Design & configuration for fixed port 802.1x authentication via the Hyper-V switch

Introduction

In this article, I share my first design & configuration for fixed port 802.1x authentication via the Hyper-V switch. This is geared especially toward developers and engineers. These are a mixture of internal staff and contractors, using AD joined as well as BYOD clients. The gist of this article is actually you need to learn about networking, 802.1x, RADIUS/NPS. You can just consider the Hyper-V switch as an unmanaged switch in most scenarios here.

In a previous blog 802.1x Support with the Hyper-V switch is here!, I shared how you can now enable 802.1x for use with the Hyper-V switch in Windows 10 1809 and Windows Server 2019 or later. Note that this a requirement for the Hyper-V host only, lower OS versions of the guests are fine.

Enabling is as simple as adding a registry key and rebooting the host.

Reg add “HKEY_LOCAL_MACHINE\SYSTEM\CURRENTControlSet\Servcices\vmsmp\parameters” /v 8021xEnabled /t REG_DWORD /d 1 /f

The existing situation

In the HQ and branch offices there are VLANs for AD joined fixed port clients, AD joined Wi-Fi clients (SSID CORP-WIFI), and a guest VLAN for non-authenticated device both on Wi-Fi (SSID GUEST-WIFI) and fixed ports. These VLANs are untagged and are on physical access ports (authenticated, i.e. AD joined and non-authenticated, i.e. non-AD joined) on the switch. Or they are different SSID on the WAP.

When a non-authenticated client connects to an authenticated port, Radius authentication fails but the port and as such the client is given access to the guest VLAN. It’s functionally the same as for the unauthenticated ports on guest VLAN.

There are also ports that are authenticated and will not provide guest VLAN access but discard the traffic or even shut down the port when authentication fails. These are in more security-focused parts of the branch offices.

The goal

We wanted to have this functionality available to the developers running Hyper-V. It needs to work for both authenticated and non-authenticated physical clients as well as VMs. Also, we need to provide a solution for when the host has only one NIC (physical or wireless) or multiple (1 or more physical, more wireless). In the case of a desktop with only one NIC, the management vNIC has to authenticate for the host as well as for the VMs.

When you have a wireless NIC such as laptops this also works (bridge). When you dedicate a docking station ethernet port for the vSwitch you’re good to go as well but can also use wireless for the host and the physical NIC for the vSwitch. The same principles work both with AD joined and non-AD joined physical clients. This has been an issue with Hyper-V as the vSwitch did not support EAPoL and authentication was impossible.

The design and configuration

The lay of the land

I have this running in the lab with various PowerConnect switches. These are older 2800 and 5400 series as well as the 5500 series and the N2000 series. It is also in production at one organization with the 5500 series and soon also one with N2000 series.

A functional 802.1x infrastructure for both wired and wireless clients is assumed. This is not an article about configuring that. Many of you have the CA/PKI, NPS/RADIUS, GPO (cert auto enroll, wired/wireless client config) running. I have it in the lab and it’s based on computers certs as well as in production environments. If you don’t, you’ll need to take care of that first.

My lab NPS/radius reauthenticating my guest VM on a Windows 10 1809 Hyper-V host every 5 minutes (for demo purposes). Note the dynamic VLAN assignment in the NPS network policy.

Considerations

There are multiple ways to achieve a solution. The idea, however, is to avoid anything but access ports toward clients unless unavoidable. So, no trunk, general or however you preferred vendors call it.

To achieve our goals, we configure the physical switch ports as follows:

  • We need to multi-session authentication (we have multiple devices attached to one port that all need to and must authenticate or fail. This does mean there is no option to shut down that port on failure.
  • We leverage dynamic VLAN association (NPS Policy) to move successfully authenticated ports into the corporate VLAN.
  • We leverage the guest VLAN to move unauthenticated ports into so those devices get minimal network access and internet connectivity. This can be a dedicated VLAN for that purpose. Call it what you want (Quarantine, VM-Guest, Isolated).
  • The switch port mode remains in access mode and is not in general/trunk/hybrid mode. Now depending on the switch that might not be possible. In the old budget PowerConnect 2808, the port is in general mode actually and you configure trunk or access via PVID and untagged/tagged allowed VLANs. Let’s keep it simple here, whatever goes on behind the scenes we don’t configure the port as a trunk or so for this unless we really have to.
  • It avoids having to use an unauthenticated VLAN per se (which would involve tagging and I don’t want to go there with the developers).
  • This approach leverages what is already there and requires only port reconfiguration as needed for 802.1x
  • If we need to disable port auth for troubleshooting RADIUS you can opt to either put the access port on the guest or even (whatever suits the needs better and is allowed) on the corporate VLAN by default.

Dynamic VLAN assignment & RADIUS/NPS policies rock here!

But based on the group membership I can give the Hyper-V Host or VM attached to the vSwitch going to that port a different VLAN via Dynamic VLAN assignment in the RADIUS network policies. You can get creative here (infra, dev, test, acceptance, …. they can be in different VLANs when required). Below is lab implementation of a scenario where people bring their own client with Hyper-V. When they need VMs that authenticate with AD that is possible while other VMs get a guest network assigned

I offer this to both internal and external employees now and reduce dependencies on workarounds, physical security and “hope” nothing bad connect to the wire. This is a sweet setup for freelancers, contractors, consultants & employees alike. Combine this with Veeam Agent for Windows 3.0 to protect your client Hyper-V host and VMs. Sweet! It has been a driving factor to upgrade for some of them.

Conclusion

802.1x via the Hyper-V switch works very well. The intricacies are the same as with 802.1x in a purely physical environment that has a mix of managed/non-managed switches going to clients. I’ll repeat myself here and state the same as I did in my other blog post. The point is you’ll have to wrap your head around port authentication with 802.1x and its various options, permutations on the switches and radius servers.

I normally deal with Windows NPS for the radius needs and the majority of my sites have DELL campus switches. But I find my way around any other model as well both big and small names.

Depending on the needs of the users (developers, IT Pros, engineers) for your VMs you will have to configure port authentication a bit differently and you’d better either own that network or have a willing and able network team to work with. Where this is running in production POC I’m in charge of the entire stack so I can move fast, effective, efficient and offer great value for money. One week after 802.1x support with the Hyper-V switch going public. That is agility, that is speed, that is IT at its best.

Speaking at Cloud & Datacenter Conference Germany 2019 and the pre-day

I’m happy to share I have a talk on SMB Direct and RDMA at the Cloud & Datacenter Conference Germany 2019. I’m also speaking for the Hyper-V and Hybrid community Germany the day before the conference where we introduce our first experiences with Persistent Memory (PMEM). This will drive home, more than ever, the need for high speed, low latency and offloaded networks. I am looking forward to seeing you there and I’m honored Carsten is having me over again for this best of breed conference!

Register here: https://www.cdc-germany.de/

There is still time to register for both events if you’d like to attend. Please so do here
https://www.cdc-germany.de/ for the Cloud & Datacenter Conference Germany 2019.

Spline

Back in 2010, I introduced the first 10Gbps networking into my solutions. Cost effective and focused on single rack needs. I built my first Leaf-Spine based network somewhere in 2011-2012. Nothing major, but it did lead to the most cost-effective and efficient redundant 10Gbps network in every rack. The solution enabled cross rack and cross row connectivity (3 rows of 3 racks). As we were prepping for Windows Server 2012 we made sure we had DCB in that design covered. We loved it.

We isolated all the needs of the ops team from corporate networking to enable them “to own the stack”. Ops remained the owner of the entire stack. Network, storage, virtualization, data protection, core infrastructure etc. That meant we could do RoCE right and got the networking done at a great value for money ratio. Owning the stack has always been the way to avoid expensive silos. The only people who didn’t like it were those that made money or derived political power by controlling resources. We got shit done fast, efficient and effective at prices well below what people paid for a lot less “service”.

The leaf-spine design has remained a favorite of mine. Perfection is not of this world leaf-spine has challenges just like anything, but that doesn’t distract from the usability to build great solutions. One challenge that always remains is real fair load balancing, congestion, blocking … Depending on your size with a decent deployment you might never know of these challenges let alone how they are solved. With the extension of the network to the clouds, it remained a solid choice in a hybrid world. It also formed the basis for more cloud-like network designs on-premises. Some variations on leaf-spine exist and design choices depend on the context, needs, and possibilities.

Somewhere in those years the term “spline” made its appearance in the leaf-spine world and I was puzzled for a moment. What is a Spline? Is nothing more than the smallest possible form of a leaf-spine in a single tier, which is quite popular as it can integrate into existing environments by itself and enable scenarios some big corporations network team won’t or can’t ever enable. Basically, what I did in the early days to get 10Gbps into existing environments without too much pushback. So, it’s both a technical solution and a diplomatic tool as well as a nice marketing term.

What is Spline?

As said, a Spline is nothing more than the smallest possible form of a leaf-spine. That comes down to only 2 switches in a single tier. In this single tier, these 2 switches combine the roles of the leaf and spine, hence the name “Spline”. This is a nice marketing term for two small switches with ample of ports & bandwidth for a small sized deployment were leaf-spine would be overkill and cost prohibitive.

The switches are 1 or maximum 2 units high-density multi-rate devices. This could be anything between 1/10/25/40/50/100 Gbps depending on the model and vendors, available modules and cables used. It’s a viable choice for smaller deployments when one can have some margin for growth and wiggle room.


Mellanox SN2010 & SN2100 are prime example of great switches for a Spline


The modular DELL S6100 ON is another example of a switch to build splines with.

A single tier provides for the lowest latency possible by definition, no tiers need to be crossed – it doesn’t get any better. Predictable (it is always the same) distance and bandwidth is there as, again, there are no tiers to cross.

You can use layer 2 (MLAG, VLT, vPC) or layer 3 (ECMP) interlinks. You don’t lose any flexibility or options here. As such, it will work with traditional virtualization, containers, HCI and with Routing on Host, network virtualization.

What you lose is scale out. You need the leaf-spine to scale out bandwidth and port count in a flexible way. You can scale up by using bigger switches.

Top use cases for spine

Actually, many smaller solutions probably use a “spine” with layer 2 networking for S2D deployments. It’s easy to get 1 to 4 of S2D clusters in a rack depending on the size of the clusters and the number of ports & bandwidth in the switches. With 2 redundant smaller switches that don’t take up more than 1 or 2 units to provide them with ample 25Gbps ports or 100Gbps port you can split up to your needs.


Another prime candidate for a spline is StarWind their storage solutions. They have great offerings for varied needs and don’t force every need into the one type fits all solution of HCI. But in the end, you can use them in any environment where you need lots of bandwidth, high throughput, and low latency.

When and where I don’t like Spine

I don’t like large Spines. They are the same old story with potentially huge chassis switches that bring back all the drawbacks but they have been flattened into a single tier. They are prohibitively expensive, so normally there’s only 2 with a huge amount of ports leading to cabling expenses and logistical issues depending on the data center you’re in. Upgrading one of those 2 huge chassis switches tend to bring down a large part of your network (potentially half) and carries a greater risk. So, we’re back to why leaf-spine became so popular and remains popular.

When I look at it from a reverse perspective it’s like someone took a 1 rack or one deployment stamp design and created a giant version of it. All this in an attempt to scale it up instead of out. In reality, it was probably giant switches looking for a new sales pitch. It might work for some, but I would not design a solution based on this. It might have a familiar look and feel to some people but I never liked them very much, design-wise, concept-wise, money wise … but that’s me. Where you can use them if you have the appetite for that is in client networking. Still not a big fan but hey that’s where I tolerate stacks when needed (limited uplinks) as it doesn’t impact 24/7 operations as much and the clients accept the downtime & risk.

Conclusion

A spline is a great design for a rack-sized deployment. In a pinch you can cross racks or even rows but the cabling of that all can become costly. Depending on what’s allowed and possible in your data-center it might not even be an option. Pro Tip: choose your location wisely and never ever tolerate the one size fits all approach of a hosting provider, corporate network team or co-loco. That basically always means they are optimizing for their needs and budgets, not yours.

When using bigger deployments or where growth is very likely, I go for small leaf-spine deployments instead of scaled-up splines.

A Spline can be converted into part of a leaf-spine, so it allows for change and evolution in your network, you normally won’t lose your investment.

What I do not like about spline is when it is used to leverage those huge chassis switches again. It brings all the drawbacks in cost, lack of scale-out, limited redundancy and higher risk back into the picture. Simply flattening a bad idea in a single tier doesn’t make it great.

Leaving Seattle after the MVP Summit

Leaving Seattle after the MVP Summit

I’m at the airport right now, waiting for my next flight, as I am leaving Seattle after the MVP Summit. It was a blast and I got to meet up with very talented, experienced and driven people once more. Thank you all for the very warm welcome and the care you took of us during our week here.

We discussed technology and business all day long at length and in depth. On to of that we provided feedback on the good, the bad and the ugly as we see it in real life. We got briefed and asked for our insights and input on a variety of trends in both business and technology. Since the content of the MVP Summit is strictly under NDA you will not find out anything about the content. Which begs the question, where is the value?

Where is the value?

For an MVP the value lies in the fact that the MVP Summit helps us become very well connected professionals with a global network of experts. We can leverage this network to learn and grow, get help and help others out. In this modern and connected technology-driven world no one exists and grows in isolation. It is fun to see ourselves progress as well as see new blood join us and grown at an amazing rate. It gives me faith that the future influx of talent is secured.

MVPs put in a lot of effort in lifelong learning and developing skills in both existing and emerging technologies. When you like to learn, this is a fun thing to do. As an employer, you get to tap into that pool of talented both directly and indirectly. When you have such talent, support it, give it room to grow. You’ll have allies for life even if they move on. Intrinsic motivation is the best there is, and you’d be downright silly not to leverage this. The cost is is perhaps 3 to 4 days of expert consulting and as such basically, a non-issue if you’re smart about it.

Tapping into that talent

That value MVPs provide is available to those that employ and hire us. To the management that hires smart people and listens to them. Those that let talent, professional drive and skills thrive. Organizations, where good ideas and result driven approaches are valued, will thrive and outperform those run by politics. Those are the places were talent is welcomed and can shine. Most MVPs work in such companies or actually run their own companies to make sure their talent can be put to use.

For now, I am continuing my journey of investing in myself and tlearning by collaborating with to some of the top players, small and large, in hardware and software in a very diverse hybrid world. I will be sharing what I learn along the way in life Belgium, Holland, Germany, Slovakia, … in persons. And, thanks to the connected global community, with anyone that joins our community efforts online.

Conclusion

If you have an employee that gets awarded Microsoft MVP, take note. These people are in your talent pool! That is very good news. Support them, retain them, value them and their efforts. These profiles are not readily available, hard to attract and harder to retain. Not because they are over demanding spoiled people, but because they love what they do, are smart and realize when their efforts are not appreciated, recognized or rewarded. Take care of your talent and they will take care of your business. It is not a one-way street.