↪️
ccie.nyquist.eu
  • Table of Contents
  • Layer 2 Technologies
    • Ethernet Switching
      • L2 Switch Operations
      • Spanning Tree
        • 802.1d – STP
        • 802.1w – RSTP
        • 802.1s – MSTP
      • VTP 101
      • Private VLANs
      • VLANs
      • EtherChannel 101
    • Layer 2 WAN Protocols
      • HDLC
        • HDLC 101
      • PPP
        • PPP 101
        • PPP Authentication - PAP
        • PPP Authentication – CHAP
        • PPP Authentication – EAP
        • PPP Multilink
        • PPPoFR – PPP over Frame Relay
        • PPPoE – PPP over Ethernet
      • Frame Relay
        • Frame Relay 101
        • Frame Relay 102
        • Frame Relay Encapsulations – IETF vs Cisco
        • Multilink Frame Relay
        • Frame Relay Switching
        • Routing over Frame Relay
      • Bridging
        • Bridging on a router
        • MTU 101
    • Wireless
      • Wireless Principles
      • Wireless Implementations
      • Wireless Roaming
      • Wireless Authentication
        • WPA2 PSK
        • WPA2 802.1X
  • IPv4
    • IPv4 Addressing
      • Backup Interfaces
      • FHRP 101
      • DHCP 101
      • DNS 101
      • ARP 101
      • IPv4 101
      • Tunnel Interfaces
        • GRE Tunnels
      • BFD – Bidirectional Forwarding Detection
    • IPv4 Routing
      • How the routing table is built
        • How CEF works
        • Routing Order of Operations
        • NSF – Non Stop Forwarding
      • RIP
        • RIP 101
      • EIGRP
        • EIGRP 101
        • EIGRP Metric
        • More EIGRP Features
      • OSPF
        • OSPF 101
        • OSPF Areas
        • OSPF LSAs
        • OSPF Mechanics
      • IS-IS
        • IS-IS 101
        • IS-IS Mechanics – CLNP
      • BGP
        • BGP 101
        • BGP Attributes
        • More BGP
      • Route Redistribution
      • Policy based Routing
      • PfR 101 – Perfromance Routing
      • ODR
  • IPv6
    • IPv6-101
    • IPv6 Routing
    • Interconnecting IPv6 and IPv4
  • MPLS
    • MPLS 101
    • MPLS L3 VPN
  • Multicast
    • Multicast 101
    • PIM 101
    • IGMP 101
    • Inter Domain Multicast
    • IPv6 Multicast
    • Multicast features on switches
  • Security
    • NAT 101
    • NAT for Overlapping Networks
    • ACLs 101
    • ACLs 102
    • Cisco IOS Firewall
    • Zone Based Firewall
    • AAA 101
    • Controlling CLI Access
    • Control Plane
    • Switch Security
      • Switchport Traffic Control
      • Switchport Port Security
      • DHCP Snooping and DAI
      • 802.1x
      • Switch ACLs
    • IPSec VPN 101
      • IKE / ISAKMP 101
      • IPSEC Crypto Maps 101
      • IPSEC VTI 101
      • DMVPN 101
    • EAP 101
  • Network Services
    • NTP 101
    • HTTP 101
    • File Transfer 101 – TFTP & FTP
    • WCCP 101
  • QoS
    • QoS 101
    • Classification and Marking
    • Congestion Management
      • Legacy Congestion Management
      • SPD – Selective Packet Discard
      • CBWFQ
      • IP RTP Priority
    • Congestion Avoidance – WRED
    • Policing and Shaping
      • CAR 101
    • Compression and LFI
      • Header and Payload Compression
      • LFI for MultiLink PPP
    • Frame Relay QoS
      • Per VC Frame Relay QoS
    • RSVP 101
    • Switching QoS
  • Network Optimization
    • NetFlow 101 – TNF – Traditional NetFlow
    • NetFlow 102 – FNF – Flexible NetFlow
    • IP SLA 101
    • IP Accounting 101
    • Logging 101
    • SNMP and RMON 101
    • Cisco CLI Tips and Tricks
    • AutoInstall
    • Enhanced Object Tracking
    • Troubleshooting 101
    • SPAN, RSPAN, ERSPAN
  • Network Architecture
    • Hierarchical Network Architecture
    • SD Access
    • SD WAN
Powered by GitBook
On this page
  • Device Roles
  • Authentication Process
  • Set up 802.1x
  • Global Config
  • Interface Config
  • Guest VLAN
  • Restricted VLAN
  • MAB – MAC Authentication Bypass
  • Violation Modes

Was this helpful?

  1. Security
  2. Switch Security

802.1x

Device Roles

  • Client – aka “The Supplicant” – The client device that connects to the network. It must rung an 802.1x compliant software

  • Authentication Server – performs the actual authentication based on the client credentails.

  • Switch – aka “The authenticator” – acts as a proxy between the Client and the Authentication Server.

Authentication Process

With 802.1x, when a host connects to the phyisical port, the port is still in an "Unauthorized" state and will not pass any data until it changes to an "Authorized" state.

  1. If the client has valid credentials, the switch grants the client access to the network

  2. If the Authentication Server times out the switch can use MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network

  3. If the authentication fails, the switch can give the client reduced access to the network, by adding it to a special Guest VLAN

Set up 802.1x

Global Config

  1. Enable aaa authentication:

    Sw(config)# aaa new-model

  2. Create a radius authentication method for dot1x authentication

    Sw(config)# aaa authentication dot1x [default] group radius

  3. Enable dot1x authentication

    Sw(config)# dot1x system auth-control

  4. Optionally, enable support for per-user ACL or VLAN Assignment

    Sw(config)# aaa authorization network [default] group radius

  5. Set up the radius server:

    Sw(config)# radius-server host IP-ADDR
Sw(config)# radius-server key SECRET

Interface Config

Set the interface as static access

Sw(config-if)# switchport mode access

Enable dot1x authentication per port with either command:

Sw(config-if)# authentication port-control auto
! Or 
Sw(config-if)# dot1x port-control auto

By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:

Sw(config-if)# authentication host [multi-auth|multi-domain|multi-host|single-host]
! or
Sw(config-if)# dot1x host-mode [multi-domain|multi-host|single-host]

  • multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated

  • multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN

  • multi-host: allows multiple clients on the port after one host has been authenticated

  • single-host: allows only 1 client on the port

Guest VLAN

In single-host or multiple-hosts mode, when the server does not receive a response to its EAP packets, it considers the hosts are not 802.1x capable and it allows them to join a Guest VLAN.

Sw(config-if)# dot1x guest-vlan VLAN-ID

Restricted VLAN

In single-host mode, when a 802.1x compliant host fails authentication, it is assigned to a Restricted VLAN

Sw(config-if)# authentication event fail authorize VLAN-ID
! or
Sw(config-if)# dot1x auth-fail vlan VLAN-ID
Sw(config-if)# dot1x auth-fail max-attempts MAX
! Default: 3 attempts before the host is moved to the restricted VLAN

MAB – MAC Authentication Bypass

On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.

Sw(config-if)# mab [eap|timeout activity SEC]

Violation Modes

When a new device connects to a 802.1x enabled port and the maximum number of allowed devices have already been authenticated, the port acts according to the following command:

Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace}
! or
Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}

  • shutdown: puts the port in errdisabled mode.

  • shutdown vlan: shuts down only the offending VLAN

  • restrict: generates a syslog message

  • protect: drops packets from the offending host

  • replace: removes the current session and authenticates with the new host

PreviousDHCP Snooping and DAINextSwitch ACLs

Last updated 2 years ago

Was this helpful?