dot1x_top

That Topology explains it all, no further explanation is needed, thanks for stopping by!

Well, there are a few more details to know, which I’ll run through here with a quick configuration to top it off, not too much switch based with this post for once 🙂

Dot1x Fundamentals and details

Dot1x can be run along side Port-Security, to also provide Port-Based Authentication, to very oddly a RADIUS Server – You cannot use Cisco TACACS or TACACS+ to run Dot1x.

Dot1X uses EAPOL (Extensible Authentication Protocol over LAN) uses a RADIUS Server also running EAP extensions to authenticate the device plugging into the port, whereas Port-Security just checks the Source Frame and away we go. The Host actually needs to be configured for Dot1x as well, or it will not Authenticate, which is a first I believe in Cisco studies thus far.

There are a few names to the Topology above that should be noted here:

  • Host = Supplicant
  • Switch = Authenticator
  • RADIUS Server = Authentication Server

If you’ve never worked with RADIUS, it is an NPS (Network Policy Server) Server Role, that gets configured for VPN authentication for users, or in this case for Dot1x authentication. It is simply an Authentication role on a Windows Server.

Supplicants plugging into a Dot1x configured switchport are using a single physical cable, but are logically divided into “controlled” and “uncontrolled” ports by Dot1x at the switchport, which is handled by Dot1x and doesn’t need manual configuration – Though we do have to handle the configuration of the Supplicant (Host) itself for Dot1x.

The “controlled” port is not allowed to send Data Traffic until the Supplicant has been authenticated by the RADIUS Authentication Server, the “uncontrolled” port is allowed to send EAPOL / STP / CDP traffic to the RADIUS Server to Authenticate the Host.

So “Controlled” ports are used for normal Data Traffic, “Uncontrolled” for Authentication.

One oddity for Dot1x authentication between the Host and the Switch, is that for Data Traffic to be permitted by the switch, only the Host must be configured with Dot1x. If there is no Dot1x configuration on the switch requiring Authentication, the Host goes right on ahead with Data Transmission, as illustrated for total clarity in these cool pics:

dot1x_top2

So if a PC / Phone (Supplicant) is not stopped at the door for Authentication, it is going to work like nothing is wrong, as if Dot1x were not configured.

Now for some RADIUS Authentication Server / Dot1x Configuration on the switch!

This is kind of a gotcha in real life when configuring Auth Servers on Cisco Devices CLI, as seen here, you don’t get many options until you “unlock” them in the CLI:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#aaa ?
new-model Enable NEW access control commands and functions.(Disables OLD
commands.)

SW1(config)#aaa new-model ?
<cr>

SW1(config)#aaa new-model
SW1(config)#aaa ?
accounting Accounting configurations parameters.
attribute AAA attribute definitions
authentication Authentication configurations parameters.
authorization Authorization configurations parameters.
cache AAA cache definitions
common-criteria AAA Common Criteria
configuration Authorization configuration parameters.
dnis Associate certain AAA parameters to a specific DNIS number
group AAA group definitions
local AAA Local method options
max-sessions Adjust initial hash size for estimated max sessions
memory AAA memory parameters
nas NAS specific configuration
new-model Enable NEW access control commands and functions.(Disables
OLD commands.)
password Configure password/secret related settings
pod POD processing
policy AAA policy parameters
server Local AAA server
service-profile Service-Profile parameters
session-id AAA Session ID
traceback Traceback recording
user AAA user definitions

SW1(config)#aaa

We will be coming back to the “aaa authentication …” config shortly.

However I wanted to demonstrate that issuing “aaa new-model” is telling the device you intend to setup authentication, it then gives the commands needed to do so.

Now there are two different ways to configure RADIUS Server, first of which gives a funny message telling you that you’re getting outdated:

SW1(config)#radius-server host 10.0.0.250 key CCIE
Warning: The CLI will be deprecated soon
‘radius-server host 10.0.0.250 key CCIE ‘
Please move to ‘radius server <name>’ CLI.

That is the first time I have ever seen a CLI output tell me I need to get with the times, so I will IOS help my way through using the syntax of ‘radius server …’ :

SW1(config)#radius server ?
WORD Name for the radius server configuration

SW1(config)#radius server RADIUS ?
<cr>

SW1(config)#radius server RADIUS
SW1(config-radius-server)#?
RADIUS server sub-mode commands:
address Specify the radius server address
automate-tester Configure server automated testing.
backoff Retry backoff pattern(Default is retransmits with constant
delay)
exit Exit from RADIUS server configuration mode
key Per-server encryption key
no Negate a command or set its defaults
non-standard Attributes to be parsed that violate RADIUS standard
pac Protected Access Credential key
retransmit Number of retries to active server (overrides default)
timeout Time to wait (in seconds) for this radius server to reply
(overrides default)

SW1(config-radius-server)#key CCIE
SW1(config-radius-server)#address ?
ipv4 IPv4 Address
ipv6 IPv6 Address

SW1(config-radius-server)#address ipv4 ?
Hostname or A.B.C.D IPv4 Address of radius server

SW1(config-radius-server)#address ipv4 10.0.0.250 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
<cr>

SW1(config-radius-server)#address ipv4 10.0.0.250
%Server already exists with same address port combination.
SW1(config-radius-server)#

And so on. That is the equivalent of what was configured initially (as seen by that last piece of output, also different Cisco devices will be configured with different syntax, so keep in mind it may show up in different formats on exam day and on the job.

Next up is configuration is an “aaa authentication”:

SW1(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
onep Set authentication lists for ONEP
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
suppress Do not send access request for a specific type of user.
username-prompt Text to use when prompting for a username

SW1(config)#aaa authentication dot1x ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.

SW1(config)#aaa authentication dot1x default ?
cache Use Cached-group
group Use Server-group
local Use local username authentication.

SW1(config)#aaa authentication dot1x default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.

SW1(config)#aaa authentication dot1x default group radius ?
cache Use Cached-group
group Use Server-group
local Use local username authentication.
<cr>

SW1(config)#aaa authentication dot1x default group radius

So the final long winded command for a simple setup is at the very end highlighted in red, however notice there is options to keep configuring groups / users after defining the RADIUS Server Group option, something that may come up later in AAA studies.

The last global config command to enable Dot1x:

SW1(config)#dot1x ?
auth-fail Set 802.1x Fail Authentication parameter
credentials Configure 802.1X credentials profiles
critical Set 802.1x Critical Authentication parameters
guest-vlan Configure Guest Vlan and 802.1x Supplicant behavior
logging Set logging parameters
supplicant 802.1X supplicant configuration
system-auth-control Enable or Disable SysAuthControl
test Configure dot1x test related parameters

SW1(config)#dot1x system-auth-control ?
<cr>

SW1(config)#dot1x system-auth-control
SW1(config)#

I would guess at this point we could go back to the friendly pictures of Green Auth arrows and Blue Data arrows, but its not over yet 🙂

Now to finalize the Dot1x configuration at the interface level:

SW1(config-if)#dot1x ?
authenticator Configure authenticator parameters
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts

Hmmm, I seem to be missing my option here “port-control”, and I’m not sure if it is outdated or my hardware isn’t quite up to speed, but it has 3 options to know about:

  • port-control “force-authorized” = Unconditionally authorize the host on this port, requiring no authentication (This is the default for some reason)
  • port-control “force-unauthorized” = Unconditionally NEVER authorizes the host
  • port-control “auto” – Allows host to Authorize via exchange of dot1x messages

It seems like the command “port-control” may have been outdated, and the new command is as follows here:

SW1(config-if)#dot1x default ?
<cr>

Those other port-control commands just seemed weird to begin with, so it wouldn’t surprise me to have phased them out in the 15.x IOS images for MLS Switches.

And that is all I have to say about Dot1x!

It seems like a lot, but just remember to configure the following:

  • “aaa new-model”
  • “(radius server IP and Key)”
  • “dot1q system-auth-control”
  • Interface level commands

I don’t expect this to be a huge part of SWITCH outside of knowing the concepts and some light configs as shown here, so without further ado, onto SPAN in the next post!