-
Catalyst 3750 Metro Switch Software Configuration Guide, 12.2(52)SE
-
Index
-
Preface
-
Overview
-
Using the Command-Line Interface
-
Assigning the Switch IP Address and Default Gateway
-
Configuring Cisco IOS Configuration Engine
-
Administering the Switch
-
Configuring SDM Templates
-
Configuring Switch-Based Authentication
-
Configuring IEEE 802.1x Port-Based Authentication
-
Configuring Interface Characteristics
-
Configuring Smartports Macros
-
Configuring VLANs
-
Configuring VTP
-
Configuring Private VLANs
-
Configuring Voice VLAN
-
Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
-
Configuring STP
-
Configuring MSTP
-
Configuring Optional Spanning-Tree Features
-
Configuring Resilient Ethernet Protocol
-
Configuring Flex Links and the MAC Address-Table Move Update Feature
-
Configuring DHCP Features and IP Source Guard
-
Configuring Dynamic ARP Inspection
-
Configuring IGMP Snooping and MVR
-
Configuring Port-Based Traffic Control
-
Configuring CDP
-
Configuring LLDP and LLDP-MED
-
Configuring UDLD
-
Configuring SPAN and RSPAN
-
Configuring RMON
-
Configuring System Message Logging
-
Configuring SNMP
-
Configuring Embedded Event Manager
-
Configuring Network Security with ACLs
-
Configuring QoS
-
Configuring EtherChannels and Link State Tracking
-
Configuring IP Unicast Routing
-
Configuring IPv6 Unicast Routing
-
Configuring IPv6 MLD Snooping
-
Configuring IPv6 ACLs
-
Configuring HSRP
-
Configuring Cisco IOS IP SLAs Operations
-
Configuring Enhanced Object Tracking
-
Configuring Ethernet CFM, E-LMI, and OAM
-
Configuring MPLS, MPLS OAM, MPLS VPN, and EoMPLS
-
Configuring IP Multicast Routing
-
Configuring MSDP
-
Configuring Fallback Bridging
-
Troubleshooting
-
Supported MIBs
-
Working with the Cisco IOS File System, Configuration Files, and Software Images
-
Unsupported Commands in Cisco IOS Release 12.2(52)SE
-
Feedback
Table Of Contents
Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Authentication Initiation and Message Exchange
Ports in Authorized and Unauthorized States
802.1x User Distribution Configuration Guidelines
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)
Configuring IEEE 802.1x Authentication
802.1x Configuration Guidelines
Maximum Number of Allowed Devices Per Port
Configuring 802.1x Readiness Check
Configuring IEEE 802.1x Violation Modes
Configuring IEEE 802.1x Authentication
Configuring the Switch-to-RADIUS-Server Communication
Configuring Periodic Re-Authentication
Manually Re-Authenticating a Client Connected to a Port
Changing the Switch-to-Client Retransmission Time
Setting the Switch-to-Client Frame-Retransmission Number
Setting the Re-Authentication Number
Resetting the 802.1x Configuration to the Default Values
Configuring 802.1x User Distribution
Configuring an Authenticator and a Supplicant Switch with NEAT
Displaying 802.1x Statistics and Status
Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750 Metro switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments, IEEE 802.1x prevents unauthorized devices (clients) from gaining access to the network.
For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Note
Some IEEE 802.1x (dot1x) commands are visible on the switch but are not supported. For a list of unsupported commands see Appendix C, "Unsupported Commands in Cisco IOS Release12.2(52)SE."
This chapter consists of these sections:
•
•
•
Understanding IEEE 802.1x Port-Based Authentication
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
These sections describe IEEE 802.1x port-based authentication:
•
•
•
Device Roles
With IEEE 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 8-1.
Figure 8-1 IEEE 802.1x Device Roles
•
Note
•
•
When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
The devices that can act as intermediaries include the Catalyst 3750, Catalyst 3550, Catalyst 2970, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x.
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when the port link state transitions from down to up. It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the client responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.
Note
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. For more information, see the "Ports in Authorized and Unauthorized States" section.
The specific exchange of EAP frames depends on the authentication method being used. Figure 8-2 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 8-2 Message Exchange
Ports in Authorized and Unauthorized States
Depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for IEEE 802.1x, CDP, and STP protocol packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally.
If a client that does not support IEEE 802.1x is connected to an unauthorized IEEE 802.1x port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
In contrast, when an IEEE 802.1x-enabled client connects to a port that is not running the IEEE 802.1x protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
•
•
•
If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:
•
•
•
•
•
The switch does not log IEEE 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
Supported Topologies
The IEEE 802.1x port-based authentication is supported in two topologies:
•
•
In a point-to-point configuration (see Figure 8-1), only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
Figure 8-3 shows IEEE 802.1x port-based authentication in a wireless LAN. The IEEE 802.1x port is configured as a multiple-hosts port that becomes authorized as soon as one client is authenticated. When the port is authorized, all other hosts indirectly attached to the port are granted access to the network. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies access to the network to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and the wireless access point acts as a client to the switch.
Figure 8-3 Wireless LAN Example
802.1x Readiness Check
The 802.1x readiness check monitors IEEE 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support IEEE 802.1x. You can use this feature to determine if the devices connected to the switch ports are IEEE 802.1x-capable. You use an alternate authentication for the devices that do not support IEEE 802.1x functionality.
This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet. The client must respond within the IEEE 802.1x timeout value.
For information on configuring the switch for the 802.1x readiness check, see the "Configuring 802.1x Readiness Check" section.
802.1x with Port Security
You can configure IEEE 802.1x port and port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an IEEE 802.1x port.
These are some examples of the interaction between IEEE 802.1x and port security on the switch:
•
When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).
A security violation occurs if the client is authenticated, but the port security table is full. This can happen if the maximum number of secure hosts has been statically configured or if the client ages out of the secure host table. If the client address is aged, its place in the secure host table can be taken by another host.
If the security violation is caused by the first authenticated host, the port becomes error-disabled and immediately shuts down.
The port security violation modes determine the action for security violations. For more information, see the "Security Violations" section on page 24-10.
•
•
•
•
•
For more information about enabling port security on your switch, see the "Configuring Port Security" section on page 24-8.
802.1x with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
•
•
Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs. The IP phone uses the VVID for its voice traffic regardless of the authorized or unauthorized state of the port. This allows the phone to work independently of IEEE 802.1x authentication.
When you enable the single-host mode, multiple IP phones are allowed on the VVID; only one IEEE 802.1x client is allowed on the PVID. When you enable the multiple-hosts mode and when an IEEE 802.1x user is authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted after IEEE 802.1x authentication succeeds on the primary VLAN.
A voice VLAN port becomes active when there is link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
For more information about voice VLANs, see the Chapter 14, "Configuring Voice VLAN."
802.1x with VLAN Assignment
The switch supports IEEE 802.1x with VLAN assignment. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, which assigns the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
When configured on the switch and the RADIUS server, IEEE 802.1x with VLAN assignment has these characteristics:
•
•
Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, or an attempted assignment to a voice VLAN ID.
•
•
•
•
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN.
If an IEEE 802.1x port is authenticated and put in the RADIUS server assigned VLAN, any change to the port access VLAN configuration does not take effect.
The IEEE 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
•
•
•
–
–
–
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 7-28.
802.1x with Guest VLAN
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients (for example, how to download the IEEE 802.1x client). These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When the authentication server does not receive a response to its EAP request/identity frame, clients that are not IEEE 802.1x-capable are put into the guest VLAN for the port, if one is configured. However, the server does not grant IEEE 802.1x-capable clients that fail authentication access to the network.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not transition to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, it is transitioned to the guest VLAN state.
If the switch is trying to authorize an IEEE 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
•
•
Note
Any number of hosts are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable host joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
For more information, see the "Configuring a Guest VLAN" section.
802.1x with Restricted VLAN
You can configure a restricted VLAN (sometimes called an authentication failed VLAN) for each IEEE 802.1x port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients are IEEE 802.1x-compliant and cannot access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid credentials on an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.
Note
Without this feature, the client indefinitely attempts and fails authentication and the switch port remains in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured maximum authentication attempts, the port moves to the restricted VLAN. The failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to start the authentication process again is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.
After a port moves to the restricted VLAN, it sends a simulated EAP success message to the client instead of an EAP failure message. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.
Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
This feature works with port security. As soon as the port is authorized, a MAC address is provided to port security. If port security does not permit the MAC address or if the maximum secure address count is reached, the port becomes unauthorized and error-disabled.
Other port security features such as Dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN.
802.1x with Per-User ACLs
You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.
You can configure router ACLs and input port ACLs. However, a port ACL takes precedence over a router ACL. If you apply input port ACL to a port that belongs to a VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 33, "Configuring Network Security with ACLs."
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters.
For examples of vendor-specific attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 7-28. For more information about configuring ACLs, see Chapter 33, "Configuring Network Security with ACLs."
To configure per-user ACLs, you need to perform these tasks:
•
•
•
•
•
Note
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across multiple different VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN group name.
•
•
Note
802.1x User Distribution Configuration Guidelines
•
•
•
•
•
•
For more information, see the "Configuring 802.1x User Distribution" section.
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such as conference rooms). This allows any type of device to authenticate on the port.
•
Once the supplicant switch authenticates successfully the port mode changes from access to trunk.
•
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
•
•
Figure 8-4 Authenticator and Supplicant Switch using CISP
Workstations (clients)
Supplicant switch (outside wiring closet)
Authenticator switch
Access control server (ACS)
Trunk port
Guidelines
•
•
•
For more information, see the "Configuring an Authenticator and a Supplicant Switch with NEAT" section.
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no matter which authentication method is used. This ID is used for all reporting purposes, such as the show commands and MIBs. The session ID appears with all per-session syslog messages.
The session ID includes:
•
•
•
This example shows how the session ID appears in the output of the show authentication command. The session ID in this example is 160000050000000B288508E5:
Switch# show authentication sessionsInterface MAC Address Method Domain Status Session IDFa4/0/4 0000.0000.0203 mab DATA Authz Success 160000050000000B288508E5This is an example of how the session ID appears in the syslog output. The session ID in this example is also160000050000000B288508E5:
1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0203) on Interface Fa4/0/4AuditSessionID 160000050000000B288508E51w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0000.0203) on InterfaceFa4/0/4 AuditSessionID 160000050000000B288508E51w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client(0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the client. The ID appears automatically. No configuration is required.
Configuring IEEE 802.1x Authentication
These sections describe how to configure IEEE 802.1x port-based authentication on your switch:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Default 802.1x Configuration
Table 8-1 shows the default IEEE 802.1x configuration.
802.1x Configuration Guidelines
These are the IEEE 802.1x authentication configuration guidelines:
•
•
–
–
–
–
Note
–
•
•
•
•
•
Maximum Number of Allowed Devices Per Port
This is the maximum number of devices allowed on an IEEE 802.1x-enabled port:
•
•
•
Configuring 802.1x Readiness Check
The 802.1x readiness check monitors IEEE 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support IEEE 802.1x. You can use this feature to determine if the devices connected to the switch ports are IEEE 802.1x-capable.
The 802.1x readiness check is allowed on all ports that can be configured for IEEE 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.
Follow these guidelines to enable the readiness check on the switch:
•
•
•
•
Beginning in privileged EXEC mode, follow these steps to enable the IEEE 802.1x readiness check on the switch:
This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
switch# dot1x test eapol-capable interface gigabitethernet1/0/13DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capableConfiguring IEEE 802.1x Violation Modes
You can configure an IEEE 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when:
•
•
Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch:
Configuring IEEE 802.1x Authentication
To configure IEEE 802.1x port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.
To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based authentication. This procedure is required.
Step 1
configure terminal
Enter global configuration mode.
Step 2
aaa new-model
Enable AAA.
Step 3
aaa authentication dot1x {default} method1 [method2...]
Create an IEEE 802.1x authentication method list.
To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Enter at least one of these keywords:
•
•
Step 4
dot1x system-auth-control
Enable IEEE 802.1x authentication globally on the switch.
Step 5
aaa authorization network {default} group radius
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment.
Note
Step 6
interface interface-id
Specify the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode.
Step 7
dot1x port-control auto
Enable IEEE 802.1x authentication on the port.
For feature interaction information, see the "802.1x Configuration Guidelines" section.
Step 8
end
Return to privileged EXEC mode.
Step 9
show dot1x
Verify your entries.
Step 10
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default | list-name} global configuration command. To disable 802.1x AAA authorization, use the no aaa authorization global configuration command. To disable 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command.
This example shows how to enable AAA and 802.1x on a port:
Switch# configure terminalSwitch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radiusSwitch(config)# dot1x system-auth-controlSwitch(config)# interface fastethernet1/0/1Switch(config)# switchport mode accessSwitch(config-if)# dot1x port-control autoSwitch(config-if)# endConfiguring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were configured.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:
Switch(config)# radius-server host 172.l20.39.46 auth-port 1612 key rad123You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the "Configuring Settings for All RADIUS Servers" section on page 7-28.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
Configuring Periodic Re-Authentication
You can enable periodic 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between re-authentication attempts is 3600.
Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. This procedure is optional.
To disable periodic re-authentication, use the no dot1x reauthentication interface configuration command.To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout reauth-period interface configuration command.
This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000:
Switch(config-if)# dot1x reauthenticationSwitch(config-if)# dot1x timeout reauth-period 4000Manually Re-Authenticating a Client Connected to a Port
You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. This step is optional. If you want to enable or disable periodic re-authentication, see the "Configuring Periodic Re-Authentication" section.
This example shows how to manually re-authenticate the client connected to a port:
Switch# dot1x re-authenticate interface fastethernet1/0/1Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default.
Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional.
To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command.
This example shows how to set the quiet time on the switch to 30 seconds:
Switch(config-if)# dot1x timeout quiet-period 30Changing the Switch-to-Client Retransmission Time
The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
Note
Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional.
To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request:
Switch(config-if)# dot1x timeout tx-period 60Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Note
Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number. This procedure is optional.
To return to the default retransmission number, use the no dot1x max-req interface configuration command.
This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process:
Switch(config-if)# dot1x max-req 5Setting the Re-Authentication Number
You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
Note
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
To return to the default re-authentication number, use the no dot1x max-reauth-req interface configuration command.
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:
Switch(config-if)# dot1x max-reauth-req 4Configuring the Host Mode
You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode, only one host is allowed on an 802.1x port. When the host is authenticated, the port is placed in the authorized state. When the host leaves the port, the port becomes unauthorized. Packets from hosts other than the authenticated one are dropped.
You can attach multiple hosts to a single 802.1x-enabled port as shown in Figure 8-3. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), all attached clients are denied access to the network.
With the multiple-hosts mode enabled, you can use 802.1x to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. This procedure is optional.
Enter the dot1x host-mode single-host interface configuration command to set the interface to allow a single host on the port.
Note
To disable multiple hosts on the port, use the no dot1x host-mode multi-host interface configuration command.
This example shows how to enable 802.1x on a port and to allow multiple hosts:
Switch(config)# interface fastethernet1/0/1Switch(config-if)# dot1x port-control autoSwitch(config-if)# dot1x host-mode multi-hostConfiguring a Guest VLAN
When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode.
Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN. This procedure is optional.
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "802.1x Configuration Guidelines" section.
Step 3
dot1x guest-vlan vlan-id
Specify an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094.
You can configure any active VLAN except an internal VLANs (routed port), an RSPAN VLAN, or a voice VLAN as an 802.1x guest VLAN.
Step 4
end
Return to privileged EXEC mode.
Step 5
show dot1x interface interface-id
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. If the port is currently authorized in the guest VLAN, the port returns to the unauthorized state.
This example shows how to enable VLAN 2 as an 802.1x guest VLAN on a port:
Switch(config)# interface gigabitethernet1/0/2Switch(config-if)# dot1x guest-vlan 2Configuring a Restricted VLAN
When you configure a restricted VLAN on a switch, clients that are IEEE 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.
Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.
To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state.
This example shows how to enable VLAN 2 as an 802.1x restricted VLAN:
Switch(config)# interface gigabitethernet0/2Switch(config-if)# dot1x auth-fail vlan 2Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.
To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.
This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:
Switch(config-if)# dot1x auth-fail max-attemptsResetting the 802.1x Configuration to the Default Values
Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration to the default values. This procedure is optional.
Configuring 802.1x Accounting
Enabling AAA system accounting with 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active 802.1x sessions are closed.
Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, this system message appears:
Accounting message %s for session %s failed to receive Accounting Response.When the stop message is not sent successfully, this message appears:
00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
Note
Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional.
Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message.
This example shows how to configure 802.1x accounting. The first command configures the RADIUS server, specifying 1813 as the UDP port for accounting:
Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123Switch(config)# aaa accounting dot1x default start-stop group radiusSwitch(config)# aaa accounting system default start-stop group radiusConfiguring 802.1x User Distribution
Beginning in global configuration, follow these steps to configure a VLAN group and to map a VLAN to it:
This example shows how to configure the VLAN groups, to map the VLANs to the groups, to and verify the VLAN group configurations and mapping to the specified VLANs:
switch(config)# vlan group eng-dept vlan-list 10switch(config)# show vlan group group-name eng-deptGroup Name Vlans Mapped------------- --------------eng-dept 10switch# show dot1x vlan-group allGroup Name Vlans Mapped------------- --------------eng-dept 10hr-dept 20This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:
switch(config)# vlan group eng-dept vlan-list 30switch(config)# show vlan group eng-deptGroup Name Vlans Mapped------------- --------------eng-dept 10,30This example shows how to remove a VLAN from a VLAN group:
switch# no vlan group eng-dept vlan-list 10This example shows that when all the VLANs are cleared from a VLAN group, the VLAN group is cleared:
switch(config)# no vlan group eng-dept vlan-list 30Vlan 30 is successfully cleared from vlan group eng-dept.switch(config)# show vlan group group-name eng-deptThis example shows how to clear all the VLAN groups:
switch(config)# no vlan group end-dept vlan-list allswitch(config)# show vlan-group allFor more information about these commands, see the Cisco IOS Security Command Reference.
Configuring an Authenticator and a Supplicant Switch with NEAT
Configuring this feature requires that one switch outside a wiring closet is configured as a supplicant and is connected to an authenticator switch.
For overview information, see the "802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)" section.
Note
Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:
This example shows how to configure a switch as an 802.1x authenticator:
Switch# configure terminalSwitch(config)# cisp enableSwitch(config)# interface gigabitethernet2/0/1Switch(config-if)# switchport mode accessSwitch(config-if)# authentication port-control autoSwitch(config-if)# dot1x pae authenticatorSwitch(config-if)# spanning-tree portfast trunkBeginning in privileged EXEC mode, follow these steps to configure a switch as a supplicant:
This example shows how to configure a switch as a supplicant:
Switch# configure terminalSwitch(config)# cisp enableSwitch(config)# dot1x credentials testSwitch(config)# username suppswitchSwitch(config)# password myswitchSwitch(config)# dot1x supplicant force-multicastSwitch(config)# interface gigabitethernet1/0/1Switch(config-if)# switchport trunk encapsulation dot1qSwitch(config-if)# switchport mode trunkSwitch(config-if)# dot1x pae supplicant
Switch(config-if)# dot1x credentials test
Switch(config-if)# endConfiguring NEAT with ASP
You can also use an AutoSmart Ports user-defined macro instead of the switch VSA to configure the authenticator switch. For more information, see the Chapter 10, "Configuring Smartports Macros."
Displaying 802.1x Statistics and Status
To display 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.
To display the 802.1x administrative and operational status for the switch, use the show dot1x all privileged EXEC command. To display the 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command.
For detailed information about the fields in these displays, see the command reference for this release.
