IEEE 802.1x Port-Based Authentication: Difference between revisions

From ITCwiki

Revision as of 02:07, 12 May 2010

IEEE 802.1x Port-Based Authentication

IEEE 802.1x is a standard for port-based network access control. It is an authentication method for devices attempting to connect to a LAN. Its purpose is to prevent unauthorized devices from joining the network and accessing resources on it.

802.1x authentication involves 3 devices:

1. Client device

2. Authenticator

3. Authentication Server

The client device, a laptop for example, must be running client software compliant with IEEE 802.1x. Windows XP, Windows Vista and Windows 7 all offer such software.

The authenticator can be an Ethernet switch or a wireless access point.

The authentication server is usually a host running software that supports both the RADIUS and EAP protocols.

EAP = Extensible Authentication Protocol
RADIUS = Remote Authentication Dial In User Service (a networking protocol)

The authenticator prevents the client device from accessing the network until the client device's identity has been authorized. The client device will need to provide credentials, such as a username and password, to the authenticator. The authenticator will forward the credentials to the authentication server for verification. If the authentication server deems the supplied credentials valid, the client is allowed to access the network.

Once a client device is plugged into a port on the switch (authenticator), the authentication process may begin. The authenticator will transmit EAP-Request Identity frames to the client device. (The client can also initiate authentication by sending an EAPOL-Start frame to the authenticator. The authenticator would then reply with an EAP-Request Identity frame.) The client device will respond with an EAP-Response Identity frame that contains identity information such as a username and password. The authenticator will send the response from the client to the authentication server in the form of a RADIUS Access-Request packet. At this point the authentication server and client must agree upon an EAP method to use for authentication. Once an agreement is made, EAP Requests and Responses are exchanged between the client and server until the server responds with an EAP-Success message or an EAP-Failure message. Once authentication is successful, the authenticator sets the port to the authorized state and traffic is allowed. If authentication is not successful, the port remains in the unauthorized state. When the client decides to log off, it sends an EAPOL-Logoff message to the authenticator and the port is once again set to the unauthorized state.
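The following Python is an added example (not from this wiki page) that decodes the EAPOL and EAP headers the exchange above is built from and drives the authenticator's port state exactly as described: EAPOL-Start is answered with EAP-Request/Identity, the Response/Identity is captured for forwarding to RADIUS, only the server's EAP-Success opens the port, and EAPOL-Logoff or EAP-Failure closes it again. The constants are the standard EAPOL packet types and EAP codes; the AuthenticatorPort class and its method names are this example's own.

```python
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY = 1

def build_eapol(ptype, body=b"", version=1):
    """EAPOL header: protocol version, packet type, body length, then the body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body

def parse_eapol(frame):
    """Decode an EAPOL frame and, for EAP-Packet frames, the EAP header inside it; both length fields are checked so a truncated frame raises instead of misparsing."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    pkt = {"version": version, "type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        return pkt                      # EAPOL-Start and EAPOL-Logoff carry no EAP body
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])   # EAP: code, identifier, length
    if not 4 <= eap_len <= len(body):
        raise ValueError("bad EAP length")
    pkt.update(code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:  # Request/Response: type byte + data
        pkt["eap_type"], pkt["data"] = body[4], body[5:eap_len]
    return pkt

class AuthenticatorPort:
    """Hypothetical switch port: unauthorized until the server's EAP-Success; EAPOL-Logoff or EAP-Failure closes it again."""
    def __init__(self):
        self.authorized, self.identity = False, None

    def from_supplicant(self, frame):
        """Handle a frame from the client; returns the EAPOL frame to send back, or None."""
        pkt = parse_eapol(frame)
        if pkt["type"] == EAPOL_START:  # client-initiated: answer with EAP-Request/Identity (id 1)
            return build_eapol(EAPOL_EAP_PACKET, struct.pack("!BBHB", EAP_REQUEST, 1, 5, EAP_TYPE_IDENTITY))
        if pkt["type"] == EAPOL_LOGOFF:
            self.authorized, self.identity = False, None
        elif pkt.get("code") == EAP_RESPONSE and pkt.get("eap_type") == EAP_TYPE_IDENTITY:
            self.identity = pkt["data"].decode("utf-8", "replace")  # what the switch forwards in the RADIUS Access-Request

    def from_server(self, eap_packet):
        """Apply the server's final EAP verdict, then relay it to the client inside EAPOL."""
        self.authorized = eap_packet[0] == EAP_SUCCESS  # anything other than Success leaves the port closed
        return build_eapol(EAPOL_EAP_PACKET, eap_packet)
```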


SWITCH CONFIGURATION for IEEE 802.1x Authentication

Step 1: Enter global configuration mode

Switch# configure terminal

Step 2: Enable AAA

Switch(config)# aaa new-model

Step 3: Create an IEEE 802.1x authentication method list

Switch(config)# aaa authentication dot1x group radius

Step 4: Enable IEEE 802.1x authentication globally on the switch

Switch(config)# dot1x system-auth-control

Step 5: Specify the port connected to the client that you want enabled for IEEE 802.1x authentication

Switch(config)# interface fa0/6

Step 6: Enable IEEE 802.1x authentication on the port

Switch(config-if)# dot1x port-control auto

Use the "show dot1x" command to verify the entries you made, then save your configuration.

The following command must also be added to the switch for communication with the RADIUS server (authentication server). The command is "radius-server host (hostname | ip-address) auth-port (port-number) key (string)". Either a hostname or an IP address may be entered. For the auth-port, specify the UDP destination port for authentication requests, from a range of 0 to 65536. The key string is a text string that must match the encryption key configured on the RADIUS server. Below is an example configuration.

Switch(config)# radius-server host 172.16.0.1 auth-port 1520 key ccna123