Configuring IEEE 802.1x Port-Based Authentication

Similar documents
Configuring 802.1X Port-Based Authentication

Configuring IEEE 802.1X Port-Based Authentication

With 802.1X port-based authentication, the devices in the network have specific roles.

Configuring IEEE 802.1x Port-Based Authentication

With 802.1X port-based authentication, the devices in the network have specific roles.

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1X. Finding Feature Information. Information About 802.1X

Network Edge Authentication Topology

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication

IEEE 802.1X RADIUS Accounting

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

802.1x Configuration Commands

IEEE 802.1X VLAN Assignment

Chapter 4 Configuring 802.1X Port Security

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

802.1x Configuration. FSOS 802.1X Configuration

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

FiberstoreOS. Security Configuration Guide

Configuring 802.1x CHAPTERS. 1. Overview x Configuration 3. Configuration Example 4. Appendix: Default Parameters

Configuring MAC Authentication Bypass

IEEE 802.1X Multiple Authentication

Configure to Secure a Flexconnect AP Switchport with Dot1x

FSOS Security Configuration Guide

IEEE 802.1X Open Authentication

802.1x Configuration. Page 1 of 11

Controlled/uncontrolled port and port authorization status

802.1x Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1

Configuring Web-Based Authentication

Configuring Port-Based Traffic Control

802.1x Port Based Authentication

Configuring RADIUS Servers

Configuring VLANs. Understanding VLANs CHAPTER

Security Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Configuring Web-Based Authentication

Operation Manual 802.1x. Table of Contents

Configuring Voice VLAN

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

IEEE 802.1ad Support on Provider Bridges

Configuring Web-Based Authentication

Written by Alexei Spirin Wednesday, 02 January :06 - Last Updated Wednesday, 02 January :24

Figure 1 - Controller-Initiated Web Login Flow

Configuring Command Macros

Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN

VLAN Configuration. Understanding VLANs CHAPTER

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Cisco Networking Academy CCNP

Configuring Security for the ML-Series Card

Configuring Port-Based Traffic Control

Configuring Network Admission Control

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Configuring Control-Plane Security

Operation Manual Security. Table of Contents

Configuring DHCP Services for Accounting and Security

Configuring Web-Based Authentication

Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch

Brocade FastIron Flexible Authentication

Index. Numerics. Index 1

Configuring Web-Based Authentication

Cisco ME 3400 Ethernet Access Switch Cisco IOS Commands

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Configuring Port-Based and Client-Based Access Control (802.1X)

Catalyst 4500 Series IOS Commands

Configuring Access and Trunk Interfaces

Configuring Control-Plane Security

RADIUS Change of Authorization

Cisco IOS Quick Reference Guide for IBNS

Configuring VLANs. Understanding VLANs CHAPTER

Configuring Interfaces

IEEE 802.1X with ACL Assignments

Per-User ACL Support for 802.1X/MAB/Webauth Users

Configuring Auto Smartports Macros

RADIUS Change of Authorization Support

accounting (SSID configuration mode) through encryption mode wep

Configuring Interfaces

Verify Radius Server Connectivity with Test AAA Radius Command

Configuring Network Admission Control

accounting (SSID configuration mode) through encryption mode wep accounting (SSID configuration mode) through

Configuration Guide. For 802.1X VLAN Assignment and MAB. T2600G-28TS _v2_ or Above T2600G-52TS_v2_ or Above

Catalyst 4500 Series IOS Commands

Configuring Port-Based Traffic Control

CCBOOTCAMP Webinar 3/15/2011 CCIE Security / RS x. Tim Rowley CCIE#25960, CCSI#33858, CISSP

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Configuring Port-Based Traffic Control

Configuring VLAN Trunks

Abstract. Avaya Solution & Interoperability Test Lab

Understanding and Configuring Private VLANs

NAC: LDAP Integration with ACS Configuration Example

DHCP Server RADIUS Proxy

Configuring SPAN and RSPAN

Configuring IGMP Snooping and MVR

Configuring VLANs. Understanding VLANs CHAPTER

Transcription:

CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to hotels, airports, and corporate lobbies and create insecure environments, 802.1x prevents unauthorized devices (clients) from gaining access to the network. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. Note Some IEEE 802.1x (dot1x Appendix C, Unsupported Commands in Cisco IOS Release 12.2(50)SE. This chapter consists of these sections: Understanding IEEE 802.1x Port-Based Authentication, page 8-1 Configuring IEEE 802.1x Authentication, page 8-10 Displaying IEEE 802.1x Statistics and Status, page 8-24 Understanding IEEE 802.1x Port-Based Authentication Note CDP and STP are supported by default on network node interfaces (NNIs). You can enable CDP and STP on enhanced network interfaces (ENIs). User network nodes (UNIs) do not support CDP or STP. OL-9639-07 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-1

Understanding IEEE 802.1x Port-Based Authentication Chapter 8 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x Accounting Attribute-Value Pairs, page 8-5 IEEE 802.1x Host Mode, page 8-6 Using 802.1x Readiness Check, page 8-7 Using IEEE 802.1x with Port Security, page 8-7 Using IEEE 802.1x with VLAN Assignment, page 8-8 802.1x Switch Supplicant with Network Edge Access Topology (NEAT), page 8-9 Device Roles With IEEE 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 8-1. Figure 8-1 IEEE 802.1x Device Roles Workstations (clients) Authentication server (RADIUS) 101229 Client the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant the Microsoft Knowledge Base article at this URL: http://support.microsoft.com/support/kb/articles/q303/5/97.asp Authentication server 8-2

Switch server s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client. Authentication Initiation and Message Exchange dot1x port-control auto 8-3

Message Exchange Client Authentication server (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/OTP EAP-Response/OTP EAP-Success RADIUS Access-Request RADIUS Access-Challenge RADIUS Access-Request RADIUS Access-Accept Port Authorized EAPOL-Logoff Port Unauthorized 101228 Ports in Authorized and Unauthorized States unauthorized authorized force-authorized force-unauthorized auto 8-4

IEEE 802.1x Accounting IEEE 802.1x Accounting Attribute-Value Pairs Table 8-1 Accounting AV Pairs Attribute number Attribute[1] Attribute[4] Attribute[5] Attribute[6] Attribute[8] Attribute[25] Attribute[30] Attribute[31] AV pair name User-Name NAS-IP-Address NAS-Port NAS-Port-Type Framed-IP-Address Class Called-Station-ID Calling-Station-ID 8-5

Accounting AV Pairs (continued) debug aaa accounting Cisco IOS Debug Command Reference, Release 12.2 debug radius accounting IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines, for more information about AV pairs. IEEE 802.1x Host Mode 8-6

Figure 8-3 Multiple Host Mode Example Access point Authentication server (RADIUS) Wireless clients 101227 Using 802.1x Readiness Check Using IEEE 802.1x with Port Security switchport port-security 8-7

no switchport port-security mac-address mac-address interface-id dot1x re-authenticate interface dot1x violation-mode Using IEEE 802.1x with VLAN Assignment

Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication network [64] Tunnel-Type = VLAN [65] Tunnel-Medium-Type = 802 [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID Attribute[64] must contain the value VLAN 802 VLAN name VLAN ID 802.1x Switch Supplicant with Network Edge Access Topology (NEAT) group user device-traffic-class=switch OL-9639-07 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-9

Figure 8-4 Authenticator and Supplicant Switch using CISP 2 3 4 1 5 205718 1 2 3 4 5 Configuring IEEE 802.1x Authentication 8-10

Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Default IEEE 802.1x Configuration Default IEEE 802.1x Configuration Feature Default Setting OL-9639-07 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

Configuring IEEE 802.1x Authentication Chapter 8 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x Configuration Guidelines Maximum Number of Allowed Devices Per Port Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-07

Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring 802.1x Readiness Check Step 1 Command Purpose Note Step 1 Step 2 Step 3 Step 4 switch# dot1x test eapol-capable interface gigabitethernet1/0/13 DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable OL-9639-07 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

Configuring IEEE 802.1x Authentication Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Violation Modes Command Purpose Step 1 Step 2 Step 3 { } Create an IEEE 802.1x authentication method list. To create a default list that is used when a named list is specified in the command, use the keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports. For, enter the keywords to use the list of all RADIUS servers for authentication. Though other keywords are visible in the command-line help string, only the keywords are supported. Specify the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode. Step 5 Step 6 } Step 7 Step 8 Step 9 Configure the violation mode. The keywords have these meanings: Error disable the port. Generate a syslog error. Drop packets from any new device that sends traffic to the port. Configuring IEEE 802.1x Authentication Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-07

Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 1 Step 2 Step 3 Command Purpose Note Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 OL-9639-07 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

Configuring IEEE 802.1x Authentication Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Configuring the Switch-to-RADIUS-Server Communication rad123 Switch(config)# radius-server host 172.l20.39.46 auth-port 1612 key rad123 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-07

; the default is 3600 seconds. This command affects the behavior of the switch only if periodic re-authentication is enabled. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. dot1x reauthentication dot1x timeout reauth-period 4000 dot1x re-authenticate interface gigabitethernet0/1

Changing the Quiet Period dot1x timeout quiet-period Enter global configuration mode. Specify the port to be configured, and enter interface configuration mode. Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. no dot1x timeout quiet-period dot1x timeout quiet-period 30 You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional. Enter global configuration mode. Specify the port to be configured, and enter interface configuration mode. Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds; the default is 30.

To return to the default retransmission time, use the interface configuration command. This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request: Setting the Switch-to-Client Frame-Retransmission Number Note dot1x max-req 5

dot1x max-reauth-req 4

interface gigabitethernet0/1 dot1x port-control auto dot1x host-mode multi-host Accounting message %s for session %s failed to receive Accounting Response. 00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.

Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123 Switch(config)# aaa accounting dot1x default start-stop group radius Switch(config)# aaa accounting system default start-stop group radius

Switch# configure terminal Switch(config)# cisp enable Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# switchport mode access authentication port-control auto dot1x pae authenticator spanning-tree portfast trunk

Displaying IEEE 802.1x Statistics and Status Step 12 Command Purpose Step 13 password myswitch Displaying IEEE 802.1x Statistics and Status

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback