
802.1x Overview & GNS3 Examples


If you wish, go directly to the GNS3 examples. See the following links:

Introduction

IEEE 802.1x is a standard set by the IEEE 802.1 working group. It is a data link layer (Layer 2) protocol designed to provide port-based network access control using authentication unique to a device or user. This service is called port-level authentication.

In an unsecured environment, it is much easier for hackers and unauthorized entities to launch denial of service (DoS), hijack, or other types of attacks.

802.1x Components

The IEEE 802.1x framework defines three roles in the authentication process:

Supplicant (client, or host): The endpoint requesting access to the network. For example, this could be an end-user device, a printer, or an IP phone. It must be running 802.1x-compliant supplicant software.

Authentication server: The entity that validates the identity of the supplicant and notifies the authenticator to allow or deny the client request for access. For example, a RADIUS server, such as ACS, can provide authentication server services. The RADIUS security system with EAP extensions is the only supported authentication server.

Authenticator (switch, AP, …): The device between the supplicant and the authentication server that facilitates authentication. The client is normally directly connected to the authenticator. For example, a switch or a wireless access point would provide authenticator services to clients attempting to access the LAN.


EAPOL carries the authentication exchange, so EAPOL frames are allowed through the port before authentication has been completed. Spanning tree BPDUs and CDP frames are also allowed through before authentication has completed, preventing bridging loops and helping identify end devices. After the authentication is successful, normal traffic can pass through the port.

In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

Port States

When using 802.1x, there are three defined port states:

■ Auto: Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames, CDP, and STP traffic to be sent and received through the port. After the supplicant is authenticated, the port transitions to the authorized state and normal traffic is allowed.

■ Forced-Authorized: Disables 802.1x port-based authentication. In this state, 802.1x is disabled on the port. All traffic is allowed as normal without restriction. This is the default port state when 802.1x is globally enabled.

■ Forced-Unauthorized: In this state, the port ignores all traffic, including any attempts to authenticate. The port is forced to never authorize any connected client.

Implementing and Configuring Basic 802.1X

Configuring 802.1X port authentication is supported on Layer 2 static access ports (using switchport mode access), voice VLAN–enabled ports, and Layer 3 routed ports. It is not supported on dynamic ports, trunk ports, or Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN) ports.

Configuring Cisco Catalyst IOS Software 802.1X Authenticator

NOTE You can try many of the 802.1x commands on GNS3 using a 3725 fitted with an NM-16ESW switch module.

There are several tasks involved in configuring the Cisco Catalyst IOS Software 802.1X authenticator:

Task 1. Configure a RADIUS server on the network switch and the AAA server.

Task 2. Configure the switch to use AAA and the RADIUS protocol for authentication.

Task 3. Enable 802.1X globally on the switch.

Task 4. Enable 802.1X on access ports that require user authentication on the switch.

Task 5. (Optional) Configure periodic reauthentication.

Task 6. (Optional) Tune timers and thresholds.

Task 7. (Optional) Configure a guest policy on the switch if one is needed.

Task 1: Configure RADIUS Server

Define an external RADIUS Server:

Switch(config)# radius-server host {hostname | ip-address} [auth-port auth-port-number] [acct-port acct-port-number] [key string]

This command can be repeated to define additional RADIUS servers.

Enter the radius-server host command to specify the IP address of the RADIUS server with which the switch will communicate to authenticate 802.1X clients. This command also specifies the cryptographic authentication key that is used to protect the session.

Note: Configure two RADIUS servers to provide a redundant set of AAA servers. Also, use a strong value for the authentication key and consider using different authentication keys for each 802.1X switch, in case one of them gets compromised.

Optionally, you can change the authentication and accounting ports from the defaults, UDP 1645 and 1646, which are used by Cisco Secure ACS to the standard RADIUS ports, UDP 1812 and 1813.

Example. Configuration of a RADIUS server at 10.1.1.1, using the standard RADIUS ports, UDP 1812 and 1813, and specifying an authentication key of “rad123.”

Router(config)# radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key rad123

Task 2: Enable AAA and Use RADIUS for Authentication

Enable AAA and configure an AAA authentication method using RADIUS for interfaces that will be running 802.1X port security:


Step 1. Enable AAA globally:

Switch(config)# aaa new-model

Warning: This command immediately applies local authentication to all lines and interfaces, except the console line (line con 0). If a telnet session is opened to the router after enabling this command (or if a connection times out and has to reconnect), the user has to be authenticated against the local database of the router. To avoid being locked out of the router, we recommend that you define a username and password before starting the AAA configuration.


Step 2. Configure an AAA authentication method that specifies that 802.1X authentication requests should be sent to the configured RADIUS servers.

Create an 802.1X port-based authentication method list:

Switch(config)# aaa authentication dot1x {default} method1 [method2...]

Enter at least one of these keywords:

group radius—Use the list of all RADIUS servers for authentication.

none—Use no authentication. The client is automatically authenticated without the switch using the information supplied by the client.

enable—Use the enable password for authentication.

line—Use the line password for authentication.

local—Use local username authentication.

local-case—Use case-sensitive local username authentication.

Task 3: Enable 802.1X globally on the switch

Globally enable 802.1X port-based authentication:

Switch(config)# dot1x system-auth-control

Task 4. Enable 802.1X on access ports that require user authentication on the switch

NOTE On the ports that will require 802.1X authentication, ensure that the interface is configured as a Layer 2 access port with the switchport mode access interface command. Make sure that the user interfaces are assigned to a proper access VLAN:

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan vlan-id

Enable 802.1X port-based authentication on the interfaces you want:

Switch(config-if)# dot1x port-control {auto | force-authorized | force-unauthorized}

In later releases:

Switch(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}

  • force-authorized—Disables 802.1x port-based authentication. The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.

  • force-unauthorized—The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.

  • auto—Enables 802.1x port-based authentication. The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.


Tip: After 802.1x is globally enabled on a switch, all switch ports default to the force-authorized state. This means that any PC connected to a switch port can immediately start accessing the network. Ideally, you should explicitly configure each port to use the auto state so that connected PCs are forced to authenticate through the 802.1x exchange.

Task 5: (Optional) Configure Periodic Reauthentication

You can configure this on an interface or range of interfaces. By default, 802.1X reauthentication is not enabled. This can cause problems in an environment in which not all switches perform authentication. For example, if your distribution switches perform 802.1X authentication rather than the access switches the clients are plugged into, the distribution switch will not detect that a client has disconnected and will leave the port in an authenticated state. Periodic reauthentication alleviates this by forcing the client to periodically reauthenticate to the AAA server.


Step 1. Enable periodic reauthentication on a user interface or range of interfaces:

Router(config-if)# authentication periodic

The default is that periodic reauthentication is disabled.

In earlier releases:

Router(config-if)# dot1x reauthentication


Step 2. You can adjust the timer on the periodic reauthentication attempts.

To specify the number of seconds between reauthentication attempts use:

Router(config-if)# authentication timer reauthenticate [seconds | server]

This sets the interval after which an automatic reauthentication is initiated.

seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds. Reducing the interval causes your user ports to be reauthenticated more often. This is good from a security standpoint but adds extra load on your RADIUS servers. Proceed with caution, because a high load could cause legitimate clients to be denied access to your network if your AAA servers are too busy to process 802.1X authentication requests.

server—Obtains the reauthentication timeout value from the authentication server.


NOTE In earlier releases:

Router(config-if)# dot1x timeout reauth-period [seconds | server]

Task 6: (Optional) Tune Timers and Thresholds

You can adjust EAPOL timers to optimize the 802.1X authentication exchange between the supplicant and the authenticator.

Note: In 802.1X Authentication Message Exchange, EAPOL is used between the supplicant and the authenticator, while RADIUS is used between the authenticator and the authentication server.

The authenticator expects to receive the EAP-Response/Identity frame as a response to its EAP-Request/Identity frame. If it has not received this frame within the default retransmission time, it will resend the Request frame. The default retransmission timer is 30 seconds.

You can lower this timer to shorten the wait before a retransmission, which allows a faster 802.1X authentication process.


To change the retransmission timer (timeout for supplicant retries):

Router(config-if)# dot1x timeout tx-period seconds

Set the number of seconds that the switch/router waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The range is 1 to 65535 seconds; the default is 30.

If the switch fails to authenticate a client, such as the user entering a bad password, the switch waits a period of time before trying again. The default value for this quiet timer is 60 seconds. You can lower this value, thus giving the client a faster response time.


To change the quiet timer:

R1(config-if)# dot1x timeout quiet-period seconds

Task 7: (Optional) Configure Guest and Authentication Failed Policy

A special-purpose VLAN is designated for clients that either fail authentication or do not have an 802.1X supplicant. A client without a supplicant does not respond to EAPOL requests and is placed into a “guest” VLAN; a client that fails authentication is placed into a restricted VLAN. The VLAN used for each of these can be the same or different depending upon your architecture; however, it must exist on the switch before clients are assigned to it.

In the case of authentication failure, you must specify the number of times that the switch should retry authentication before assigning the user to the restricted VLAN. The command for this is:


Router(config-if)# authentication event fail retry number action authorize vlan vlan-id


To assign a client that does not respond to EAPOL (no supplicant) to the guest VLAN:

Router(config-if)# authentication event no-response action authorize vlan vlan-id

Note: The 802.1X authentication attempt must fail before the switch will assign the user to the guest VLAN. This time can be configured to be shorter on the interfaces upon which you expect to have guest connections by using the dot1x timeout quiet-period and dot1x timeout tx-period commands.
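As an added example (not code from the page or from Cisco), here is a small Python audit that checks a saved running-config against Tasks 1 through 7 above: it confirms that 802.1X is enabled globally and flags access ports still sitting at the force-authorized default that the earlier Tip warns about, while skipping trunk ports where 802.1X is not supported. The config excerpt, IP address, key, VLAN numbers and interface names are constructed sample values, and the audit assumes the `authentication` or `dot1x port-control` syntax shown on this page.

```python
import re
# Constructed running-config excerpt (not from the page) that applies Tasks 1-7;
# Fa1/2 is deliberately left at the force-authorized default the Tip warns about.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key rad123
dot1x system-auth-control
!
interface FastEthernet1/0
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 1800
 authentication event fail retry 2 action authorize vlan 99
 authentication event no-response action authorize vlan 98
 dot1x timeout tx-period 10
 dot1x timeout quiet-period 30
!
interface FastEthernet1/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet1/15
 switchport mode trunk
!
"""
# Accept both the newer 'authentication' and the older 'dot1x' command forms.
PORT_CONTROL = re.compile(r"^(?:authentication|dot1x) port-control (\S+)$")

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def audit_dot1x(config):
    """Report access ports whose port-control is not 'auto' (default is force-authorized)."""
    findings = []
    if "dot1x system-auth-control" not in config.splitlines():
        findings.append("global: dot1x system-auth-control missing")
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunk and dynamic ports cannot run 802.1X
        matches = [m.group(1) for c in cmds if (m := PORT_CONTROL.match(c))]
        state = matches[-1] if matches else "force-authorized (default)"
        if state != "auto":
            findings.append(f"{name}: port-control is {state}")
    return findings
```

Running `audit_dot1x(SAMPLE_CONFIG)` reports only FastEthernet1/2, the port that was never set to auto.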

Verifying 802.1X

To verify the operational status of the 802.1X configuration on your device:

Router# show dot1x all


To see the authorization state of each of the interfaces on which you have 802.1X authentication configured:

Router# show dot1x all summary


Debug commands:

Router# debug dot1x ?

  all              All Dot1x debugging messages turned on
  errors           Errors
  events           Events
  feature          Features
  packets          Packets
  redundancy       Redundancy
  registry         Registries
  state-machine    State machine

GNS3 Examples
