Security Configuration Guide, Cisco DCNM for LAN, Release 5.x
Configuring 802.1X
Downloads: This chapterpdf (PDF - 615.0KB) The complete bookPDF (PDF - 4.35MB) | Feedback

Configuring 802.1X

Contents

Configuring 802.1X

This chapter describes how to configure IEEE 802.1X port-based authentication on Cisco NX-OS devices.

This chapter includes the following sections:

Information About 802.1X

802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a Cisco NX-OS device port.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles.

This figure shows the device roles in 802.1X.
Figure 1. 802.1X Device Roles



The specific roles are as follows:

Supplicant

The client device that requests access to the LAN and Cisco NX-OS device services and responds to requests from the Cisco NX-OS device. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating device.


Note


To resolve Windows XP network connectivity and Cisco 802.1X port-based authentication issues, read the Microsoft Knowledge Base article at this URL: http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP


Authentication server
The authentication server performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the Cisco NX-OS device regarding whether the supplicant is authorized to access the LAN and Cisco NX-OS device services. Because the Cisco NX-OS device acts as the proxy, the authentication service is transparent to the supplicant. The Remote Authentication Dial-In User Service (RADIUS) security device with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server, version 3.0. RADIUS uses a supplicant-server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Authenticator
The authenticator controls the physical access to the network based on the authentication status of the supplicant. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication server, requesting identity information from the supplicant, verifying the requested identity information with the authentication server, and relaying a response to the supplicant. The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.

When the authenticator receives EAPOL frames and relays them to the authentication server, the authenticator strips off the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format. This encapsulation process does not modify or examine the EAP frames, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the authenticator removes the server’s frame header, leaving the EAP frame, which the authenticator then encapsulates for Ethernet and sends to the supplicant.


Note


The Cisco NX-OS device can only be an 802.1X authenticator.


Authentication Initiation and Message Exchange

Either the authenticator (Cisco NX-OS device) or the supplicant (client) can initiate authentication. If you enable authentication on a port, the authenticator must initiate authentication when it determines that the port link state transitions from down to up. The authenticator then sends an EAP-request/identity frame to the supplicant to request its identity (typically, the authenticator sends an initial identity/request frame followed by one or more requests for authentication information). When the supplicant receives the frame, it responds with an EAP-response/identity frame.

If the supplicant does not receive an EAP-request/identity frame from the authenticator during bootup, the supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the authenticator to request the supplicant’s identity.


Note


If 802.1X is not enabled or supported on the network access device, the Cisco NX-OS device drops any EAPOL frames from the supplicant. If the supplicant does not receive an EAP-request/identity frame after three attempts to start authentication, the supplicant transmits data as if the port is in the authorized state. A port in the authorized state means that the supplicant has been successfully authenticated.


When the supplicant supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the authenticator port becomes authorized.

The specific exchange of EAP frames depends on the authentication method being used.

This figure shows a message exchange initiated by the supplicant using the One-Time-Password (OTP) authentication method with a RADIUS server. The OTP authentication device uses a secret pass-phrase to generate a sequence of one-time (single use) passwords.
Figure 2. Message Exchange

The user’s secret pass-phrase never crosses the network at any time such as during authentication or during pass-phrase changes.

Ports in Authorized and Unauthorized States

The authenticator port state determines if the supplicant is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the supplicant to flow normally.

If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the authenticator requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

Ports can have the following authorization states:

Force authorized
Disables 802.1X port-based authentication and transitions to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This authorization state is the default.
Force unauthorized
Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The authenticator cannot provide authentication services to the client through the interface.
Auto
Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received from the supplicant. The authenticator requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each supplicant that attempts to access the network is uniquely identified by the authenticator by using the supplicant’s MAC address.

If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated supplicant are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the authenticator can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and the supplicant is not granted network access.

When a supplicant logs off, it sends an EAPOL-logoff message, which causes the authenticator port to transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.

MAC Authentication Bypass

You can configure the Cisco NX-OS device to authorize a supplicant based on the supplicant MAC address by using the MAC authentication bypass feature. For example, you can enable this feature on interfaces configured for 802.1X that are connected to devices such as printers.

If 802.1X authentication times out while waiting for an EAPOL response from the supplicant, the Cisco NX-OS device tries to authorize the client by using MAC authentication bypass.

When you enable the MAC authentication bypass feature on an interface, the Cisco NX-OS device uses the MAC address as the supplicant identity. The authentication server has a database of supplicant MAC addresses that are allowed network access. After detecting a client on the interface, the Cisco NX-OS device waits for an Ethernet packet from the client. The Cisco NX-OS device sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the Cisco NX-OS device grants the client access to the network. If authorization fails, the Cisco NX-OS device assigns the port to the guest VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the Cisco NX-OS device determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.

If the Cisco NX-OS device already authorized an interface by using MAC authentication bypass and detects an 802.1X supplicant, the Cisco NX-OS device does not unauthorize the client connected to the interface. When reauthentication occurs, the Cisco NX-OS device uses 802.1X authentication as the preferred reauthentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be reauthenticated. The reauthentication process is the same as that for clients that were authenticated with 802.1X. During reauthentication, the port remains in the previously assigned VLAN. If reauthentication is successful, the switch keeps the port in the same VLAN. If reauthentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If reauthentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during reauthentication. If MAC authentication bypass is enabled and the 802.1X authentication times out, the switch uses the MAC authentication bypass feature to initiate reauthorization. For more information about these AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.

MAC authentication bypass interacts with the following features:


  • 802.1X authentication—You can enable MAC authentication bypass only if 802.1X authentication is enabled on the port.

  • Port security— You can configure 802.1X authentication and port security on the same Layer 2 ports.

  • Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1X port is authenticated with MAC authentication bypass, including hosts in the exception list.

Related Concepts

802.1X and Port Security

You can configure port security and 802.1X on the same interfaces of a Cisco Nexus 7000 Series Switch. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:

Single host mode

Port security learns the MAC address of the authenticated host.

Multiple host mode

Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.

The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:

Absolute

Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addressees for the interface.

Inactivity

Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.

Single Host and Multiple Hosts Support

The 802.1X feature can restrict traffic on a port to only one endpoint device (single-host mode) or allow traffic from multiple endpoint devices on a port (multi-host mode).

Single-host mode allows traffic from only one endpoint device on the 802.1X port. Once the endpoint device is authenticated, the Cisco NX-OS device puts the port in the authorized state. When the endpoint device leaves the port, the Cisco NX-OS device put the port back into the unauthorized state. A security violation in 802.1X is defined as a detection of frames sourced from any MAC address other than the single MAC address authorized as a result of successful authentication. In this case, the interface on which this security association violation is detected (EAPOL frame from the other MAC address) will be disabled. Single host mode is applicable only for host-to-switch topology and when a single host is connected to the Layer 2 (Ethernet access port) or Layer 3 port (routed port) of the Cisco NX-OS device.

Only the first host has to be authenticated on the 802.1X port configured with multiple host mode. The port is moved to the authorized state after the successful authorization of the first host. Subsequent hosts are not required to be authorized to gain network access once the port is in the authorized state. If the port becomes unauthorized when reauthentication fails or an EAPOL logoff message is received, all attached hosts are denied access to the network. The capability of the interface to shut down upon security association violation is disabled in multiple host mode. This mode is applicable for both switch-to-switch and host-to-switch topologies.

Supported Topologies

The 802.1X port-based authentication is supported in two topologies:


  • Point-to-point

  • Wireless LAN

In a point-to-point configuration, only one supplicant (client) can connect to the 802.1X-enabled authenticator (Cisco NX-OS device) port. The authenticator detects the supplicant when the port link state changes to the up state. If a supplicant leaves or is replaced with another supplicant, the authenticator changes the port link state to down, and the port returns to the unauthorized state.

This figure shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured as a multiple-host port that becomes authorized as soon as one supplicant is authenticated.
Figure 3. Wireless LAN Example

When the port is authorized, all other hosts indirectly attached to the port are granted access to the network. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the Cisco NX-OS device denies access to the network to all of the attached supplicants.

Licensing Requirements for 802.1X

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco DCNM

802.1X requires a LAN Enterprise license. For an explanation of the Cisco DCNM licensing scheme and how to obtain and apply licenses, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.

Cisco NX-OS

802.1X requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.

Prerequisites for 802.1X

The following prerequisites are required for using this feature on Cisco DCNM. For a full list of feature-specific prerequisites, see the platform-specific documentation.


  • System-message logging levels for 802.1X must meet or exceed Cisco DCNM requirements. During device discovery, Cisco DCNM detects inadequate logging levels and raises them to the minimum requirements. Cisco Nexus 7000 Series switches that run Cisco NX-OS Release 4.0 are an exception. For Cisco NX-OS Release 4.0, prior to device discovery, use the command-line interface to configure logging levels to meet or exceed Cisco DCNM requirements. For more information, see the .

Platform Support for 802.1X

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform Documentation
Cisco Nexus 7000 Series Switches Cisco Nexus 7000 Series Switches Documentation

Configuring 802.1X

This section describes how to configure the 802.1X feature.

Process for Configuring 802.1X

This section describes the process for configuring 802.1X.

Procedure
Step 1   Enable the 802.1X feature.
Step 2   Configure the connection to the remote RADIUS server.
Step 3   Enable 802.1X feature on the Ethernet interfaces.

Enabling the 802.1X Service

You must enable the 802.1X service on the device before authenticating any supplicant devices.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   From the menu bar, choose Action > Enable 802.1X Service.
Step 4   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling the 802.1X Feature on an Interface

You must enable the 802.1X feature on the interfaces you want to use for 802.1X authentication.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   From the Interface Settings tab, click Enable Dot1X.
Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Controlling 802.1X Authentication on an Interface

You can control the 802.1X authentication performed on an interface. An interface can have the following 802.1X authentication states:

Auto
Enables 802.1X authentication on the interface.
Force-authorized
Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. This state is the default.
Force-unauthorized
Disallows all traffic on the interface.
Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   From the Port Control drop-down list, choose the port control type.
Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling Global Periodic Reauthentication

You can enable global periodic 802.1X reauthentication and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication attempts is 3600 (1 hour).


Note


During the reauthentication process, the status of an already authenticated supplicant is not disrupted.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   Click the Global Settings tab.
Step 4   Click General.
Step 5   Check Enable Re-authentication.
Step 6   (Optional) In the Re-auth Period(secs), enter the number of seconds between period reauthentication for supplicants on the interface. The default is 3600 seconds (10 hours).
Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling Periodic Reauthentication for an Interface

You can enable periodic 802.1X reauthentication on an interface and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication defaults to the global value.


Note


During the reauthentication process, the status of an already authenticated supplicant is not disrupted.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   Check Enable Re-authentication.
Step 8   (Optional) In the Re-auth Period(secs), enter the number of seconds between period reauthentication for supplicants on the interface. The default is the global setting.
Step 9   From the menu bar, choose File > Deploy to apply your changes to the device.

Changing Global 802.1X Authentication Timers

The following global 802.1X authentication timers are supported on the device:

Quiet-period time
When the device cannot authenticate the supplicant, the device remains idle for a set period of time, and then tries again. The quiet-period timer value determines the idle period. An authentication failure might occur because the supplicant provided an invalid password. You can provide a faster response time to the user by entering a number smaller than the default. The default is 60 seconds. The range is from 1 to 65535.
Switch-to-supplicant retransmission period timer
The client responds to the EAP-request/identity frame from the device with an EAP-response/identity frame. If the device does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame. The default is 30. The range is from 1 to 65535 seconds.

Note


You can also configure the quiet-period timer and switch-to-supplicant transmission period timer at the interface level.



Note


You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   Click the Global Settings tab.
Step 4   Click Timers.
Step 5   (Optional) In the Quiet Period(secs) field, enter the number of seconds for the quiet-period timer. The default is 60 seconds.
Step 6   (Optional) In the TX Period(secs) field, enter the number of seconds for the switch-to-supplicant retransmission timer. The default is 30 seconds.
Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Changing 802.1X Authentication Timers for an Interface

You can change the following 802.1X authentication timers on the device interfaces:

Quiet-period time
When the Cisco NX-OS device cannot authenticate the supplicant, the switch remains idle for a set period of time and then tries again. The quiet-period timer value determines the idle period. An authentication failure might occur because the supplicant provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. The default is the value of the global quiet period timer. The range is from 1 to 65535 seconds.
Rate-limit timer
The rate-limit period throttles EAPOL-Start packets from supplicants that are sending too many EAPOL-Start packets. The authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated for the rate-limit period duration. The default value is 0 seconds and the authenticator processes all EAPOL-Start packets. The range is from 1 to 65535 seconds.
Switch-to-authentication-server retransmission timer for Layer 4 packets
The authentication server notifies the switch each time that it receives a Layer 4 packet. If the switch does not receive a notification after sending a packet, the Cisco NX-OS device waits a set period of time and then retransmits the packet. The default is 30 seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP response frames
The supplicant responds to the EAP-request/identity frame from the Cisco NX-OS device with an EAP-response/identity frame. If the Cisco NX-OS device does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame. The default is 30 seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP request frame
Switch-to-supplicant retransmission timer for EAP request frames—The supplicant notifies the Cisco NX-OS device that it received the EAP request frame. If the authenticator does not receive this notification, it waits a set period of time and then retransmits the frame. The default is the value of the global retransmission period timer. The range is from 1 to 65535 seconds.

Note


You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click Timers.
Step 7   (Optional) In the Quiet Period(secs) field, enter the number of seconds for the quiet-period timer. The default is the global setting.
Step 8   (Optional) In the TX Period(secs) field, enter the number of seconds for the switch-to-supplicant retransmission timer for EAP request frames. The default is the global setting.
Step 9   (Optional) (Optional) In the Supplicant Period(secs) field, enter the number of seconds for the switch-to-supplicant retransmission timer for EAP response frames interval. The default is the value of the global quiet period timer.
Step 10   (Optional) In the Server Period(secs) field, enter the number of seconds for the switch-to-authentication-server retransmission timer for Layer 4 packets.

The default is 30 seconds.

Step 11   (Optional) In the Rate Limit Period(secs) field, enter the number of seconds for the rate-limit timer. The default value is 0 seconds and the authenticator processes all EAPOL-Start packets.
Step 12   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling Single Host or Multiple Hosts Mode

You can enable single host or multiple hosts mode on an interface.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   From the Host Mode drop-down list, choose Single or Multiple. The default is Single.
Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling MAC Address Authentication Bypass

You can enable MAC address authentication bypass on an interface that has no supplicant connected.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   Check the Mac-auth-bypass check box. The default is disabled.
Step 8   (Optional) Check the EAP Authentication check box to enable MAC authentication bypass for EAP authentication.
Step 9   From the menu bar, choose File > Deploy to apply your changes to the device.

Disabling 802.1X Authentication on the Device

You can disable 802.1X authentication on the device. By default, the Cisco NX-OS software enables 802.1X authentication after you enable the 802.1X feature. However, when you disable the 802.1X feature, the configuration is removed from the device. The Cisco NX-OS software allow you to disable 802.1X authentication without losing the 802.1X configuration.


Note


When you disable 802.1X authentication, the port mode for all interfaces defaults to force-authorized regardless of the configured port mode. When you reenable 802.1X authentication, the Cisco NX-OS software restores the configured port mode on the interfaces.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   Click the Global Settings tab.
Step 4   Click General.
Step 5   Uncheck Sys Auth Enable.

The default is enabled.

Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Disabling the 802.1X Feature

You can disable the 802.1X feature on the device.


Caution


Disabling 802.1X removes all 802.1X configuration from the device.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   From the menu bar, choose Dot1X > Disable 802.1X.
Step 4   From the menu bar, choose File > Deploy to apply your changes to the device.

Setting Global Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count

In addition to changing the authenticator-to-supplicant retransmission time, you can set the number of times that the device sends an EAP-request/identity frame (assuming no response is received) to the supplicant before restarting the authentication process.


Note


You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   Click the Global Settings tab.
Step 4   Click General.
Step 5   In the Max Request field, enter the maximum request retry count. The default is 2.
Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface

You can configure the maximum number of times that the device retransmits authentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   In the Max Request field, enter the maximum request retry count. The default is 2.
Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

Enabling RADIUS Accounting for 802.1X Authentication

You can enable RADIUS accounting for the 802.1X authentication activity.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   Click the Global Settings tab.
Step 4   Click General.
Step 5   Check RADIUS Accounting. The default is disabled.
Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring AAA Accounting Methods for 802.1X

You can enable AAA accounting methods for the 802.1X feature.

Procedure
Step 1   From the Feature Selector pane, choose Security > AAA > Rules.
Step 2   From the Summary table pane, click the expand icon by the device to display the list of rules.
Step 3   Click Accounting Rules.
Step 4   Click the expand icon by Accounting Rules.
Step 5   From the menu bar, choose Rules > Add Rule. A new default rule appears in the list and the Authentication Rules tab appears in the Details pane.
Step 6   From the Service Type drop-down list, choose Dot1x.
Step 7   (Optional) Double-click the cell under Type in the new method. Group appears in the method cell.
Step 8   Double-click the method cell under Server Group Name.
Step 9   Enter the server group name or choose a server group name from the drop-down list and click OK.
Step 10   (Optional)To add more methods, right-click on a method, choose Add Method from the pop-up menu, and repeat Step 6 through Step 8 for the new method.
Step 11   From the menu bar, choose File > Deploy to apply your changes to the device.

Setting the Maximum Reauthentication Retry Count on an Interface

You can set the maximum number of times that the device retransmits reauthentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, double-click a device to display the slots.
Step 3   Double-click a slot to display the interfaces.
Step 4   Click an interface.
Step 5   Click the Interface Settings tab.
Step 6   Click General.
Step 7   In the Max Reauth Request field, enter the maximum reauthentication request retry count. The default is 2.
Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

Displaying 802.1X Statistics

You can display the statistics that the device maintains for the 802.1X activity.

Procedure
Step 1   From the Feature Selector pane, choose Security > Dot1X.
Step 2   From the Summary pane, click a device.
Step 3   From the Details pane, click the Statistics tab for 802.1X statistics for the device.
Step 4   From the Summary pane, double-click a device to display the slots.
Step 5   Double-click a slot to display the interfaces.
Step 6   Click an interface.
Step 7   From the Details pane, click the Statistics tab to display 802.1X statistics for the interface.

Field Descriptions for 802.1X

This section includes field descriptions for the 802.1X feature in Cisco DCNM.

Security: Dot1X: Summary Pane

Table 1 Security: Dot1X: Summary Pane

Element

Description

Interface Name

Displays the name of the notifies.

Description

Displays the description of the interfaces.

Dot1x State

Displays the 802.1X status for the interfaces.

Host Mode

Host mode for 802.1X on the interfaces, either single or multiple. The default is single.

Port Control

802.1X authentication on the interfaces. The default is force authorized.

Oper Status

Displays the operating status for the interfaces.

Security: Dot1X: device: Global Settings Tab: General

Table 2  Security: Dot1X: device: Global Settings Tab: General

Element

Description

Sys Auth Enable

Enables or disables 802.1X authentication for the entire device without removing the configuration. The default is enabled.

Radius Accounting

Enables or disables RADIUS accounting for 802.1X using the AAA accounting configuration for the 802.1X accounting rule. The default is disabled.

Max Request

Maximum number of times that the device sends an EAP-request/identity frame (assuming no response is received) to the supplicant before restarting the authentication process. The default is 2.

Enable Re-authentication

Enables or disables global supplicant reauthentication. The default is disabled.

Re-auth Period(secs)

Period for automatic reauthentication of supplicants. The default is 3600 seconds (60 minutes).

Security: Dot1X: device: Global Settings Tab: Timers

Table 3  Security: Dot1X: device: Global Settings Tab: Timers

Element

Description

Quiet Period(secs)

Number of seconds between attempts by the device to authenticate the supplicant. The default is 60 seconds.

TX Period(secs)

Retransmission time during which the device waits after it sends an EAP-request/identity frame before it receives an EAP-response/identity frame from the client and then retransmits the request frame. The default is 30 seconds.

Security: Dot1X: device: slot: interface: Interface Settings Tab: General

Table 4  Security: Dot1X: device: slot: interface: Interface Settings Tab: General

Element

Description

Interface Name

Displays the type and location of the interface.

Description

Displays the interface description.

Host Mode

Host mode for 802.1X, either single or multiple. The default is single.

Port Control

802.1X authentication on the interface. The default is force authorized.

PAE Type

Displays the device role.

Mac-Auth-Bypass

Enables or disables MAC address authentication bypass. The default is disabled.

EAP Authentication

Enables or disables EAP authentication for MAC address authentication bypass. The default is disabled.

Oper Status

Displays the operation status for the interface.

Max Reauth Request

Maximum number of times that the device retransmits reauthentication requests to the supplicant on an interface before the session times out. The default is 2.

Max Request

Maximum number of times that the device sends an EAP-request/identity frame (assuming no response is received) to the supplicant before restarting the authentication process. The default is 2.

Enable Re-authentication

Enables or disables global supplicant reauthentication. The default is disabled.

Re-auth Period(secs)

Time period for automatic reauthentication of supplicants. The default is 3600 seconds (60 minutes).

Security: Dot1X: device: slot: interface: Interface Settings Tab: Timers

Table 5 Security: Dot1X: device: slot: interface: Interface Settings Tab: Timers

Element

Description

Quiet Period(secs)

Number of seconds between attempts by the device to authenticate the supplicant. The default is 60 seconds.

TX Period(secs)

Retransmission time during which the device waits after it sends an EAP-request/identity frame before it receives an EAP-response/identity frame from the client and then retransmits the request frame. The default is 30 seconds.

Supplicant Period(secs)

Number of seconds for the switch-to-supplicant retransmission for EAP response frames interval. The default is 30 seconds.

Server Period(secs)

Number of seconds for the switch-to-authentication-server retransmission for Layer 4 packets. The default is 30 seconds.

Rate Limit Period(secs)

Number of seconds for the rate limit timer. The rate limit timer throttles the EAPOL-Start packets from supplicants that are sending too many EAPOL-Start packets. The authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated for the rate-limit period duration. The default value is 0 seconds and the authenticator processes all EAPOL-Start packets.

Additional References for 802.1X

This section includes additional information related to implementing 802.1X.

Related Documents

Related Topic

Document Title

Cisco NX-OS Licensing

Cisco NX-OS Licensing Guide

Cisco DCNM Licensing

Cisco DCNM Installation and Licensing Guide, Release 5.x

Command reference

VRF configuration

Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x

Standards

Standards

Title

IEEE Std 802.1X- 2004 (Revision of IEEE Std 802.1X-2001)

802.1X IEEE Standard for Local and Metropolitan Area Networks Port-Based Network Access Control

RFC 2284

PPP Extensible Authentication Protocol (EAP)

RFC 3580

IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

MIBs

MIBs

MIBs Link


  • IEEE8021-PAE-MIB

To locate and download MIBs, go to the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Feature History for 802.1X

This table lists the release history for this feature:
Table 6  Feature History for 802.1X

Feature Name

Releases

Feature Information

802.1X

5.2(1)

No change from Release 5.1.

802.1X

5.1(1)

No change from Release 5.0.

802.1X

5.0(2)

No change from Release 4.2.