802.1x
Contents
1. Device Roles
- Client – aka “The Supplicant” – The client device that connects to the network. It must rung an 802.1x compliant software
- Authentication Server – performs the actual authentication based on the client credentails.
- Switch – aka “The authenticator” – acts as a proxy between the Client and the Authentication Server.
2. Authentication Process
- If the client has valid credentials, the switch grants the client access to the network
- If the Authentication Server times out the switch can use MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network
- If the authentication fails, the switch can give the client reduced access to the network, by adding it to a special Guest VLAN
3. Set up 802.1x
3.1 Global Config
- Enable aaa authentication:
Sw(config)# aaa new-model
- Create a radius authentication method for dot1x authentication
Sw(config)# aaa authentication dot1x [default] group radius
- Enable dot1x authentication
Sw(config)# dot1x system auth-control
- Optionally, enable support for per-user ACL or VLAN Assignment
Sw(config)# aaa authorization network [default] group radius
- Set up the radius server:
Sw(config)# radius-server host IP-ADDR Sw(config)# radius-server key SECRET
3.2 Interface Config
Set the interface as static access
Sw(config-if)# switchport mode access
Enable dot1x authentication per port with either command:
Sw(config-if)# authentication port-control auto ! Or Sw(config-if)# dot1x port-control auto
By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:
Sw(config-if)# authentication host [multi-auth|multi-domain|multi-host|single-host] ! or Sw(config-if)# dot1x host-mode [multi-domain|multi-host|single-host]
- multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated
- multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN
- multi-host: allows multiple clients on the port after one host has been authenticated
- single-host: allows only 1 client on the port
3.3 Guest VLAN
In single-host or multiple-hosts mode, when the server does not receive a response to its EAP packets, it considers the hosts are not 802.1x capable and it allows them to join a Guest VLAN.
Sw(config-if)# dot1x guest-vlan VLAN-ID
3.4 Restricted VLAN
In single-host mode, when a 802.1x compliant host fails authentication, it is assigned to a Restricted VLAN
Sw(config-if)# authentication event fail authorize VLAN-ID ! or Sw(config-if)# dot1x auth-fail vlan VLAN-ID Sw(config-if)# dot1x auth-fail max-attempts MAX ! Default: 3 attempts before the host is moved to the restricted VLAN
3.5 MAB – MAC Authentication Bypass
On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.
Sw(config-if)# mab [eap|timeout activity SEC]
3.6 Violation Modes
When a new device connects to a 802.1x enabled port and the maximum number of allowed devices have already been authenticated, the port acts according to the following command:
Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace} ! or Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}
- shutdown: puts the port in errdisabled mode.
- shutdown vlan: shuts down only the offending VLAN
- restrict: generates a syslog message
- protect: drops packets from the offending host
- replace: removes the current session and authenticates with the new host
Leave a Reply