802.1x
- Client – aka “The Supplicant” – The client device that connects to the network. It must rung an 802.1x compliant software
- Authentication Server – performs the actual authentication based on the client credentails.
- Switch – aka “The authenticator” – acts as a proxy between the Client and the Authentication Server.
With 802.1x, when a host connects to the phyisical port, the port is still in an "Unauthorized" state and will not pass any data until it changes to an "Authorized" state.
- 1.If the client has valid credentials, the switch grants the client access to the network
- 2.If the Authentication Server times out the switch can use MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network
- 3.If the authentication fails, the switch can give the client reduced access to the network, by adding it to a special Guest VLAN
- 1.Enable aaa authentication:Sw(config)# aaa new-model
- 2.Create a radius authentication method for dot1x authenticationSw(config)# aaa authentication dot1x [default] group radius
- 3.Enable dot1x authenticationSw(config)# dot1x system auth-control
- 4.Optionally, enable support for per-user ACL or VLAN AssignmentSw(config)# aaa authorization network [default] group radius
- 5.Set up the radius server:Sw(config)# radius-server host IP-ADDRSw(config)# radius-server key SECRET
Set the interface as static access
Sw(config-if)# switchport mode access
Enable dot1x authentication per port with either command:
Sw(config-if)# authentication port-control auto
! Or
Sw(config-if)# dot1x port-control auto
By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:
Sw(config-if)# authentication host [multi-auth|multi-domain|multi-host|single-host]
! or
Sw(config-if)# dot1x host-mode [multi-domain|multi-host|single-host]
- multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated
- multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN
- multi-host: allows multiple clients on the port after one host has been authenticated
- single-host: allows only 1 client on the port
In single-host or multiple-hosts mode, when the server does not receive a response to its EAP packets, it considers the hosts are not 802.1x capable and it allows them to join a Guest VLAN.
Sw(config-if)# dot1x guest-vlan VLAN-ID
In single-host mode, when a 802.1x compliant host fails authentication, it is assigned to a Restricted VLAN
Sw(config-if)# authentication event fail authorize VLAN-ID
! or
Sw(config-if)# dot1x auth-fail vlan VLAN-ID
Sw(config-if)# dot1x auth-fail max-attempts MAX
! Default: 3 attempts before the host is moved to the restricted VLAN
On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.
Sw(config-if)# mab [eap|timeout activity SEC]
When a new device connects to a 802.1x enabled port and the maximum number of allowed devices have already been authenticated, the port acts according to the following command:
Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace}
! or
Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}
- shutdown: puts the port in errdisabled mode.
- shutdown vlan: shuts down only the offending VLAN
- restrict: generates a syslog message
- protect: drops packets from the offending host
- replace: removes the current session and authenticates with the new host
Last modified 6mo ago