Device Roles

  • Client – aka “The Supplicant” – The client device that connects to the network. It must rung an 802.1x compliant software

  • Authentication Server – performs the actual authentication based on the client credentails.

  • Switch – aka “The authenticator” – acts as a proxy between the Client and the Authentication Server.

Authentication Process

With 802.1x, when a host connects to the phyisical port, the port is still in an "Unauthorized" state and will not pass any data until it changes to an "Authorized" state.

  1. If the client has valid credentials, the switch grants the client access to the network

  2. If the Authentication Server times out the switch can use MAC Authentication Bypass feature to authenticate. If it succeeds, the switch grants the client access to the network

  3. If the authentication fails, the switch can give the client reduced access to the network, by adding it to a special Guest VLAN

Set up 802.1x

Global Config

  1. Enable aaa authentication:

    Sw(config)# aaa new-model
  2. Create a radius authentication method for dot1x authentication

    Sw(config)# aaa authentication dot1x [default] group radius
  3. Enable dot1x authentication

    Sw(config)# dot1x system auth-control
  4. Optionally, enable support for per-user ACL or VLAN Assignment

    Sw(config)# aaa authorization network [default] group radius
  5. Set up the radius server:

    Sw(config)# radius-server host IP-ADDR
    Sw(config)# radius-server key SECRET

Interface Config

Set the interface as static access

Sw(config-if)# switchport mode access

Enable dot1x authentication per port with either command:

Sw(config-if)# authentication port-control auto
! Or 
Sw(config-if)# dot1x port-control auto

By default, the port works in single-host mode, where only one host can authenticate on a port. To change this, use:

Sw(config-if)# authentication host [multi-auth|multi-domain|multi-host|single-host]
! or
Sw(config-if)# dot1x host-mode [multi-domain|multi-host|single-host]
  • multi-auth: allows 1 client on the voice VLAN and multiple clients on the data VLAN. Each host is individually authenticated

  • multi-domain: allows 1 client on the voice VLAN and 1 client on the data VLAN

  • multi-host: allows multiple clients on the port after one host has been authenticated

  • single-host: allows only 1 client on the port

Guest VLAN

In single-host or multiple-hosts mode, when the server does not receive a response to its EAP packets, it considers the hosts are not 802.1x capable and it allows them to join a Guest VLAN.

Sw(config-if)# dot1x guest-vlan VLAN-ID

Restricted VLAN

In single-host mode, when a 802.1x compliant host fails authentication, it is assigned to a Restricted VLAN

Sw(config-if)# authentication event fail authorize VLAN-ID
! or
Sw(config-if)# dot1x auth-fail vlan VLAN-ID
Sw(config-if)# dot1x auth-fail max-attempts MAX
! Default: 3 attempts before the host is moved to the restricted VLAN

MAB – MAC Authentication Bypass

On some ports you can enable MAB, which allows the use of the MAC address as authentication credentials.

Sw(config-if)# mab [eap|timeout activity SEC]

Violation Modes

When a new device connects to a 802.1x enabled port and the maximum number of allowed devices have already been authenticated, the port acts according to the following command:

Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace}
! or
Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}
  • shutdown: puts the port in errdisabled mode.

  • shutdown vlan: shuts down only the offending VLAN

  • restrict: generates a syslog message

  • protect: drops packets from the offending host

  • replace: removes the current session and authenticates with the new host

Last updated