Cisco 802.1x Concepts and Configuration
Date: Oct 31, 2011
The IEEE 802.1x standard was developed to provide a method to authenticate devices attempting to access a switchport. Access to a switchport in most organizations provides access to the internal network and with this, a direct connection to multiple resources that require a high level of security. The IEEE 802.1x standard is one of the technologies that can be used to provide security in these situations. The standard provides a method to allow traffic to be sent and received over a switchport after an authentication sequence has been performed. Authentication credentials are handled by a central authentication server; once this process has succeeded the switchport will allow traffic as normal. This article takes a look at the different roles that are defined within the standard, a general review of how the process works and a review of how the basic configuration is performed on a Cisco device.
Concepts
There are some basic roles that are defined within the IEEE 802.1x standard:
- Supplicant: The end device that is requesting access to the network.
- Authentication Server: The device that performs the actual authentication of the requesting supplicant. The authentication server verifies the credentials of the supplicant and notifies the authenticator to open the switchport upon authentication success.
- Authenticator: The device that directly controls the switchport that connects to the supplicant. The authenticator acts as an intermediary between the supplicant and the authentication server by allowing traffic to be passed between them and acting on authentication success by authorizing a switchport to send traffic.
Each switchport configured to be an IEEE 802.1x supplicant can be in one of two states: unauthorized or authorized. An unauthorized switchport will only allow three types of traffic: Extensible Authentication Protocol over LAN (EAPOL) (used for authentication), Cisco Discovery Protocol (CDP) and Spanning Tree Protocol (STP); once the switchport has successfully authenticated, normal traffic is allowed freely.
Authentication traffic between the supplicant and the authentication server is handled through the Extensible Authentication Protocol (EAP). In LAN environments, the EAP packet is encapsulated in an EAPOL packet transported over the LAN to the authenticator and then re-encapsulated inside a Remote Authentication Dial In User Service (RADIUS) packet. There are a number of different EAP methods that can be used to authenticate, some of these include:
- EAP-MD5: A method that uses a Message Digest algorithm 5 (MD5) challenge-response for authentication.
- PEAP w/MS-CHAP: Protected EAP is an IETF draft that supports many EAP-encapsulating methods within a protected Transport Layer Security (TLS) tunnel.
- LEAP: Lightweight EAP is a Cisco proprietary method that uses mutual authentication to validate a user; authentication occurs through a shared secret.
- EAP-TLS: An IETF standard (RFC 2716) that is based on the TLS protocol; operation is similar to LEAP except that EAP-TLS uses public key cryptography instead of shared secrets for authentication. EAP-TLS requires that both the supplicant and the authentication server be authenticated.
- EAP-TTLS: Defined in RFC 5281, EAP-TTLS combines attributes of the earlier methods. EAP-TTLS uses a TLS tunnel between the authentication server and the supplicant (like EAP-TLS) and, like PEAP, has a second tunnel inside the first that is used to encapsulate other EAP methods. Unlike EAP-TLS, EAP-TTLS does not require that both the authentication server and the supplicant be authenticated.
- EAP-FAST: Flexible Authentication via Secure Tunneling was developed by Cisco (RFC 4851) for organizations that want a method that uses strong passwords and does not rely on digital certificates.
Configuration
There are a number of things that must be reviewed before configuring IEEE 802.1x on a Cisco device. On Cisco devices there are three different IEEE 802.1x switchport states to select from; these include:
- Auto: While in this mode, the switchport begins in an unauthorized state and allows only EAPOL, CDP and STP traffic; once authenticated, the switchport is opened to all normal traffic.
- Forced-Authorized: While in this mode, IEEE 802.1x is essentially disabled, as all traffic is allowed. This is the default switchport state.
- Forced-Unauthorized: While in this mode, the port ignores all traffic, including attempts to authenticate.
As will be shown, the final step in a typical IEEE 802.1x configuration is changing the switchport state to Auto.
Another option that is available is altering the switchport host mode. By default, a switchport will only allow a single host to be authenticated at a time. However, this behavior can be altered by changing the switchport host mode. There are a number of different host modes that are supported; these include:
- Single-host: This is the default host mode. While in this mode, the switchport allows only a single host to be authenticated and to pass traffic at a time.
- Multi-auth: While in this mode, multiple devices are allowed to independently authenticate through the same port.
- Multi-domain: While in this mode, the authenticator allows one host from the data domain and one from the voice domain; this is a typical configuration on switchports with IP phones connected.
- Multi-host: While in this mode, the first device to authenticate opens the switchport so that all other devices can use the port. These other devices are not required to authenticate independently; if the authenticated device becomes unauthorized, the switchport is closed.
As shown, there are a number of different ways that IEEE 802.1x can be configured; this article only shows the commands for a basic configuration. More advanced configuration options can be found at Cisco.com.
Table 1 below shows the commands that can be used for basic IEEE 802.1x configuration.
Table 1
Step | Description | Command
Step 1 | Enter privileged mode | router>enable
Step 2 | Enter global configuration mode | router#configure terminal
Step 3 | Globally enable IEEE 802.1x | router(config)#dot1x system-auth-control
Step 4 | Enable AAA | router(config)#aaa new-model
Step 5 | Enable IEEE 802.1x AAA authentication | router(config)#aaa authentication dot1x default group radius
Step 6 | Enter interface configuration mode | router(config)#interface interface
Step 7 | Configure the switchport mode to access | router(config-if)#switchport mode access
Step 8 | Configure the switchport to act as the IEEE 802.1x authenticator | router(config-if)#dot1x pae authenticator
Step 9 | (Optional) Configure the switchport IEEE 802.1x host mode | router(config-if)#authentication host-mode [single-host | multi-auth | multi-domain | multi-host]
Step 10 | Configure the switchport IEEE 802.1x state | router(config-if)#authentication port-control [auto | force-authorized | force-unauthorized]
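The steps in Table 1 assembled into one running configuration for a port with an IP phone and a PC behind it, as an added example that is not from the original article. The RADIUS server address, shared secret, interface name and VLAN numbers are assumed placeholders; the RADIUS server definition is a step Table 1 does not list but that the "group radius" method list requires.

```text
! Added example: basic IEEE 802.1x authenticator configuration on a Cisco IOS switch.
! Assumed values: RADIUS server 10.0.0.5, a placeholder shared secret,
! interface GigabitEthernet1/0/10, data VLAN 20, voice VLAN 30.
aaa new-model
aaa authentication dot1x default group radius
! The "group radius" method list needs at least one RADIUS server to talk to.
! (Newer IOS releases also accept the "radius server <name>" form.)
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
! Globally enable IEEE 802.1x; per-interface dot1x settings do nothing without this.
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! One data host plus one voice-domain host (the phone) per port.
 authentication host-mode multi-domain
 ! Final step: move the port from the default force-authorized state to auto.
 authentication port-control auto
 dot1x pae authenticator
!
! Verification from privileged exec mode:
! show dot1x interface GigabitEthernet1/0/10
! show authentication sessions interface GigabitEthernet1/0/10
```

Because the default port-control state is force-authorized, a configuration that stops before the last interface step passes all traffic with no authentication at all; the show commands confirm the port is actually in the auto state and which sessions are authorized.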
Summary
There are a number of different configuration possibilities that can be used when implementing IEEE 802.1x that enable it to fit into almost any environment and to solve a number of physical switchport security issues. This article only takes a look at the highlights of what is available; those responsible for these areas of an organization's network should take a close look at what is possible with the equipment being used and take advantage of these features. Hopefully, this article has given enough of an introduction to what is possible with IEEE 802.1x and will help in its future use.