Networking Software (IOS & NX-OS)

Table Of Contents

IEEE 802.1x—Flexible Authentication

Finding Feature Information

Contents

Prerequisites for IEEE 802.1x—Flexible Authentication

Restrictions for IEEE 802.1x—Flexible Authentication

Information About IEEE 802.1x—Flexible Authentication

Overview of the Cisco IOS Auth Manager

Authentication Methods

Host Mode Authentication

Authentication Order and Authentication Priority

How to Configure IEEE 802.1x—Flexible Authentication

Configuring Authentication Order

Troubleshooting Tips

Configuring Authentication Priority

Prerequisites

Configuration Examples for IEEE 802.1x—Flexible Authentication

Flexible Authentication: Example

Additional References

Related Documents

MIBs

RFCs

Technical Assistance

Feature Information for IEEE 802.1x—Flexible Authentication

IEEE 802.1x—Flexible Authentication

---

First Published: November 11, 2008

Last Updated: March 30, 2011

The IEEE 802.1x—Flexible Authentication feature provides a means of assigning authentication methods to ports and specifying the order in which the methods are executed when an authentication attempt fails. Using this feature, you can control which ports use which authentication methods, and you can control the failover sequencing of methods on those ports.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IEEE 802.1x—Flexible Authentication" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Prerequisites for IEEE 802.1x—Flexible Authentication

•Restrictions for IEEE 802.1x—Flexible Authentication

•Information About IEEE 802.1x—Flexible Authentication

•How to Configure IEEE 802.1x—Flexible Authentication

•Configuration Examples for IEEE 802.1x—Flexible Authentication

•Additional References

•Feature Information for IEEE 802.1x—Flexible Authentication

Prerequisites for IEEE 802.1x—Flexible Authentication

IEEE 802.1x—Port-Based Network Access Control

You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.

Before you can use the IEEE 802.1x—Flexible Authentication feature, the switch must be connected to a Cisco secure ACS and RADIUS authentication, authorization, and accounting (AAA) must be configured for Web authentication. If appropriate, you must enable ACL download.

If the authentication order includes the 802.1x port authentication method, you must enable IEEE 802.1x authentication on the switch.

If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.

RADIUS and ACLs

You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.

The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the Configuration Guide for CISCO Secure ACS.

Restrictions for IEEE 802.1x—Flexible Authentication

In Cisco IOS Release 12.2(33)SXI, the web authentication method cannot fail over to the 802.1x or the MAB authentication method. So, when you configure authentication order, no other authentication method can follow web authentication.

Information About IEEE 802.1x—Flexible Authentication

To set up IEEE 802.1x—Flexible Authentication, you should understand the following concepts:

•Overview of the Cisco IOS Auth Manager

•Authentication Methods

•Host Mode Authentication

•Authentication Order and Authentication Priority

Overview of the Cisco IOS Auth Manager

The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies, regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and as such, serves as a session manager.

The possible states for Auth Manager sessions are:

•Idle—In the idle state, the authentication session has been initialized, but no methods have yet been run. This is an intermediate state.

•Running—A method is currently running. This is an intermediate state.

•Authc Success— The authentication method has run successfully. This is an intermediate state.

•Authc Failed—The authentication method has failed. This is an intermediate state.

•Authz Success—All features have been successfully applied for this session. This is a terminal state.

•Authz Failed—At least one feature has failed to be applied for this session. This is a terminal state.

•No methods—No method provided a result for this session. This is a terminal state.

Authentication Methods

The IEEE 802.1x—Flexible Authentication feature supports three authentication methods:

•dot1x—IEEE 802.1x authentication is a Layer 2 authentication method.

•mab—MAC-Authentication Bypass is a Layer 2 authentication method.

•webauth—Web authentication is a Layer 3 authentication method.

Host Mode Authentication

The IEEE 802.1x—Flexible Authentication feature supports two new host modes:

•multi-auth—Multiauthentication allows one authentication on a voice VLAN and multiple authentications on the data VLAN.

•multi-domain—Multidomain authentication allows two authentications: one on the voice VLAN and one of the data VLAN.

The IEEE 802.1x—Flexible Authentication feature also supports single-host and multiple-host authentications.

Authentication Order and Authentication Priority

The IEEE 802.1x—Flexible Authentication feature enables authentication order and authentication priority. The authentication order command sets the default authentication priority. You can use the authentication priority command to override the default authentication priority. For example, you might specify an authentication order of MAB and 802.1x. However, after authorization, you might not want to ignore subsequent 802.1x handshakes. In this case, you can give the 802.1x authentication method a higher priority than the MAB method.

How to Configure IEEE 802.1x—Flexible Authentication

This section contains the following tasks:

•Configuring Authentication Order

•Configuring Authentication Priority

Configuring Authentication Order

Authentication order is configured on individual ports to control which ports use which authentication methods. Perform the steps described in this section to configure authentication order.

SUMMARY STEPS

1. enable

2. configure terminal

3. dot1x system-auth-control

4. interface type slot/port

5. switchport

6. switchport mode access

7. switchport access vlan vlan-id

8. mab [eap]

9. authentication port-control {auto | force-authorized | fort unauthorized}

10. authentication fallback profile

11. authentication order {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth}

12. dot1x pae authenticator

13. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Switch> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Switch# configure terminal	Enters global configuration mode.
Step 3	dot1x system-auth-control Example: Switch(config)# dot1x system-auth-control	(Optional) Enables IEEE 802.1x authentication globally on the switch. Enable IEEE 802.1x authentication if the authentication order includes the dot1x authentication method.
Step 4	interface type slot/port Example: Switch(config)# interface FastEthernet2/1	Enters interface configuration mode.
Step 5	switchport Example: Switch(config-if)# switchport	Places interface in Layer2-switched mode.
Step 6	switchport mode access Example: Switch(config-if)# switchport mode access	Sets a nontrunking, nontagged single VLAN Layer 2 interface.
Step 7	switchport access vlan vlan-id Example: Switch(config-if)# switchport access vlan 2	Sets the VLAN for the port.
Step 8	mab [eap] Example: Switch(config-if)# mab	(Optional) Enables MAB. Enable MAB if the authentication order includes the mab keyword (Step 11).
Step 9	authentication port-control {auto | force-authorized | fort unauthorized} Example: Switch(config-if)# authentication port-control auto	Configures the authorization state of the port.
Step 10	authentication fallback profile Example: Switch(config-if)# authentication fallback web-profile	(Optional) Enables web authentication. Enable web authentication if the authentication order includes the webauth keyword (Step 11).
Step 11	authentication order {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth} Example: Switch(config-if)# authentication order mab dot1x webauth	Configures the authentication order.
Step 12	dot1x pae authenticator Example: Switch(config)# dot1x pae authenticator	Enables the port to respond to messages meant for an IEEE 802.1x authenticator.
Step 13	end Example: Switch(config-if)# end	Returns to global configuration mode.

Troubleshooting Tips

The following commands can help troubleshoot the Flexible Authentication feature:

•debug authentication

•show authentication registrations

•show authentication sessions

•show dot1x

•show mab

Configuring Authentication Priority

Authentication priority is configured to control the fail over sequencing of methods on individual ports. Perform the steps described in this section to configure authentication priority.

Prerequisites

Before you configure authentication priority, you should configure authentication order as described in the "Configuring Authentication Order" section.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type slot/port

4. authentication priority {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth}

5. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Switch> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Switch# configure terminal	Enters global configuration mode.
Step 3	interface type slot/port Example: Switch(config)# interface FastEthernet2/1	Enters interface configuration mode.
Step 4	authentication priority {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth} Example: Switch(config-if)# authentication priotiry dot1x mab webauth	Configures authentication priority.
Step 5	end Example: Switch(config-if)# end	Returns to global configuration mode.

Configuration Examples for IEEE 802.1x—Flexible Authentication

This section provides the following configuration example:

Flexible Authentication: Example

Flexible Authentication: Example

The following example configures the port in multiple authentication host mode with the order of authentication to be 802.11x first, then MAB, and finally, web authentication.

enable

configure terminal

dot1x system-auth-control

aaa new-model

aaa authentication login default group radius

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa session-id common 

ip http server 

ip admission name webauth-rule proxy http

fallback profile webauth-profile

 ip access-group webauthlist in

 ip admission webauth-rule

interface GigabitEthernet2/1

 switchport

 switchport mode access

 switchport access vlan 125

 switchport voice vlan 127

 mab

 authentication port-control auto

 authentication fallback webauth-profile

 authentication host-mode multi-auth 

 authentication order dot1x mab webauth

 dot1x pae authenticator

Additional References

Related Documents

Related Topic	Document Title
Authentication commands	Cisco IOS Security Command Reference
Standalone MAB Support	Standalone MAB Support

MIBs

MIB	MIBs Link
•CISCO-AUTH-FRAMEWORK-MIB •CISCO-MAC-AUTH-BYPASS-MIB •CISCO-PAE-MIB •IEEE8021-PAE-MIB	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC	Title
RFC 3580	IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)

Technical Assistance

Description	Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.	http://www.cisco.com/cisco/web/support/index.html

Feature Information for IEEE 802.1x—Flexible Authentication

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

---

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

---

Table 1 Feature Information for IEEE 802.1x—Flexible Authentication

Feature Name	Releases	Feature Information
IEEE 802.1x—Flexible Authentication	12.2(33)SXI	This feature provides a means of configuring ports with one or more authentication methods and specifying the order in which those authentication methods are attempted. The following commands were introduced or modified: authentication fallback, authentication host-mode, authentication order, authentication port-control, authentication priority, authentication timer restart, debug authentication, mab, show authentication interface, show authentication registrations, show authentication sessions, show mab. The following commands were removed or made obsolete: dot1x fallback, dot1x host-mode, dot1x port control.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2008-2011 Cisco Systems, Inc. All rights reserved.