IEEE 802.1X Port-Based Authentication
4.2.d i Device roles, port states
Device roles
General information on “802.1X Device roles”:
- Each device within 802.1x has a specific role
- There are three possible device roles:
  - Supplicant: The device that requests access to the LAN (e.g. workstation, server, …). Must be 802.1x-compliant. Uses EAPoL to communicate with the authenticator.
  - Authenticator: Network device the supplicant is attached to. Acts as a proxy: requests the identity from the supplicant, verifies it with the authentication server and relays the response back to the supplicant. If the authentication was successful, the authenticator allows the supplicant access to the network. If the authentication failed, the authenticator blocks the supplicant's access to the network. Also acts as an EAPoL/RADIUS translator.
  - Authentication server: Performs the actual authentication of the supplicant. Validates the identity and notifies the authenticator of the result. This can be a RADIUS server like Cisco ISE, Windows Server AD, and so on. Uses RADIUS to communicate with the authenticator.
Port states
General information on “802.1X port states”:
- The port state defines the supplicant's current status and what it can access within the network
- There are two possible port states:
  - Unauthorized: Initial state. Ingress traffic is blocked except for 802.1x authentication, CDP and STP packets.
  - Authorized: Supplicant is successfully authenticated. All ingress traffic is allowed and flows normally.
- If a supplicant doesn’t support 802.1x, the identity requests from the authenticator fail and the port stays in the unauthorized state
- If a supplicant is 802.1x-enabled but the connected port is not, the supplicant sends EAPOL start frames a fixed number of times and then begins sending frames as if the port were in the authorized state
- If a supplicant is misconfigured and the initial authentication failed, the authentication process can be re-initiated
- If a supplicant logs off, it sends an EAPOL-logoff message, causing the connected port to switch back to the unauthorized state
- If the link state of a port changes from up to down, the port also switches back to the unauthorized state
- If there’s no reply from the authentication server within a given amount of time, the port stays in the unauthorized state
- Important: If a port is configured as a Voice VLAN port, VoIP traffic and 802.1x packets are allowed before the supplicant is authenticated!
4.2.d ii Authentication process
“802.1X Authentication process” CLI configuration commands:
## Reauthenticating a supplicant manually
Switch# dot1x re-authenticate interface <if>
4.2.d iii Host modes
General information on “802.1X Host modes”:
- A port can be configured for three host modes:
  - Single-host mode: Only one host can be attached and authenticated on a port.
  - Multi-host mode: Multiple hosts can be attached to a port but only one host must authenticate for all other hosts to have access to the network.
  - Multi-auth mode: Multiple hosts can be attached to a port and all hosts must authenticate themselves to have access to the network.
4.2.d iiii Authenticator configuration
General information on “802.1X Authenticator configuration”:
- The following shows a sample configuration of an 802.1x authenticator
- The dot1x port-control command (authentication port-control in the configuration below) has three possible arguments:
  - auto: The port is in an unauthorized state until the connected device initiates and successfully authorizes itself with the AAA server.
  - force-unauthorized: The port is always unauthorized. Connected devices cannot initiate an authorization process.
  - force-authorized: The port is always authorized and ready to use. No authorization is required. This is the default mode.
“802.1X Authenticator configuration” CLI configuration commands:
## Enabling AAA services globally
Switch(config)# aaa new-model
## Enabling AAA dot1x authentication globally
Switch(config)# dot1x system-auth-control
## Configuring a RADIUS server
Switch(config)# radius server <name>
Switch(config-radius-server)# address [ipv4 | ipv6] <ip> auth-port <port> acct-port <port>
Switch(config-radius-server)# key <key>
## Configuring AAA dot1x authentication to use RADIUS
Switch(config)# aaa authentication dot1x [default | <list>] group radius
## Enabling AAA dot1x authentication on an interface
Switch(config)# interface <if>
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication port-control auto
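Added example (not part of the original notes): because force-authorized is the default, a port without an explicit port-control auto line is open. This Python sketch audits a saved configuration for the commands listed above; the sample configuration is constructed, and it assumes every interface in the input is an access port that should enforce 802.1x.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet0/2
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 authentication port-control force-authorized
"""

# Global commands from the authenticator configuration in these notes.
GLOBAL_REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
    "aaa authentication dot1x <list> group radius": r"^aaa authentication dot1x \S+ group radius$",
}

def audit_dot1x(config):
    """Return findings for missing global commands and ports not set to 'auto'."""
    findings = []
    lines = config.splitlines()
    for name, pattern in GLOBAL_REQUIRED.items():
        if not any(re.match(pattern, line) for line in lines):
            findings.append(f"global: missing '{name}'")
    # Group the indented sub-commands under their 'interface' header.
    interfaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
    for name, body in interfaces.items():
        if "dot1x pae authenticator" not in body:
            findings.append(f"{name}: missing 'dot1x pae authenticator'")
        mode = next((b.split()[-1] for b in body if re.match(r"(authentication|dot1x) port-control ", b)), None)
        if mode != "auto":
            findings.append(f"{name}: port-control is {mode or 'unset (default force-authorized)'}")
    return findings
```

Calling audit_dot1x(SAMPLE_CONFIG) reports the missing global dot1x system-auth-control, the unset port-control on GigabitEthernet0/2, and both problems on GigabitEthernet0/3.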