802.1x
Device Roles
Client – aka “The Supplicant” – The client device that connects to the network. It must run 802.1x-compliant software.
Authentication Server – performs the actual authentication based on the client credentials.
Switch – aka “The Authenticator” – acts as a proxy between the Client and the Authentication Server.
Authentication Process
With 802.1x, when a host connects to the physical port, the port is still in an "Unauthorized" state and will not pass any data until it changes to an "Authorized" state.
If the client has valid credentials, the switch grants the client access to the network.
If the Authentication Server times out, the switch can use the MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network.
If the authentication fails, the switch can give the client reduced access to the network by adding it to a special Guest VLAN.
Set up 802.1x
Global Config
Enable aaa authentication:
Create a radius authentication method for dot1x authentication
Enable dot1x authentication
Optionally, enable support for per-user ACL or VLAN Assignment
Set up the radius server:
Interface Config
Set the interface as static access
Enable dot1x authentication per port with either command:
By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:
multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated.
multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN.
multi-host: allows multiple clients on the port after one host has been authenticated.
single-host: allows only 1 client on the port.
Guest VLAN
In single-host or multi-host mode, when the server does not receive a response to its EAP packets, it considers the hosts not 802.1x capable and allows them to join a Guest VLAN.
Restricted VLAN
In single-host mode, when an 802.1x-compliant host fails authentication, it is assigned to a Restricted VLAN.
MAB – MAC Authentication Bypass
On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.
Violation Modes
When a new device connects to an 802.1x-enabled port and the maximum number of allowed devices has already been authenticated, the port acts according to the following command:
shutdown: puts the port in errdisabled mode.
shutdown vlan: shuts down only the offending VLAN.
restrict: generates a syslog message.
protect: drops packets from the offending host.
replace: removes the current session and authenticates with the new host.
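A complete Cisco IOS configuration that walks through the global and interface steps above (host mode, Guest VLAN, Restricted VLAN, MAB and violation mode), added here as an example and not taken from the original notes; the interface name, VLAN numbers, RADIUS server name and address, and the shared-secret placeholder are assumptions.

```cisco
! Constructed example: interface, VLAN numbers, RADIUS address and key are placeholders
! --- Global configuration ---
aaa new-model
! RADIUS method list used for dot1x authentication
aaa authentication dot1x default group radius
! Optional: let the RADIUS server assign a per-user VLAN or ACL
aaa authorization network default group radius
radius-server vsa send authentication
! Enable 802.1x globally
dot1x system-auth-control
! The Authentication Server
radius server AUTH-SERVER-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! --- Interface configuration ---
interface GigabitEthernet1/0/5
! static access port (802.1x is not applied to trunk or dynamic ports)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
! switch takes the authenticator role; "dot1x port-control auto" is the older equivalent
 dot1x pae authenticator
 authentication port-control auto
! one phone on the voice VLAN plus one PC on the data VLAN
 authentication host-mode multi-domain
! try 802.1x first, then fall back to MAC Authentication Bypass
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
! no EAP response (host not 802.1x capable) -> Guest VLAN 20
 authentication event no-response action authorize vlan 20
! 802.1x authentication failure -> Restricted VLAN 30
 authentication event fail action authorize vlan 30
! extra host beyond the host-mode limit: log it, keep the port up
 authentication violation restrict
```

Verify the result with `show authentication sessions interface GigabitEthernet1/0/5` and `show dot1x interface GigabitEthernet1/0/5`; a host that lands in VLAN 20 or 30 should appear there with the corresponding authorization reason.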