802.1x

Device Roles

  • Client – aka “The Supplicant” – The client device that connects to the network. It must run 802.1X-compliant supplicant software and speaks EAPOL (EAP over LAN) to the switch.
  • Authentication Server – usually a RADIUS server; it performs the actual authentication based on the client credentials and returns the authorization result (accept/reject, optionally a VLAN or ACL).
  • Switch – aka “The Authenticator” – acts as a proxy between the Client and the Authentication Server: it relays the EAP exchange, carrying it in EAPOL frames towards the client and inside RADIUS packets towards the server, and opens or blocks the port according to the result.

Authentication Process

  1. If the client presents valid credentials and the Authentication Server returns an Access-Accept, the switch grants the client access to the network (and applies any VLAN or ACL the server pushed).
  2. If the client never answers the switch's EAP requests (no 802.1X supplicant, so the 802.1X timeout expires), the switch can fall back to MAC Authentication Bypass and send the client's MAC address to the Authentication Server as its credentials. If that succeeds, the switch grants the client access to the network.
  3. If the client does have a supplicant but authentication fails, the switch can give it reduced access by placing the port in a special Restricted VLAN. A client that is not 802.1X-capable at all can instead be placed in a Guest VLAN.

Set up 802.1x

Global Config

  1. Enable AAA:
     Sw(config)# aaa new-model
  2. Create a RADIUS authentication method list for dot1x authentication (the default list applies to every port unless a named list is configured):
     Sw(config)# aaa authentication dot1x default group radius
  3. Enable 802.1X globally (without this the per-port commands have no effect):
     Sw(config)# dot1x system-auth-control
  4. Optionally, enable network authorization so the RADIUS server can push per-user ACLs or a VLAN assignment:
     Sw(config)# aaa authorization network default group radius
  5. Define the RADIUS server and the shared secret (legacy form; newer IOS releases deprecate radius-server host in favour of a named radius server block):
     Sw(config)# radius-server host IP-ADDR
     Sw(config)# radius-server key SECRET

Interface Config

Set the interface as a static access port (802.1X is not supported on trunk or dynamic-mode ports):
  Sw(config-if)# switchport mode access
Enable 802.1X on the port with either command (the authentication form is the newer syntax, the dot1x form is the legacy equivalent):
  Sw(config-if)# authentication port-control auto
  ! or
  Sw(config-if)# dot1x port-control auto
By default, the port works in single-host mode, where only one MAC address can authenticate on the port. To change this, use:
  Sw(config-if)# authentication host-mode {multi-auth|multi-domain|multi-host|single-host}
  ! or
  Sw(config-if)# dot1x host-mode {multi-domain|multi-host|single-host}
  • multi-auth: allows one client on the voice VLAN and multiple clients on the data VLAN; each host is authenticated individually
  • multi-domain: allows one client on the voice VLAN and one client on the data VLAN (the usual choice for a PC behind an IP phone)
  • multi-host: once a single host has authenticated, any number of further MAC addresses are allowed on the port without authenticating, so a hub or an attacker piggybacking on an authenticated host gets in as well
  • single-host: allows only one client on the port

Guest VLAN

In single-host or multi-host mode, when the switch receives no response to its EAP-Request/Identity frames (the client has no 802.1X supplicant), it treats the host as not 802.1X-capable and places the port in the Guest VLAN:
  Sw(config-if)# dot1x guest-vlan VLAN-ID

Restricted VLAN

In single-host mode, when an 802.1X-capable host fails authentication (the Authentication Server rejects its credentials), the port is assigned to a Restricted VLAN instead of being left unauthorized:
  Sw(config-if)# authentication event fail action authorize vlan VLAN-ID
  ! or
  Sw(config-if)# dot1x auth-fail vlan VLAN-ID
  Sw(config-if)# dot1x auth-fail max-attempts MAX
  ! Default: 3 failed attempts before the host is moved to the Restricted VLAN
  ! (in the newer syntax the retry count is the retry keyword of authentication event fail)

MAB – MAC Authentication Bypass

On ports that must admit devices without a supplicant (printers, cameras, IP phones), you can enable MAB, which makes the switch send the host's MAC address to the Authentication Server as both username and password once the 802.1X request has timed out. A MAC address is trivial to observe and spoof, so MAB is a weak fallback: the list of allowed MAC addresses on the server has to be maintained deliberately, and MAB-authorized hosts should receive a restricted VLAN or ACL rather than the same access as 802.1X-authenticated ones.
  Sw(config-if)# mab [eap]
  ! eap: carry the MAC address in an EAP-MD5 exchange instead of a plain PAP request

Violation Modes

When a new MAC address appears on an 802.1X-enabled port after the host mode's maximum number of devices has already been authenticated, the port handles the violation according to the following command:
  Sw(config-if)# authentication violation {shutdown [vlan]|restrict|protect|replace}
  ! or
  Sw(config-if)# dot1x violation-mode {shutdown|restrict|protect}
  • shutdown: error-disables the whole port (the default; every host on the port loses connectivity until the port is recovered)
  • shutdown vlan: error-disables only the offending VLAN on the port
  • restrict: drops traffic from the offending host and generates a syslog message
  • protect: drops traffic from the offending host silently
  • replace: tears down the current session and authenticates the new host in its place
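The following is an added example, not part of the original notes, that pulls the Global Config and Interface Config steps together with the MAB, Guest VLAN, Restricted VLAN and Violation Mode options into one complete access-port configuration, in the newer authentication syntax (the dot1x forms above are the legacy equivalents). The RADIUS server name and address, the shared secret, the VLAN IDs and the interface name are placeholders to be replaced with your own.

```cisco
! Added example (not from the original notes): complete 802.1X access port with
! MAB fallback, guest and restricted VLANs and a violation mode. Server name,
! address, secret, VLAN IDs and interface name are placeholders.
!
! ---- Global ----
aaa new-model
aaa authentication dot1x default group radius
! Needed so the server can push per-user ACLs / a VLAN assignment
aaa authorization network default group radius
! Optional: start/stop accounting records per authenticated host
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! Named RADIUS server block (replaces the deprecated "radius-server host" form)
radius server RADIUS-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key Str0ngSharedSecret!
!
! ---- Access port: one PC behind one IP phone ----
interface GigabitEthernet1/0/1
 description 802.1X access port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One data host and one voice host, each authenticated separately
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1X first; fall back to MAB only when the client sends no EAPOL
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Supplicant present but credentials rejected -> restricted VLAN 999
 authentication event fail action authorize vlan 999
 ! No EAP response and MAB did not authorize the host -> guest VLAN 998
 authentication event no-response action authorize vlan 998
 ! RADIUS unreachable: fail open into the data VLAN rather than locking the
 ! office out (a deliberate trade-off), then re-authenticate when it returns
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 ! Extra MAC in the data domain: drop it and log, instead of errdisabling the port
 authentication violation restrict
 ! Periodic reauthentication, interval taken from the RADIUS Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Shorter EAP request timeout: with the default max-reauth-req of 2, the
 ! MAB/guest fallback fires after 3 x 10 s instead of 3 x 30 s
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ---- Verification ----
! show authentication sessions interface GigabitEthernet1/0/1 details
! show dot1x interface GigabitEthernet1/0/1 details
! show mab interface GigabitEthernet1/0/1 details
! show aaa servers
```

The verification commands show, per session, which method (dot1x or mab) authorized the host, which VLAN it landed in and whether the server is reachable; a host sitting in VLAN 998 or 999 when you expected normal access is the first thing to look for when a port "does not work" after enabling 802.1X.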