802.1X Overview

Radius server configuration for 802.1X

radius server test1

 address ipv4 10.1.1.1

 key 1234

!

radius server test2

 address ipv4 10.1.1.2

 key 1234

!

aaa group server radius TEST-gr

 server name test1

 server name test2

!

aaa authentication dot1x default group TEST-gr

aaa authorization network default group TEST-gr

aaa accounting dot1x default start-stop group TEST-gr

Enable Change of Authorization (CoA)

aaa server radius dynamic-author

client 10.1.1.1 server-key shared_secret

Enable dot1x globally and per port

SW(config)#dot1x system-auth-control

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

Set the RADIUS dead-criteria to a 10-second timeout with a 3-attempt failure limit.

radius-server dead-criteria time 10 tries 3

Include the RADIUS Service-Type in the authentication requests

radius-server attribute 6 on-for-login-auth

Include the endpoint IP address in the Framed-IP-Address attribute of the authentication requests

radius-server attribute 8 include-in-access-req

Include the Class attribute in RADIUS authentication requests

radius-server attribute 25 access-request include

802.1X Host Modes

Single-Host Mode

Only one client can be connected to an 802.1X-enabled port.

SW(config-if)# authentication host-mode single-host


Multiple-Host Mode

Multiple clients are connected to the 802.1X-enabled port, through a hub for example. Only one client needs to be authenticated, after which all clients have access to the network.

SW(config-if)# authentication host-mode multi-host


Multidomain Authentication Mode

This mode is also called Multidomain Authentication (MDA) mode: an IP phone and a single host sit behind an 802.1X-enabled port, and the IP phone and the host are authenticated independently. Multidomain refers to two domains:

Data domain

Voice domain

SW(config-if)# authentication host-mode multi-domain

Multiauthentication Mode

This mode allows one 802.1X client on a voice VLAN and multiple authenticated 802.1X clients on a data VLAN. In this mode, each client connected needs to be authenticated individually.

SW(config-if)# authentication host-mode multi-auth

If you want the interface to change to the guest VLAN state for a non-802.1X-capable client, regardless of the EAPOL packet history, use the following global configuration command:

SW(config-if)# authentication event no-response action authorize vlan 10

To configure a restricted VLAN, the new command on a Cisco IOS switch is as follows:

SW(config-if)# authentication event fail [retry retries] action authorize vlan 10

Useful show command for verification

Switch#sh authentication sessions interface gigabitEthernet 1/0/24

Quiet Period

When the switch cannot authenticate the client for some reason (for example, failed authentication), the switch remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. The default is 60 seconds. This timer can be tweaked to provide a faster response.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x timeout quiet-period seconds



Switch-to-Client Retransmission Time (tx-period)

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time, which is known as the retransmission time, and then retransmits the frame. You can tweak the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config)# dot1x timeout tx-period seconds

Switch-to-Client Retransmission Time for EAP-Request Frames (supp-timeout)

The client notifies the switch that it received the EAP-request frame. If the switch does not receive this notification, the switch waits a set period of time and then retransmits the frame. This timer can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x timeout supp-timeout seconds

Switch-to-Authentication-Server Retransmission Time for Layer 4 Packets (server-timeout)

The authentication server notifies the switch each time it receives a transport layer packet (Layer 4). When the switch does not receive a notification after sending a packet, it waits a set period of time and then retransmits the packet. This can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x timeout server-timeout seconds

Switch-to-Client Frame Retransmission Number (max-reauth-req)

The client notifies the switch that it received the EAP-request frame. If the switch does not receive this notification, the switch waits a set period of time and then retransmits the frame. Apart from tweaking supp-timeout, we can tweak the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process, from 1 to 10. The default is 2.

To configure this count on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x max-reauth-req count

The best practice is to always prefer the stronger authentication method (dot1x). The dot1x method is also the default on all Cisco switches.

SW(config-if)#authentication priority dot1x mab

There are certain deployment methods where MAC-Authentication Bypass (MAB) should occur before 802.1X authentication. For those corner cases, Cisco switches do allow for a network administrator to set a user-definable authentication order. However, the best practice is to maintain the order of dot1x and then MAB.

SW(config-if)#authentication order dot1x mab

DOT1X deployment mode

Monitor mode

Also called audit mode: the client has full access to the network regardless of whether the authentication succeeds or fails. It is often used for initial deployment to check that your policies in Cisco ISE work as expected; Cisco ISE provides visibility through the RADIUS live logs, showing which devices authenticated successfully and which did not. You can achieve this by using the authentication open command.

SW(config)#int g0/1

SW(config-if)#authentication open

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

Low-impact mode

This mode is similar to monitor mode, except that a port ACL is applied to limit the access of unauthenticated clients. After a successful authentication, a dACL is applied to grant full access to the network; the dACL overrides the port ACL.

SW(config)#int g0/1

SW(config-if)#authentication open

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

SW(config-if)#ip access-group pre-acl in

Closed mode

This is the default mode of 802.1X, only EAP packets are allowed on the port before a successful authentication.

SW(config)#int g0/1

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab
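As an added example (not code from the original page), the following Python audit reads an IOS-style running-config, classifies each port into the monitor, low-impact or closed mode described above, and computes how long a client that never answers EAP-Request/Identity waits before MAB or the guest VLAN takes over, using the tx-period and max-reauth-req timers from the earlier section. The sample config is constructed; the (max-reauth-req + 1) * tx-period formula is Cisco's documented one and is not stated on this page.

```python
# Constructed sample running-config (not from a real switch): one port per deployment mode.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 authentication open
 authentication port-control auto
 ip access-group pre-acl in
!
interface GigabitEthernet1/0/3
 authentication port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
!
"""
DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ = 30, 2  # defaults quoted on the page

def parse_interfaces(config):
    """Return {interface name: [stripped lines indented under it]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the block
    return interfaces

def classify_port(lines):
    """Map an interface's lines to the deployment mode the page describes."""
    if "authentication port-control auto" not in lines:
        return "no-802.1x"
    if "authentication open" not in lines:
        return "closed"      # only EAPOL passes before a successful authentication
    if any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines):
        return "low-impact"  # open, but the port ACL limits pre-auth traffic
    return "monitor"         # open with no ACL: full access whatever the result

def fallback_delay(lines):
    """Seconds before a silent client falls back to MAB / guest VLAN: (max-reauth-req + 1) * tx-period."""
    tx, reauth = DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ
    for words in (l.split() for l in lines):
        if words[:3] == ["dot1x", "timeout", "tx-period"]:
            tx = int(words[3])
        elif words[:2] == ["dot1x", "max-reauth-req"]:
            reauth = int(words[2])
    return (reauth + 1) * tx
```

Monitor-mode ports are the ones to flag in a review, since they pass traffic whatever the RADIUS result; with the page's defaults the fallback delay is 90 seconds.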
