802.1x - nyquist.eu

Contents

1. Device Roles
2. Authentication Process
3. Set up 802.1x

1. Device Roles

Client – aka “The Supplicant” – The client device that connects to the network. It must rung an 802.1x compliant software
Authentication Server – performs the actual authentication based on the client credentails.
Switch – aka “The authenticator” – acts as a proxy between the Client and the Authentication Server.

2. Authentication Process

If the client has valid credentials, the switch grants the client access to the network
If the Authentication Server times out the switch can use MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network
If the authentication fails, the switch can give the client reduced access to the network, by adding it to a special Guest VLAN

3. Set up 802.1x

3.1 Global Config

Enable aaa authentication:
```
Sw(config)# aaa new-model
```
Create a radius authentication method for dot1x authentication
```
Sw(config)# aaa authentication dot1x [default] group radius
```
Enable dot1x authentication
```
Sw(config)# dot1x system auth-control
```
Optionally, enable support for per-user ACL or VLAN Assignment
```
Sw(config)# aaa authorization network [default] group radius
```

Set up the radius server:

Sw(config)# radius-server host IP-ADDR
Sw(config)# radius-server key SECRET

3.2 Interface Config

Set the interface as static access

Sw(config-if)# switchport mode access

Enable dot1x authentication per port with either command:

Sw(config-if)# authentication port-control auto
! Or 
Sw(config-if)# dot1x port-control auto

By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:

Sw(config-if)# authentication host [multi-auth|multi-domain|multi-host|single-host]
! or
Sw(config-if)# dot1x host-mode [multi-domain|multi-host|single-host]

multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated
multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN
multi-host: allows multiple clients on the port after one host has been authenticated
single-host: allows only 1 client on the port

3.3 Guest VLAN

In single-host or multiple-hosts mode, when the server does not receive a response to its EAP packets, it considers the hosts are not 802.1x capable and it allows them to join a Guest VLAN.

Sw(config-if)# dot1x guest-vlan VLAN-ID

3.4 Restricted VLAN

In single-host mode, when a 802.1x compliant host fails authentication, it is assigned to a Restricted VLAN

Sw(config-if)# authentication event fail authorize VLAN-ID
! or
Sw(config-if)# dot1x auth-fail vlan VLAN-ID
Sw(config-if)# dot1x auth-fail max-attempts MAX
! Default: 3 attempts before the host is moved to the restricted VLAN

3.5 MAB – MAC Authentication Bypass

On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.

Sw(config-if)# mab [eap|timeout activity SEC]

3.6 Violation Modes

When a new device connects to a 802.1x enabled port and the maximum number of allowed devices have already been authenticated, the port acts according to the following command:

Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace}
! or
Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}

shutdown: puts the port in errdisabled mode.
shutdown vlan: shuts down only the offending VLAN
restrict: generates a syslog message
protect: drops packets from the offending host
replace: removes the current session and authenticates with the new host