
Thursday, 3 November 2011

Wired 802.1x port authentication

I promised in my last post that I was gonna write something up on CUPC, well, guess what: I am not. I came across an IEEE 802.1x (dot1x from now on) port authentication implementation for a customer of ours, and since you hardly come across any dot1x implementations, I thought it would be worth posting. Also as a recap for myself, because before last week I had only come across it on paper, in my CCNP exams.


This particular implementation is configured on a 3750 running 12.2(55)SE3 (no, not a 3750X!).

Step 1: Enable dot1x globally with the "dot1x system-auth-control" command.

To verify that dot1x is globally enabled:




#show dot1x
Sysauthcontrol Enabled
Dot1x Protocol Version 3


Step 2: Configure the access ports:



interface GigabitEthernet1/0/11
switchport mode access
switchport voice vlan 21
authentication event fail action authorize vlan 32
authentication event no-response action authorize vlan 32
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast



This configuration attempts 802.1x authentication first (EAPOL between the switch and the client, RADIUS between the switch and the RADIUS server). If authentication is successful, the port is authorized and begins forwarding traffic.
If authentication fails, or if no response is received

Issue the following command to verify the authorization status of a port:

#show dot1x int gi1/0/1 details

Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED



Port Gi1/0/1 in the example above is Unauthorized (actually, it was unplugged when I issued the command).


Of course the "guest VLAN" is optional. In this particular case VLAN 32 was set up as a DMZ VLAN, with its default gateway IP address on a firewall, so a host that fails or does not answer authentication only ever lands behind the firewall.

You can configure an 802.1X port for single-host or for multi-host mode. In single-host mode, only one host is allowed on an 802.1X port. When the host is authenticated, the port is placed in the authorized state; when the host leaves the port, the port becomes unauthorized. Packets from hosts other than the authenticated one are dropped. In multi-host mode, only the first attached host has to authenticate: once the port is authorized, frames from any other MAC address on that port are forwarded as well, so the phone (or whatever answers first) effectively opens the port for everything behind it. Multi-domain mode, which authenticates one voice device and one data device on the port separately, is the alternative for phone-plus-PC ports. Because the access port can contain phones, I have opted for the multi-host mode.


The "dot1x pae authenticator" interface configuration command, on a switch stack or on a standalone switch, configures the port as an IEEE 802.1x port access entity (PAE) authenticator, i.e. the side that relays the supplicant's EAP exchange to the authentication server.





Step 3: Configure the RADIUS server.

Dot1x uses RADIUS between the switch and the authentication server: the switch, acting as authenticator, carries the client's EAP messages from EAPOL on the access side into RADIUS attributes on the server side and back, so the actual credential check happens on the RADIUS server, not on the switch.

I will not discuss the configuration of the actual RADIUS server itself in this post.

The RADIUS server configuration that I did use is shown below. The shared secret that follows "key 0" (0 meaning it is entered in clear text) is not shown. Ports 1645/1646 are the legacy RADIUS ports; the IANA-assigned ones are 1812/1813, so use whichever your server actually listens on.


radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key 0


Step 4: Configure AAA to use dot1x.

This defines which RADIUS server group (the default group, containing 1.1.1.1 in this example) is used for dot1x authentication. It requires "aaa new-model" to be enabled first; without it the aaa authentication commands are not accepted. The command is:


aaa authentication dot1x default group radius
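The four steps above are easy to get half-done on a switch with a few dozen access ports (global enable present but a port without "authentication port-control auto", or the other way round). The following Python script is an added example of my own, not something from the original post or from Cisco: it parses a saved running-config in the IOS 12.2 syntax used above and reports, per access port, whether dot1x is actually enforced, which host mode is in effect (single-host is the IOS default when none is configured) and which VLANs the fail/no-response actions authorize. The config it runs over is a constructed sample (one port configured as in the post, one open access port, one multi-domain port, one trunk) that is embedded in the script.

```python
"""Audit a Cisco IOS running-config for wired 802.1X enforcement on access ports.
Added example for this post, not the original author's code. Assumes the IOS 12.2
syntax shown in the post and takes the config as a plain string."""
import re

# Constructed sample config for the demo (not a real customer config).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport voice vlan 21
 authentication event fail action authorize vlan 32
 authentication event no-response action authorize vlan 32
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def global_checks(config):
    """Steps 1 and 4 of the post: global dot1x enable and the AAA method list."""
    lines = {l.strip() for l in config.splitlines()}
    return {
        "aaa_new_model": "aaa new-model" in lines,
        "dot1x_enabled": "dot1x system-auth-control" in lines,
        "aaa_dot1x_method": any(l.startswith("aaa authentication dot1x ") for l in lines),
    }

def audit_port(lines):
    """Classify one access port (step 2 of the post); None for non-access ports."""
    if "switchport mode access" not in lines:
        return None
    host_mode = "single-host"  # IOS default when no host-mode is configured
    fail_vlan = no_response_vlan = None
    for l in lines:
        m = re.match(r"authentication host-mode (\S+)$", l)
        if m:
            host_mode = m.group(1)
        m = re.match(r"authentication event fail action authorize vlan (\d+)$", l)
        if m:
            fail_vlan = int(m.group(1))
        m = re.match(r"authentication event no-response action authorize vlan (\d+)$", l)
        if m:
            no_response_vlan = int(m.group(1))
    # Enforcement needs both the port-control and the PAE role on the port.
    enforced = ("authentication port-control auto" in lines
                and "dot1x pae authenticator" in lines)
    findings = []
    if not enforced:
        findings.append("no 802.1X enforcement: port-control auto and/or pae authenticator missing")
    elif host_mode == "multi-host":
        findings.append("multi-host: after the first host authenticates, any MAC on the port is forwarded")
    return {"enforced": enforced, "host_mode": host_mode, "fail_vlan": fail_vlan,
            "no_response_vlan": no_response_vlan, "findings": findings}

def audit_config(config):
    report = {"global": global_checks(config), "ports": {}}
    for name, lines in parse_interfaces(config).items():
        result = audit_port(lines)
        if result is not None:
            report["ports"][name] = result
    return report

if __name__ == "__main__":
    rep = audit_config(SAMPLE_CONFIG)
    print("global:", rep["global"])
    for name, r in rep["ports"].items():
        print(name, r["host_mode"], "enforced" if r["enforced"] else "OPEN", r["findings"])
```

Run it against a real config by replacing SAMPLE_CONFIG with the text of "show running-config"; ports reported as OPEN are plain access ports that bypass dot1x entirely, which on a switch that is supposed to be doing port authentication is usually the first thing to chase.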




For a full dot1x configuration guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sed/configuration/guide/sw8021x.html#wp1065430
