Radius server configuration for 802.1X
radius server test1
address ipv4 10.1.1.1
key 1234
!
radius server test2
address ipv4 10.1.1.2
key 1234
!
aaa group server radius TEST-gr
server name test1
server name test2
!
aaa authentication dot1x default group TEST-gr
aaa authorization network default group TEST-gr
aaa accounting dot1x default start-stop group TEST-gr
Enable Change of Authorization (CoA)
aaa server radius dynamic-author
client 10.1.1.1 server-key shared_secret
Enable dot1x globally and per port
SW(config)#dot1x system-auth-control
SW(config-if)#authentication port-control auto
SW(config-if)#dot1x pae authenticator
SW(config-if)#mab
Declare a RADIUS server dead when it has not answered for 10 seconds and 3 consecutive requests have timed out (dead-criteria).
radius-server dead-criteria time 10 tries 3
Include the RADIUS Service-Type in the authentication requests
radius-server attribute 6 on-for-login-auth
Include the endpoint IP address in the framed-IP-address attribute in the authentication requests
radius-server attribute 8 include-in-access-req
Include the class attribute in RADIUS authentication requests
radius-server attribute 25 access-request include
802.1X Host Modes
Single-Host Mode
Only one client can be connected to an 802.1X-enabled port.
SW(config-if)# authentication host-mode single-host
Multiple-Host Mode
Multiple clients are connected to the 802.1X-enabled port, through a hub for example. Only one client needs to authenticate; once it has, all clients on the port have access to the network.
SW(config-if)# authentication host-mode multi-host
Multidomain Authentication Mode
This mode is also called Multidomain Authentication (MDA) mode: an IP phone and a single host sit behind one 802.1X-enabled port, and the phone and the host are authenticated independently. Multidomain refers to two domains:
Data domain
Voice domain
SW(config-if)# authentication host-mode multi-domain
Multiauthentication Mode
This mode allows one 802.1X client on a voice VLAN and multiple authenticated 802.1X clients on a data VLAN. In this mode, each client connected needs to be authenticated individually.
SW(config-if)# authentication host-mode multi-auth
If you want the interface to change to the guest VLAN state for a non-802.1X-capable client, regardless of the EAPOL packet history, use the following interface configuration command:
SW(config-if)# authentication event no-response action authorize vlan 10
To configure a restricted VLAN, the new command on a Cisco IOS switch is as follows:
SW(config-if)# authentication event fail [retry retries] action authorize vlan 10
Useful show command for verification
Switch#sh authentication sessions interface gigabitEthernet 1/0/24
Quiet Period
When the switch cannot authenticate the client for some reason (for example, failed authentication), the switch remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. The default is 60 seconds. This timer can be tweaked to provide a faster response. To configure this timer on a Cisco IOS switch, enter the following command:
SW(config-if)# dot1x timeout quiet-period seconds
Switch-to-Client Retransmission Time (tx-period)
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time, which is known as the retransmission time, and then retransmits the frame. You can tweak the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.
To configure this timer on a Cisco IOS switch, enter the following command:
SW(config-if)# dot1x timeout tx-period seconds
Switch-to-Client Retransmission Time for EAP-Request Frames (supp-timeout)
The client notifies the switch that it received the EAP-request frame. If the switch does not receive this notification, the switch waits a set period of time and then retransmits the frame. This timer can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.
To configure this timer on a Cisco IOS switch, enter the following command:
SW(config-if)# dot1x timeout supp-timeout seconds
Switch-to-Authentication-Server Retransmission Time for Layer 4 Packets (server-timeout)
The authentication server notifies the switch each time it receives a transport layer packet (Layer 4). When the switch does not receive a notification after sending a packet, it waits a set period of time and then retransmits the packet. This can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.
To configure this timer on a Cisco IOS switch, enter the following command:
SW(config-if)# dot1x timeout server-timeout seconds
Switch-to-Client Frame Retransmission Number (max-reauth-req)
If the client does not answer the EAP-request/identity frame, the switch waits the retransmission time and then sends the frame again. Apart from tweaking the timers, you can change the number of times the switch sends the EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10. The default is 2.
To configure this counter on a Cisco IOS switch, enter the following command:
SW(config-if)# dot1x max-reauth-req count
The best practice is to always prefer the stronger authentication method (dot1x); dot1x is also the default priority on all Cisco switches.
SW(config-if)#authentication priority dot1x mab
There are certain deployment methods where MAC-Authentication Bypass (MAB) should occur before 802.1X authentication. For those corner cases, Cisco switches do allow for a network administrator to set a user-definable authentication order. However, the best practice is to maintain the order of dot1x and then MAB.
SW(config-if)#authentication order dot1x mab
DOT1X deployment mode
Monitor mode
Also called audit mode: the client has full access to the network whether authentication succeeds or fails. It is often used for the initial deployment to check that the policies in Cisco ISE work as expected; the ISE RADIUS live logs show which endpoints authenticate successfully and which do not. You enable it with the authentication open command.
SW(config)#int g0/1
SW(config-if)#authentication open
SW(config-if)#authentication port-control auto
SW(config-if)#dot1x pae authenticator
SW(config-if)#mab
Low-impact mode
This mode is similar to monitor mode, except that a port ACL is applied to limit what unauthenticated clients can reach. After a successful authentication a dACL is applied to grant full access to the network; the dACL overrides the port ACL.
SW(config)#int g0/1
SW(config-if)#authentication open
SW(config-if)#authentication port-control auto
SW(config-if)#dot1x pae authenticator
SW(config-if)#mab
SW(config-if)#ip access-group pre-acl in
Closed mode
This is the default mode of 802.1X, only EAP packets are allowed on the port before a successful authentication.
SW(config)#int g0/1
SW(config-if)#authentication port-control auto
SW(config-if)#dot1x pae authenticator
SW(config-if)#mab
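An added example, not part of the original page and not a Cisco tool: a Python script that audits a constructed IOS running-config excerpt against the points made above. It classifies each port as monitor, low-impact or closed from the authentication open and ip access-group ... in commands, flags ports missing authentication port-control auto, dot1x pae authenticator or mab, flags an authentication order or authentication priority that puts MAB ahead of dot1x, flags a short RADIUS shared secret (the 16-character threshold is an assumption chosen for this audit), and estimates how long a port keeps sending EAP-request/identity before giving up, using tx-period * (max-reauth-req + 1), which is derived from the timer descriptions above rather than quoted by the page. The sample config, interface names and thresholds are all constructed.

```python
import re

DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ = 30, 2  # defaults named in the text
MIN_SECRET_LEN = 16  # ASSUMPTION: an audit threshold chosen here, not a Cisco rule
REQUIRED_PORT_CMDS = ("authentication port-control auto", "dot1x pae authenticator", "mab")

# Constructed running-config excerpt (not from a real switch): one port per
# deployment mode, one port with MAB ordered first, one with no port-control.
SAMPLE_CONFIG = """\
radius server test1
 address ipv4 10.1.1.1
 key 1234
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 mab
interface GigabitEthernet1/0/2
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 mab
 ip access-group pre-acl in
interface GigabitEthernet1/0/3
 authentication order mab dot1x
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
interface GigabitEthernet1/0/4
 dot1x pae authenticator
 mab
"""


def parse_sections(config):
    """Split an IOS config into {header: [lowercased sub-commands]}; top-level commands also go under ""."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):            # indented: belongs to the current header
            sections[current].append(line.strip().lower())
        else:                               # top-level command starts a new section
            current = line.strip()
            sections.setdefault(current, [])
            sections[""].append(current.lower())
    return sections


def deployment_mode(cmds):
    """Classify a port by the commands the text uses for each deployment mode."""
    if "authentication port-control auto" not in cmds:
        return "not enforced"               # port stays force-authorized; no 802.1X at all
    if "authentication open" in cmds:
        has_pacl = any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds)
        return "low-impact" if has_pacl else "monitor"
    return "closed"


def eapol_fallback_seconds(cmds):
    """Seconds of EAP-request/identity retries before the switch gives up.
    ASSUMPTION: one tx-period wait after the initial frame and after each of max-reauth-req retries."""
    tx, retries = DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ
    for c in cmds:
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", c):
            tx = int(m.group(1))
        if m := re.fullmatch(r"dot1x max-reauth-req (\d+)", c):
            retries = int(m.group(1))
    return tx * (retries + 1)


def audit(config):
    """Return (global findings, {port: {"mode", "eapol_seconds", "findings"}})."""
    sections = parse_sections(config)
    glob = []
    if "dot1x system-auth-control" not in sections[""]:
        glob.append("dot1x system-auth-control missing: 802.1X is disabled switch-wide")
    ports = {}
    for header, cmds in sections.items():
        low = header.lower()
        if low.startswith("radius server "):   # shared-secret length check
            for c in cmds:
                if c.startswith("key ") and len(c.split(None, 1)[1]) < MIN_SECRET_LEN:
                    glob.append(f"{header}: shared secret shorter than {MIN_SECRET_LEN} chars")
        if not low.startswith("interface "):
            continue
        findings = [f"missing '{req}'" for req in REQUIRED_PORT_CMDS if req not in cmds]
        for c in cmds:                         # order/priority must start with dot1x
            m = re.match(r"authentication (order|priority) (\S+)", c)
            if m and m.group(2) != "dot1x":
                findings.append(f"authentication {m.group(1)} puts {m.group(2)} before dot1x; best practice is dot1x then mab")
        ports[header.split(None, 1)[1]] = {"mode": deployment_mode(cmds),
                                           "eapol_seconds": eapol_fallback_seconds(cmds),
                                           "findings": findings}
    return glob, ports


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Feed it the output of show running-config (after stripping banners) to get a per-port view of which deployment mode is actually in force; ports that were left in monitor mode after the pilot show up as "monitor" with no findings, which is exactly the case that is easy to miss by reading the config by hand.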