling access to your network resources, you can prevent unauthorized access and protect sensitive data from theft or loss.

NAC solutions also provide a way to enforce security policies and ensure that all devices on your network are up-to-date with the latest security patches and antivirus software. This reduces the risk of malware infections and other security threats that could compromise your network.

Cisco provides various commands and tools that can be used for Network Access Control (NAC) solutions, endpoint compliance, policy enforcement, network security, authentication and authorization, and identity and access management. Some of the common commands and tools include:

Cisco Identity Services Engine (ISE): This is a comprehensive NAC solution that provides identity and access management, policy enforcement, and endpoint compliance features. It can be managed using various CLI (Command Line Interface) commands, such as “show” commands to display configuration details and “configure” commands to modify the configuration.

Cisco TrustSec: This is a network security solution that provides secure segmentation and policy-based access control. It can be configured using various CLI commands, such as “device-tracking” to enable device tracking and “policy” commands to configure access policies.

Cisco Secure Access Control System (ACS): This is a centralized access control solution that provides authentication and authorization for network devices and users. It can be managed using various CLI commands, such as “aaa” commands to configure authentication, authorization, and accounting policies.

Cisco AnyConnect: This is a VPN solution that provides secure remote access to network resources. It can be configured using various CLI commands, such as “vpn” commands to configure VPN policies and “webvpn” commands to configure web-based VPN access.

Cisco Adaptive Security Appliance (ASA): This is a firewall solution that provides network security and access control. It can be managed using various CLI commands, such as “access-list” commands to configure access control lists and “vpn-filter” commands to configure VPN access policies.

Overall, Cisco provides a wide range of CLI commands and tools that can be used to configure and manage NAC solutions, endpoint compliance, policy enforcement, network security, authentication and authorization, and identity and access management.

Conclusion

Network Access Control (NAC) is a critical component of network security, designed to prevent unauthorized access to your network resources. NAC solutions provide a range of features, including identity and access management, policy enforcement, and endpoint compliance checks, to ensure that only authorized users and devices can access your network.

By implementing a NAC solution, you can reduce the risk of security threats, protect sensitive data, and ensure the integrity of your network. So if you haven’t already implemented NAC in your organization, now is the time to do so.

From the client’s perspective, outside of their local network, they next important piece they deal with is the default gateway. Should the gateway go down, then access to an entire subnet would go down.

To deal with gateway redundancy, we implement a first hop redundancy protocol. There are a number of these technologies on the market and today we shall look at Cisco’s Hot Standby Router Protocol (HSRP) to start with. The others are the Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP). Many modern Cisco equipment supports the full flavor of the First Hop Redundancy Protocols.

Understanding First Hop Redundancy Protocols (FHRP)

You connect a computer to your network, it boots up and automatically receives IP Address information from the DHCP Server. There is a piece of information there called the Default Gateway.
The Default Gateway is the router that gets us off our local subnet. Now, imagine that router acting as the default gateway fails, suddenly we are not able to send traffic off the local subnet, the good news is that we can add some redundancy to this scenario through the use of a first hop redundancy protocol. This is the focus of this article Understanding First Hop Redundancy Protocols (FHRP). Specifically we shall be looking at 3 FHRP Protocols, these are HSRP, VRRP and GLBP.

These protocols allows our device(s) to use a backup router to get us off our local subnet whiles still pointing to the same Default Gateway IP Address that we learned via DHCP.

Let’s have a look at the Cisco’s Hot Standby Routing Protocol

Note: HSRP sends its hello messages to the multicast destination 224.0.0.2 (“all routers”) using UDP port 1985.

Equipment Used

Gateway Design and Configuration

Virtual Gateway 1: 10.1.1.1
Virtual Gateway 2: 10.1.1.10

Figure A.1 – Workstation Default Gateway Configured as : 10.1.1.1

Figure A.2 – Workstation Default Gateway Configured as : 10.1.1.10

Figure 1.0 – Understanding First Hop Redundancy Protocols (HSRP) In this high availability architecture diagram, we have the said two routers in active and standby modes with the access switch and workstation configured as per the above setup in Figure A.1.

Operation of HSRP

The Hot Standby Routing Protocol is considered a firt hop redundancy protocol. What does this mean? Look at the pc above in Figure 1.0, it has an IP Address of 10.1.1.120 and a Default Gateway of 10.1.1.1. What is that default gateway? This is typically the IP Address of the router that may get PC off from it’s local subnet to another network, perhaps the internet. This could be information the PC may have learned via DHCP when it joined the network. The router which is its default gateway could become the single point of failure for the PC as when the router fails, the PC may be limited to communicate on its local subnet. It cannot go beyond it’s local subnet. HSRP helps us out with this issue. HSRP is a Cisco proprietary protocol as is GLBP. The industry standard is the VRRP.

The Default Gateway cannot be seen in the Figure 1.0 for Switch 1 or Switch 2. Switch 1 has a layer 3 ip address of 10.1.1.2 and Switch 2 has a layer 3 ip address of 10.1.1.3, So who is servicing packets reaching 10.1.1.10. Well notice the greyed out router in the middle of the diagram, this is normally called the phantom router or logical router. This is the router that the PC is logically using.

HSRP allows one router to serve as the active router and is able to serve packets destined for the 10.1.1.10 and route them the right where they need to go.

. In today’s network you will realise that most of our networking is with Layer 3 Switches which support FHRP. It is a popular practice to see machines point to the Switches as their Default Gateways. These are normally Multi-layer Switches which acts as routers for our FHRP deployment. The IP 10.1.1.1 has a corresponding mac address which the PC has learned using ARP. If Switch 1 went Kaboom!, Switch 2 is able to carry on with the work to serve devices their gateway and access to resources without a down time.

Understanding First Hop Redundancy Protocols (FHRP)

Configuration Time – Configuring an HSRP Group on Router or Layer 3 Switch

In this configuration, we have created Switch Group 1 for both Routers or Layer 3 Switches participating in the HSRP Gateway Redundancy.

Router A or Layer 3 Switch Network Device

Router-A(config)# interface vlan 20
Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
Router-A(config-if)# standby 1 priority 200
Router-A(config-if)# standby 1 preempt
Router-A(config-if)# standby 1 ip 10.1.1.1
Router-A(config-if)# no shutdown

Router B or Layer 3 Switch Network Device

Router-B(config)# interface vlan 20
Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
Router-B(config-if)# standby 1 priority 100
Router-B(config-if)# standby 1 preempt
Router-B(config-if)# standby 1 ip 10.1.1.1
Router-B(config-if)# no shutdown

Perform Load Balancing –
In the previous configuration, Router-A becomes the Active Router serving all users the gateway for their traffic over its uplink whiles Router-B sits there as the Standby HSRP Router with its Uplink idle only waiting for the day of failure which may or may never happen.

Load balancing traffic across two uplinks to two HSRP routers with that single HSRP Group 1 is not possible. There is however a method to achieving this design and that is to use two HSRP groups.

HSRP Group One : Assigns an active router to one router or layer 3 switch
HSRP Group Two: Assigns another active router to the other router or layer 3 switch

With this setup, two different virtual router or gateway addresses can be used simultaneously. The rest of this setup is to make each router or layer 3 switch function as the standby router for its partner’s HSRP Group.

Simply put, each router is the active HSRP router for one group but standby for the other group.

Using a DHCP server, the clients can be cnfigured to have one of the two HSRP group addresses.

Look at the diagram below – Figure 1.1.

Router A is not only the active HSRP router for the HSRP Group 1 (10.1.1.1) but also the standby router for the HSRP Group 2 (10.1.1.10)

Load Balancing

Router-A as Active HSRP Router for HSRP Group 1

Router-A(config)# interface vlan 20
Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
Router-A(config-if)# standby 1 priority 200
Router-A(config-if)# standby 1 preempt
Router-A(config-if)# standby 1 ip 10.1.1.1

Configure Authentication for HSRP Peers

Router-A(config-if)# standy 1 authentication K3y1h4v3Ch05en!

The above authentication is based on PLain-Text HSRP Authentication. These are HSRP messages sent with a plain-text key strong (up to 8 characters) as a simple method to authenticate HSRP peers. Keys have to match to approve peering.

You can use MD5 authentication. The command below helps to achieve this

Router(config)# key chain chain-name
Router(config-keychain)# key key-number
Router(config-keychain-key)# key-string [0 | 7] string
Router(config)# interface type mod/num
Router(config-if)# standby group authentication md5 key-chain chain-name

This configuration makes Router-A Standy HSRP Router for HSRP Group 2

Router-A(config-if)# standby 2 priority 100
Router-A(config-if)# standby 2 preempt
Router-A(config-if)# standby 2 ip 10.1.1.10
Router-A(config-if)# standy 2 authentication K3y1h4v3Ch05en!

Router-B as Standby HSRP Router for HSRP Group 1

Router-B(config)# interface vlan 20
Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
Router-B(config-if)# standby 1 priority 100
Router-B(config-if)# standby 1 preempt
Router-B(config-if)# standby 1 ip 10.1.1.1
Router-B(config-if)# standy 1 authentication K3y1h4v3Ch05en!

This configuration makes Router-B Active HSRP Router for HSRP Group 2

Router-B(config-if)# standby 2 priority 200
Router-B(config-if)# standby 2 preempt
Router-B(config-if)# standby 2 ip 10.1.1.10
Router-B(config-if)# standy 2 authentication K3y1h4v3Ch05en!

Use the following command to display information about the status of either HSRP Groups

Router#show standby [brief] [vlan vlan-id | type mod/num]

Virtual Router Redundancy Protocol (VRRP)

You can never talk about VRRP without mentioning HSRP as that is the proprietary original innovation Cisco created many years ago but since then, the open standard VRRP has become a loved version for many vendors. It is supported by major vendors including Cisco who ships the support in their iOS platforms.

Like with HSRP, VRRP has a configured group that contains a number of routers also known as gateways. In the network design process, an engineer will configure one of the gateways as the master and the other the backup or standby. These terms could be used interchangeably.

In the example we had with the HSRP, the Active Router had an IP address of 10.1.1.2 and the Standby 10.1.1.3. The Virtual Router’s IP address was 10.1.1.1 which was served to clients as the default gateway. In VRRP, the Master Router’s physical IP address of the interface connecting the subnet is used by the clients as a default gateway.

In this example, the Master IP address is : 10.1.1.1 and the Backup or Standby IP address is: 10.1.1.10.

There isn’t a logical IP Address for a Virtual Router as VRRP handles it quite differently. Behind the scenes, the backup router of the VRRP group will communicate with the master gateway and assume the duty of forwarding traffic, should the master router fail due to any known reasons. The IP address used for the VRRP always belongs to the master router which is referred to as the IP address owner. When the Master router recovers, it will take back the duties of routing for that IP address.

It is possible to have multiple VRRP groups on a single subnet, which can be used to spread the load of the traffic coming off of a subnet. However, this must be done manually at the client’s location, by changing their default gateway addresses.

Figure 1.1 – Understanding First Hop Redundancy Protocols (VRRP)

VRRP Router A Load Balancing Configuration
VRRP Group 1

Router-A(config)# interface vlan 20
Router-A(config-if)# ip address 10.1.1.2 255.255.255.0
Router-A(config-if)# vrrp 1 priority 200
Router-A(config-if)# vrrp 1 ip 10.1.1.1

VRRP Group 2

Router-A(config-if)# vrrp 2 priority 100
Router-A(config-if)# no vrrp 2 preempt
Router-A(config-if)#vrrp 2 ip 10.1.1.10

Let’s head over to Router B to perform a similar configuration as per below;

VRRP Router B Load Balancing Configuration

VRRP Group 1

Router-B(config)# interface vlan 20
Router-B(config-if)# ip address 10.1.1.3 255.255.255.0
Router-B(config-if)# vrrp 1 priority 100
Router-B(config-if)# no vrrp 1 preempt
Router-B(config-if)#vrrp 1 ip 10.1.1.1

VRRP Group 2

Router-B(config-if)#vrrp 2 priority 200
Router-B(config-if)# vrrp 2 ip 10.1.1.10

Gateway Load Balancing Protocol (GLBP)
In this article of Understanding First Hop Redundancy Protocols (FHRP), we have looked at the most popular first hop redundancy protocols like the HSRP and VRRP. Are you thinking what the GLBP has to offer?

GLBP is another, you guessed it,Cisco proprietary protocol that can be used for first hop redundancy. The key feature GLBP offers which the first two do not is dynamic load balancing.

With GLBP, unlike HSRP or VRRP, routers that exist within the GLBP group are all active and are forwarding traffic. I prefer this as it only makes economic sense to utilise these routers to achieve great throughput and resource balancing. When a GLBP group is configured, one of the routers within the group will be elected as the Active Virtual Gateway (AVG); each of the other routers will back up the AVG, should it fail due to hardware or any other unforseeable variable. The AVG is responsible for assigning virtual MAC addresses to each of the members of the GLBP group; each of these members is referred to as an Active Virtual Forwarder (AVF). The AVG is responsible for responding to ARP request by subnet devices, and selecting which group’s router will handle the traffic. The IP address of the default gateway is the same across all of the subnet devices; this IP address is virtual. Because load balancing is inherent to this protocol, you will not need to employ multi groups or instances to handle gateway load balancing. When the device ARPs for a MAC address, the AVG will respond with one of the virtual MAC addresses since it’s responsible to creating or assigning the mac addresses to begin with. This way, the AVG is able to control which router will handle the load of each individual subnet device. There is a great deal to this amazing protocol but it is not an open standard and so can only be enjoyed by Cisco customers. Cisco has an excellent documentation on their proprietary Gateway Load Balancing Protocol.

How to Configure OSPF Step by Step
The Ultimate Guide to Understanding and Configuring OSPF

Figure 1.0 – Routed Network Design Firewall and Core Switch Configuration Setup (Click on Image to Zoom In)

Say no to something at least in your life and for us, we say no to end to end vlans focusing on configuring the routed enterprise campus network which is the enterprise network so much has been talked about. The Routed Enterprise Campus Network is the glorious loop free layer 3 routed campus design which keeps legacy layer 2 controls at bay. The likes of Spanning Tree Protocols do not have to be utilised to keep your network topology loop free. Routed networks is the answer to secured networking with much more control and segmentation abilities. Let us dive in to today’s article on Configuring the Routed Enterprise Campus Network. Let’s begin!

In this design, I have the following network devices;

The idea is to create a local vlan unique for each building with no reference of that vlan on the Core Switches allowing them to purely perform routing which keeps that core layer 3.

VLAN = Subnet = Closet

In the following configuration, I am on a Cisco Catalyst Switch and at the interface FastEthernet 1/1

How to configure a switchport as a routed port. The “no switchport” command makes the switch port converted to a routed port and that automatically enables IP Addressing. See the configuration example below;

SW1(config)# interface fastethernet 1/1
SW1(config-if)#no switchport
SW1(config-if)#ip address 1.1.1.6 255.255.255.252
SW1(config-if)#no shut

If you use a HP Platform, you will not be able to convert the switchport to a routed port and so this is what you do, you create a vlan with SVI for the uplinks like the following example;

Core Switch Configuration
The following configuration tells the Core Switch how to reach the Building 30 Subnet which is located via the 1.1.1.8/30 subnet.

vlan 2
   name "Downlink to Building 20"
   untagged 48
   ip address 1.1.1.9 255.255.255.252
   exit

Access Switch Configuration
This configuration tells the Access Switch to reach the Core Switch over the 1.1.1.8/30 subnet. Because HPE Aruba does not supported routed switchports, the interfaces participating in this interlink are placed in a dedicated vlan.

vlan 2
   name "Uplink to Core Switch A"
   untagged 48
   ip address 1.1.1.10 255.255.255.252
   exit

Figure 1.1 – Routed Network Design Access Switch to Core Switch Configuration Setup (Click on Image to Zoom In)

Figure 1.2 – Routed Network Design Access Switch Local VLANS to Core Switch Configuration Setup (Click on Image to Zoom In)

Join Me in this Lab as I completely configure a Routed Enterprise Campus Network
Let’s begin by configuring the firewall’s interfaces facing the following Inside and Outside security zones.

A quick breakdown of the interfaces and how they connect to their relevant uplinks

• interface GigabitEthernet1/8 – Outisde Zone (ISP)
• interface GigabitEthernet1/1 – Primary Core Switch
• interface GigabitEthernet1/2 – Secondary Core Switch

Cisco ASA 5506-X Firewall Configuration Steps

Configure interface GigabitEthernet1/8 – Outbound Uplink to ISP

!
interface GigabitEthernet1/8
 description "Outside Interface to BT ISP"
 nameif outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0
!

Configure interface GigabitEthernet1/1 – Downlink Interface to Core Switch A

!
interface GigabitEthernet1/1
 description "Downlink Interface to Core Switch-A  Interface"
 nameif primary-uplink
 security-level 100
 ip address 10.100.100.1 255.255.255.252
!

Configure interface GigabitEthernet1/2 – Downlink Interface to Core Switch B

!
interface GigabitEthernet1/2
 description "Downlink Interface to Core Switch-B  Interface"
 nameif secondary-uplink
 security-level 100
 ip address 10.200.200.1 255.255.255.252

Let’s enable SSH Access from our Private Network

crypto key generate rsa general-keys modulus 2048
username cisco password cisco
aaa authentication ssh console LOCAL
ssh version 2
ssh 172.0.0.0 255.0.0.0 primary-uplink

Configure Routes to the Internet and Internal Core Network Infrastructure

route outside 0.0.0.0 0.0.0.0 192.168.1.254 
route primary-uplink 172.16.0.0 255.255.0.0 10.100.100.2  1 <--[Metric 1]
route secondary-uplink 172.16.0.0 255.255.0.0 10.200.200.2 2 <--[Metric 2]

The above configuration lines addresses inter routing to and from the subnets behind the core switch infrastructure. Access Switch A has the Local VLAN Subnet 172.16.20.0/24 whereas Access Switch B has the Local VLAN Subnet of 172.16.30.0/24.

Remember that in a routed design, VLAN = Subnet = Closet

Network Object Group and NAT

!
object network primary-uplink
 subnet 10.100.100.0 255.255.255.252

object network secondary-uplink
 subnet 10.200.200.0 255.255.255.252

Configure Network Address Translation

nat (primary-uplink,outside) after-auto source dynamic any interface
nat (secondary-uplink,outside) after-auto source dynamic any interface

Core Switch A Configuration

Core-Switch-A# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  2       Downlink to Building 20          | Port-based No    No
  3       Downlink to Building 30          | Port-based No    No
  100     Data Center Infrastructure       | Port-based No    No
  111     Uplink to Edge Firewall for WAN  | Port-based No    No
 

Data Centre VLAN Configuration

vlan 100
   name "Data Center Infrastructure"
   untagged 37
   ip address 10.10.10.1 255.255.255.0
   exit

Uplink to Firewall

Core-Switch-A# show run vlan 111
Running configuration:
vlan 111
   name "Uplink to Edge Firewall for WAN"
   untagged 47
   ip address 10.100.100.2 255.255.255.252
   exit

Down-links to Access Switches

vlan 2
   name "Downlink to Building 20"
   untagged 48
   ip address 1.1.1.9 255.255.255.252
   exit
vlan 3
   name "Downlink to Building 30"
   untagged 46
   ip address 1.1.1.5 255.255.255.252
   exit

Configuring Default Routing to the Firewall

ip route 0.0.0.0 0.0.0.0 10.100.100.1

Configuring Layer 3 Routing to Local VLANS

Core-Switch-A# show run | inc ip rout
ip route 172.16.20.0 255.255.255.0 1.1.1.10 metric 2
ip route 172.16.30.0 255.255.255.0 1.1.1.6
ip routing
Core-Switch-A#

Core Switch B Configuration

Core-Switch-A# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

 VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  12      Uplink to Building 20            | Port-based No    No
  13      Uplink to Building 30            | Port-based No    No
  100     Data Center Infrastructure       | Port-based No    No
  101     Uplink to Firewall               | Port-based No    No
  121     Interlink Connection to Switch B | Port-based No    No

 

Uplink to Firewall

Core-Switch-A# 
vlan 101
   name "Uplink to Firewall"
   untagged 35
   ip address 10.200.200.2 255.255.255.252
   exit

Downlinks to Access Switches

vlan 12
   name "Uplink to Building 20"
   untagged 40
   ip address 2.2.2.9 255.255.255.252
   exit

vlan 13
   name "Uplink to Building 30"
   untagged 39
   ip address 2.2.2.5 255.255.255.252
   exit

Configuring Default Routing to the Firewall

ip route 0.0.0.0 0.0.0.0 10.200.200.1

Configuring Layer 3 Routing to Local VLANS

ip route 172.16.20.0 255.255.255.0 2.2.2.10 metric 2
ip route 172.16.30.0 255.255.255.0 2.2.2.6
ip routing

Building 20 Access Switch Configuration

Building-20(config)# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

 VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  2       Uplink to Core Switch A          | Port-based No    No
  12      Uplink to Core Switch B          | Port-based No    No
  20      Building 20 Data Network         | Port-based No    No



Building-20(config)#

Enable IP Routing and Default Route

ip route 0.0.0.0 0.0.0.0 1.1.1.9
ip route 0.0.0.0 0.0.0.0 2.2.2.9 metric 2

VLAN Infrastructure Design Configuration

vlan 2
   name "Uplink to Core Switch A"
   untagged 48
   ip address 1.1.1.10 255.255.255.252
   exit

vlan 12
   name "Uplink to Core Switch B"
   untagged 40
   ip address 2.2.2.10 255.255.255.252
   exit

vlan 20
   name "Building 20 Data Network"
   tagged 47
   untagged 1-12
   ip helper-address 10.10.10.100
   ip address 172.16.20.254 255.255.255.0
   exit

Building 30 Access Switch Configuration

Building-30(config)# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                             | Status     Voice Jumbo
  ------- -------------------------------- + ---------- ----- -----
  1       DEFAULT_VLAN                     | Port-based No    No
  3       Building 30 Uplink to Core A     | Port-based No    No
  13      Building 30 Uplink to Core B     | Port-based No    No
  30      Building 30 Data Network         | Port-based No    No

Enable IP Routing and Default Route

ip route 0.0.0.0 0.0.0.0 1.1.1.5
ip route 0.0.0.0 0.0.0.0 2.2.2.5 metric 2
ip routing

Show Local VLAN Brief

vlan 3
   name "Building 30 Uplink to Core A"
   untagged 46
   ip address 1.1.1.6 255.255.255.252
   exit

vlan 13
   name "Building 30 Uplink to Core B"
   untagged 39
   ip address 2.2.2.6 255.255.255.252
   exit

vlan 30
   name "Building 30 Data Network"
   untagged 1-12
   ip helper-address 10.10.10.100
   ip address 172.16.30.254 255.255.255.0
   exit

Perform Tests from Workstation

Download Full Working Configurations

1. Access Switch Building 20
2. Access Switch Building 30
3. Core Switch A
4. Core Switch B
5. Firewall

See what Cisco has to say on the topic Configuring the Routed Enterprise Campus Network.

Other Related Articles:

Understanding VLANS for CCNP Switch
IEEE 802.1X Authentication and Dynamic VLAN Assignment with NPS Radius Server

Technologies Used In Our Scenario today to deploy Network Device Management with RADIUS Authentication using Windows NPS are the following;

Network Equipment

• HP Aruba 2920
• Cisco Catalyst 2960
• Cisco ASA 5505 Firewall

You have heard many say AAA is the best security model for user access and management to network devices. Well, it is and as a good professional practice, securing network devices using the Triple A process meets many best security practices of our day.

Authentication

Authentication is the first process which provides a way of identifying a user ho requires access to network resource, typically by having the user enter a valid user name and password before access is granted. The process of authentication relies on each user requiring access to having a unique set of criteria for gaining the appropriate access desired. The AAA server which in our case is the Microsoft Network Policy Server compares a user’s authentication credentials with the user credentials stored in a database which in our case is the Windows Active Directory. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.

Authorisation

Now that the user has been successfully authenticated, a user must gain authorisation for doing certain tasks. After logging into a network device for instance, the user may try to issue commands. The authorisation process determines whether the user has the authority to issue such commands. Authorisation simply is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorisation occurs within the context of authentication. Once you have authenticated a user, they may be authorised for different types of access or activity.

Accounting

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorisation, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS) which we have used the Microsoft NS server for in our deployment.

Network Device Management with RADIUS Authentication using Windows NPS Step by Step Guide.

Step 1: Configure Active Directory Infrastructure

Specify Name for Security Group

Add Network Administrators to Group Created

Configure NPS Server : IEEE 802.1X Authentication and Dynamic VLAN Assignment

Step 2: Configure RADIUS Infrastructure

Create RADIUS Client

Create RADIUS Client and Enable RADIUS Standard

Create Network Policy

Create Policy – Conditions

Then, in the Network Policies section create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group, which members can get authentication (the accounts of the network administrators are in the AD Network Admins group in our example). The second condition, Authentication Type, is to select PAP as the authentication protocol.

Then in the Configure Authentication Methods window, uncheck all authentication types, but for Unencrypted authentication (PAP. SPAP).

Create Policy Constraints – Authentication Methods

Create Policy Constraints – NAS Port Type Virtual(VPN)

Create Policy Settings – Standard Attributes

Framed-Protocol: PPP
Service-Type: Administrative

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Network Policy – NAP Enforcement and Auto Remediation

Network Policy Overview

Network Policy Condition

Condition      Value
------------   ---------------------
Windows Groups: Domain\Security Group
Authentication Type: PAP

Network Policy Settings

Create Connection Request Policy

Connection Request Policy Conditions NAS Port Type Virtual VPN

Step 3: Configure Network Devices for RADIUS Authentication

For Cisco Devices – Create a Network Policy like the above but additionally include the following setting.

Under Vendor Specific we need to add to a Cisco-AV Pair to tell the router to go to privilege level 15, select next when you add the “shell:priv-lvl=15” in the Cisco-AV.

shell:priv-lvl=15 

Configuring AAA on Cisco IOS

aaa new-model
radius-server host 172.16.4.192 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface Vlan124
line con 0
line vty 0 4
line vty 5 15

Configuring AAA for Cisco ASA

aaa-server RADIUS protocol radius
aaa-server RADIUS host 172.16.4.192 key YOUR_SECRET_KEY
radius-common-pw YOUR_SECRET_KEY
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

Enable and Specify RADIUS Authentication Server

radius-server host 172.16.4.192 key "YOUR_SECRET_KEY" acct-port 1646 auth-port 1645
radius-server retransmit 2

Enable SSH Login via RADIUS

aaa authentication ssh login radius local
aaa authentication ssh enable radius local

Enable Web Login via RADIUS

aaa authentication web login radius
aaa authentication web enable radius
aaa authentication web-based peap-mschapv2

Enable Authentication and Accounting Parameters

aaa accounting commands interim-update radius
aaa authentication num-attempts 7
aaa authentication login privilege-mode

PS: The following command is what will get everything working for you as without it; you will get the error below;

Access denied: no user’s authorization info supplied by the RADIUS server

Golden Command to allow SSH Sessions to Switch

aaa authorization commands none

Verify and Troubleshoot

Check Switch RADIUS Authentication

Aruba-Edge-Switch# show radius authentication

 Status and Counters - RADIUS Authentication Information

  NAS Identifier           : Aruba-Edge-Switch
  Invalid Server Addresses : 0
                  UDP
  Server IP Addr  Port  Timeouts   Requests   Challenges Accepts    Rejects
  --------------- ----- ---------- ---------- ---------- ---------- ----------
  172.16.4.192    1645  0          66         0          47         19

Check Recent SSH Logins

Aruba-Edge-Switch# show authentication last-login
Username             Priv  Last Login           Last Login IP Address    
--------------------------------------- -----  -------------------
--------------------------------------- -----  -------------------
 esmith             Mgr   2019-03-21 13:18:28  172.16.122.120
 jarif              Mgr   2019-03-21 09:56:57  172.16.122.196
 rjenson            Mgr   2019-03-21 13:52:40  172.16.122.109
 dplomar            Mgr   2019-03-21 10:51:28  172.16.122.109

On Microsoft NPS Server 2012 R2 – Launch Events Viewer

Check Authentication Informational Log Reporting

Check Event Logs

Network Policy Server granted access to a user.

User:
	Security ID:			MercuryLabs\soppong
	Account Name:			soppong
	Account Domain:			MercuryLabs
	Fully Qualified Account Name:	MercuryLabs\soppong

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:	-
	Calling Station Identifier:	172.16.122.109

NAS:
	NAS IPv4 Address:		172.16.122.19
	NAS IPv6 Address:		-
	NAS Identifier:			Aruba-Edge-Switch
	NAS Port-Type:			Virtual
	NAS Port:			-

RADIUS Client:
	Client Friendly Name:		Aruba-Switch-Auth-Corp
	Client IP Address:		172.16.122.19

Authentication Details:
	Connection Request Policy Name:	Aruba-Switch-Access
	Network Policy Name:		Aruba-Switch-Corp-Policy
	Authentication Provider:	Windows
	Authentication Server:		NPS-Server.expertnetworkconsultant.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:	-
	Logging Results:		Accounting information was written to the local log file.

Quarantine Information:
	Result:				Full Access
	Session Identifier:		-

I hope you have enjoyed this article on Network Device Management with RADIUS Authentication using Windows NPS.

Follow the following links for further understanding of the topic:

• Cisco
• Microsoft