IEEE 802.1x Port-Based Authentication
IEEE 802.1x Port-Based Authentication
IEEE 802.1x is a standard for port-based network access control. It is an authentication method for devices attempting to connect to a LAN. It's purpose is to prevent unauthorized devices from joining and accessing resources on the network.
802.1x authentication involves 3 devices:
1. Client device
2. Authenticator
3. Authentication Server
The client device, a laptop for example, must be running client software compliant with IEEE 802.1x. Windows XP, Windows Vista and Windows 7 all offer such software.
The authenticator can be a ethernet switch and can also come in the form of a wireless access point.
The authentication server is usually a host running software that supports both RADIUS and EAP protocols.
EAP = Extensible Authentication Protocol RADIUS = Remote Authentication Dial In User Service networking protocol
The authenticator prevents the client device from accessing the network until the client device's identity has been authorized. The client device will need to provide credentials, such as a username & password, to the authenticator. The authenticator will forward the credentials to the authentication server for verification. If the credentials supplied are deemed to be valid by the authentication server, the client is allowed to access the network
Once a client device is plugged into a port on the switch (authenticator) the authentication process may begin. The authenticator will transmit EAP-Request Identity frames to the client device. (The client can also initiate authentication by sending a EAPOL-Start frame to the authenticator. The autheticator would then reply with an EAP-Request Identity frame). The client device will respond with a EAP-Response Identity frame that contains identity information such as a username and password. The authenticator will send the response from the client to the authentication server in the form of a RADIUS Access Request packet. At this point the authentication server and client must agree upon an EAP method to use for authentication. Once an agreement is made, EAP requests and Responses are sent between the client and server until the server responds with an EAP-Success message or an EAP-Failure message. Once authentication is successful the authenticator sets the port in the authorized state and traffic is allowed. If authentication is not successful, the port remains in a unauthorized state. When the client decides to log off, it will then send an EAPOL-logoff message to the authenticator and the port is once again set to a unauthorized state.
SWITCH CONFIGURATION for IEEE 802.1x Authentication
Step 1: Enter global configuration mode
Switch# configure terminal
Step 2: Enable AAA
Switch(config)# aaa new-model
Step 3: Create an IEEE 802.1x authentication method list
Switch(config)# aaa authentication dot1x group radius
Step 4: Enable IEEE 802.1x authentication globally on the switch
Switch(config)# dot1x system-auth-control
Step 5: Specify the port connected to the client that you want enabled for IEEE 802.1x authentication
Switch(config)# interface fa0/6
Step 6: Enable IEEE 802.1x authentication on the port
Switch(config-if)# dot1x port-control auto
Use the "show dot1x" command to verify the entries you made and save your configurations.
The following command must also be added to the switch for communication with the Radius Server (authentication server). The command is "radius-server host (hostname | ip address) auth-port (port-number) key (string). Either a hostname or ip address may be entered. For the auth-port, you need to specify the UDP destination port for authentication requests within the range of 0 to 65536. The key string is a text string that must be the same as the encryption key used on the radius server. Below is an example configuration.
Switch(config)# radius-server host 172.16.0.1 auth-port 1520 key ccna123