That Topology explains it all, no further explanation is needed, thanks for stopping by!
Well, there are a few more details to know, which I’ll run through here with a quick configuration to top it off, not too much switch based with this post for once 🙂
Dot1x Fundamentals and details
Dot1x can be run along side Port-Security, to also provide Port-Based Authentication, to very oddly a RADIUS Server – You cannot use Cisco TACACS or TACACS+ to run Dot1x.
Dot1X uses EAPOL (Extensible Authentication Protocol over LAN) uses a RADIUS Server also running EAP extensions to authenticate the device plugging into the port, whereas Port-Security just checks the Source Frame and away we go. The Host actually needs to be configured for Dot1x as well, or it will not Authenticate, which is a first I believe in Cisco studies thus far.
There are a few names to the Topology above that should be noted here:
- Host = Supplicant
- Switch = Authenticator
- RADIUS Server = Authentication Server
If you’ve never worked with RADIUS, it is an NPS (Network Policy Server) Server Role, that gets configured for VPN authentication for users, or in this case for Dot1x authentication. It is simply an Authentication role on a Windows Server.
Supplicants plugging into a Dot1x configured switchport are using a single physical cable, but are logically divided into “controlled” and “uncontrolled” ports by Dot1x at the switchport, which is handled by Dot1x and doesn’t need manual configuration – Though we do have to handle the configuration of the Supplicant (Host) itself for Dot1x.
The “controlled” port is not allowed to send Data Traffic until the Supplicant has been authenticated by the RADIUS Authentication Server, the “uncontrolled” port is allowed to send EAPOL / STP / CDP traffic to the RADIUS Server to Authenticate the Host.
So “Controlled” ports are used for normal Data Traffic, “Uncontrolled” for Authentication.
One oddity for Dot1x authentication between the Host and the Switch, is that for Data Traffic to be permitted by the switch, only the Host must be configured with Dot1x. If there is no Dot1x configuration on the switch requiring Authentication, the Host goes right on ahead with Data Transmission, as illustrated for total clarity in these cool pics:
So if a PC / Phone (Supplicant) is not stopped at the door for Authentication, it is going to work like nothing is wrong, as if Dot1x were not configured.
Now for some RADIUS Authentication Server / Dot1x Configuration on the switch!
This is kind of a gotcha in real life when configuring Auth Servers on Cisco Devices CLI, as seen here, you don’t get many options until you “unlock” them in the CLI:
Enter configuration commands, one per line. End with CNTL/Z.
new-model Enable NEW access control commands and functions.(Disables OLD
SW1(config)#aaa new-model ?
accounting Accounting configurations parameters.
attribute AAA attribute definitions
authentication Authentication configurations parameters.
authorization Authorization configurations parameters.
cache AAA cache definitions
common-criteria AAA Common Criteria
configuration Authorization configuration parameters.
dnis Associate certain AAA parameters to a specific DNIS number
group AAA group definitions
local AAA Local method options
max-sessions Adjust initial hash size for estimated max sessions
memory AAA memory parameters
nas NAS specific configuration
new-model Enable NEW access control commands and functions.(Disables
password Configure password/secret related settings
pod POD processing
policy AAA policy parameters
server Local AAA server
service-profile Service-Profile parameters
session-id AAA Session ID
traceback Traceback recording
user AAA user definitions
We will be coming back to the “aaa authentication …” config shortly.
However I wanted to demonstrate that issuing “aaa new-model” is telling the device you intend to setup authentication, it then gives the commands needed to do so.
Now there are two different ways to configure RADIUS Server, first of which gives a funny message telling you that you’re getting outdated:
SW1(config)#radius-server host 10.0.0.250 key CCIE
Warning: The CLI will be deprecated soon
‘radius-server host 10.0.0.250 key CCIE ‘
Please move to ‘radius server <name>’ CLI.
That is the first time I have ever seen a CLI output tell me I need to get with the times, so I will IOS help my way through using the syntax of ‘radius server …’ :
SW1(config)#radius server ?
WORD Name for the radius server configuration
SW1(config)#radius server RADIUS ?
SW1(config)#radius server RADIUS
RADIUS server sub-mode commands:
address Specify the radius server address
automate-tester Configure server automated testing.
backoff Retry backoff pattern(Default is retransmits with constant
exit Exit from RADIUS server configuration mode
key Per-server encryption key
no Negate a command or set its defaults
non-standard Attributes to be parsed that violate RADIUS standard
pac Protected Access Credential key
retransmit Number of retries to active server (overrides default)
timeout Time to wait (in seconds) for this radius server to reply
ipv4 IPv4 Address
ipv6 IPv6 Address
SW1(config-radius-server)#address ipv4 ?
Hostname or A.B.C.D IPv4 Address of radius server
SW1(config-radius-server)#address ipv4 10.0.0.250 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
SW1(config-radius-server)#address ipv4 10.0.0.250
%Server already exists with same address port combination.
And so on. That is the equivalent of what was configured initially (as seen by that last piece of output, also different Cisco devices will be configured with different syntax, so keep in mind it may show up in different formats on exam day and on the job.
Next up is configuration is an “aaa authentication”:
SW1(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
onep Set authentication lists for ONEP
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
suppress Do not send access request for a specific type of user.
username-prompt Text to use when prompting for a username
SW1(config)#aaa authentication dot1x ?
WORD Named authentication list (max 31 characters, longer will be
default The default authentication list.
SW1(config)#aaa authentication dot1x default ?
cache Use Cached-group
group Use Server-group
local Use local username authentication.
SW1(config)#aaa authentication dot1x default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
SW1(config)#aaa authentication dot1x default group radius ?
cache Use Cached-group
group Use Server-group
local Use local username authentication.
SW1(config)#aaa authentication dot1x default group radius
So the final long winded command for a simple setup is at the very end highlighted in red, however notice there is options to keep configuring groups / users after defining the RADIUS Server Group option, something that may come up later in AAA studies.
The last global config command to enable Dot1x:
auth-fail Set 802.1x Fail Authentication parameter
credentials Configure 802.1X credentials profiles
critical Set 802.1x Critical Authentication parameters
guest-vlan Configure Guest Vlan and 802.1x Supplicant behavior
logging Set logging parameters
supplicant 802.1X supplicant configuration
system-auth-control Enable or Disable SysAuthControl
test Configure dot1x test related parameters
SW1(config)#dot1x system-auth-control ?
I would guess at this point we could go back to the friendly pictures of Green Auth arrows and Blue Data arrows, but its not over yet 🙂
Now to finalize the Dot1x configuration at the interface level (two possible ways!)
On this 3750 there is an equivalent command, I am not sure if “dot1x port-control (type)” will be used on exam day, or this one ON THE INTERFACE:
control-direction Set the control-direction on the interface
event Set action for authentication events
fallback Enable the Webauth fallback mechanism
host-mode Set the Host mode for authentication on this interface
linksec Configure link security parameters
open Enable or Disable open access on this port
order Add an authentication method to the order list
periodic Enable or Disable Reauthentication for this port
port-control Set the port-control value
priority Add an authentication method to the priority list
timer Set authentication timer values
violation Configure action to take on security violations
SW1(config-if)#authentication port-control ?
auto PortState set to automatic
force-authorized PortState set to AUTHORIZED
force-unauthorized PortState set to UnAuthorized
All of these have a <cr> at the end, so I won’t go further into those commands to demo.
One last quick example of the exact commands to enable Dot1X Authentication then apply it on the interfaces using a “port-control” cmd at the interface:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# dot1x system-auth-control
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Courtesy of DelVonte on Cisco forums cited from this thread.
So that is a good straight forward, no bull, configuration of Dot1X configuration!
However for exam day, as I am running a 15.x imagine, I am not sure if “dot1x port-control …” will be an option, so remember “auth port-control” on the interface if the dot1x command is not working!
To explain the 3 port-control Dot1X options:
- port-control “auto” – Allows host to Authorize via exchange of dot1x messages
- port-control “force-authorized” = Unconditionally authorize the host on this port, requiring no authentication (This is the default for some reason)
- port-control “force-unauthorized” = Unconditionally NEVER authorizes the host so it cannot send traffic to the switchport
THIS PAGE IS NOW OFFICIALLY UNDER CONSTRUCTION UNTIL I CAN RESEARCH DOT1X MORE!
I need to research Dot1X more, and finish my AAA posts up for RADIUS and TACACS+ so I can reconfigure this, and get a full explanation as these will be points on exam day!