Cisco SMB Support Assistant
 

Set up IEEE 802.1x authentication on Catalyst Switches




Introduction

This document describes how to configure IEEE 802.1x port-based authentication on Cisco Catalyst switches. The procedure applies to the 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3750 and 4500 series models.





Components

To perform the steps described in this document, you need these items:

  • You must have completed the initial configuration of the switch; if not, refer to Configure a Catalyst Switch with Cisco Network Assistant.

  • A switch with Cisco IOS Software Release 12.1(8)E or later to support 802.1x port-based authentication.

  • A console cable. For more information about cables, refer to Cable Descriptions.

  • Terminal emulation software such as HyperTerminal.

  • Complete the Switch Port Assignment Worksheets as instructed in the Site Survey.





IEEE 802.1x Overview

This section gives an overview of IEEE 802.1x port-based authentication, which is part of the IEEE 802.1 group of networking standards and is used to prevent unauthorized devices (clients) from gaining access to the network. The standard defines a client-server access control and authentication protocol that stops unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before any service offered by the switch or the LAN is made available to it. Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected; every other frame from the client is dropped. After authentication succeeds, the port state changes to authorized, the client is placed in the specified VLAN and normal traffic can pass through the port. If authentication fails, it can be retried.

If successive authentication attempts fail and the authentication process times out, the switch checks whether MAC authentication bypass (supported from Cisco IOS Release 12.2(25)SEE and later) is enabled. If it is, the switch uses the client's MAC address as its identity and submits it to the authentication server; if the server accepts the MAC address, the port is assigned to the corresponding VLAN, otherwise the port remains in the unauthorized state. If the client does not support 802.1x at all (it never sends EAPOL frames), the port is placed in a specified guest VLAN, which the client can use, for example, to download and install 802.1x supplicant software. Because any device that simply stays silent ends up in the guest VLAN, keep that VLAN isolated from production resources.

With 802.1x port-based authentication, the devices in the network have specific roles. The client, or supplicant, is the device that requests access to the LAN services. It must run 802.1x-compliant supplicant software, such as the supplicant built into the Microsoft Windows XP operating system. The switch, or authenticator, acts like a security guard to the protected network and controls physical access to it based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server: it requests identity information from the client, passes the EAP exchange on to the authentication server, and relays the server's response back to the client; it does not check the credentials itself. The authentication server performs the actual authentication of the client, validates its identity, and notifies the switch whether or not the client is authorized to access the LAN. The supported authentication server is a RADIUS server with Extensible Authentication Protocol (EAP) extensions, available in Cisco Secure Access Control Server Version 3.0 or later. The authentication server sends the VLAN assignment that the switch applies to the port and, if MAC authentication bypass is enabled, also holds the database of client MAC addresses that are allowed network access.

An IEEE 802.1x port can be configured for single-host or multiple-hosts mode. In single-host mode, only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to up. If the client leaves or is replaced by another client, the switch changes the port link state to down and the port returns to the unauthorized state. In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. In this mode only one of the attached clients needs to authenticate; once it has, every device on the port is granted network access without being authenticated itself. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. Multiple-hosts mode is typically used when wireless devices connect to the network through an access point: only the access point is authenticated by the switch. Use this mode only where the device behind the port is trusted to control who connects through it.

The IEEE 802.1x protocol is supported on Layer 2 static-access ports and is not supported on Trunk ports, Dynamic ports, EtherChannel ports, and Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports.

[Figure: set_IEEE_802.1X_cat_swtch_01.gif]





Connect to the Switch

Follow these steps to connect your PC to the switch for configuration:

  1. Connect a PC to the switch with a console cable.

  2. Create a HyperTerminal connection to your switch. For more information, refer to Create a HyperTerminal Connection.

  3. Log into the switch with the login and password that you entered in fields B10 and B11 of the Switch Worksheet.

    Username:admin
    Password:

    Note: If you do not know the password for your switch, refer to Manually Reset the Password on a Catalyst Switch.

  4. Type enable and press Enter to access privileged EXEC mode. Type the enable password that you entered in field S5 of the Switch Port Assignment Worksheet.

    switch>enable
    




Configure 802.1x authentication

Follow these steps to configure 802.1x authentication on a Catalyst switch:

  1. Enter global configuration mode and enter the command dot1x system-auth-control to enable 802.1x globally on your switch. Without this command the per-interface 802.1x settings configured below have no effect.

    Switch#configure terminal
    Switch(config)#dot1x system-auth-control
    
  2. Enter the command aaa new-model to enable AAA on the switch. Then enter the command aaa authentication dot1x default followed by the keyword group radius to create the default 802.1x AAA authentication list, which makes the switch send 802.1x authentication requests to the RADIUS servers configured later in this document.

    Switch(config)#aaa new-model
    Switch(config)#aaa authentication dot1x default group radius
    
    Note: If the RADIUS server is to assign the VLAN, as described in the overview, the switch also needs an AAA authorization list for network services, created with the command aaa authorization network default group radius; without it the switch ignores the VLAN attributes returned by the server.

  3. Enter interface configuration mode for the port connected to the client, using the command interface followed by the interface name, and set the port to access mode with the command switchport mode access (802.1x is supported only on static-access ports).

    Switch(config)#interface FastEthernet0/1
    Switch(config-if)#switchport mode access
    
  4. Enter the command dot1x port-control auto to enable 802.1x on the interface. With auto, the port starts in the unauthorized state and passes only EAPOL until the client is authenticated. The other values are force-authorized, the default, which passes all traffic without authentication, and force-unauthorized, which never passes client traffic.

    Switch(config-if)#dot1x port-control auto
    
  5. Optionally, to allow multiple hosts (clients) on this IEEE 802.1x port, enter the command dot1x host-mode multi-host. Remember that in this mode only the first client is authenticated; every other device on the port then gets access as well.

    Switch(config-if)#dot1x host-mode multi-host
    
  6. Optionally, to enable MAC authentication bypass, enter the command dot1x mac-auth-bypass (supported from Cisco IOS Release 12.2(25)SEE and later). The MAC addresses to be accepted must be defined on the RADIUS server.

    Switch(config-if)#dot1x mac-auth-bypass
    
  7. Optionally, to enable the guest VLAN feature on this port, enter the command dot1x guest-vlan followed by a VLAN ID. The VLAN must already exist on the switch. This example uses VLAN 23.

    Switch(config-if)#dot1x guest-vlan 23
    

    Repeat steps 3 through 7 for every interface that needs 802.1x authentication (the interface range command lets you apply them to several ports at once). Do not enable 802.1x on the uplink through which the switch reaches the RADIUS server: that port would itself be unauthorized and no client could ever be authenticated.





Configure Switch to RADIUS server Communication

Follow these steps to configure communication with the RADIUS server:

  1. Enter global configuration mode and enter the command radius-server host followed by the hostname or IP address of the RADIUS server. Optionally, use the auth-port parameter to specify the UDP port on which the server accepts authentication requests: Cisco IOS defaults to the older port 1645, while most RADIUS servers listen on the IANA-assigned port 1812, so specify it explicitly. Use the key parameter followed by a string to set the shared secret that authenticates and obfuscates the traffic between the switch and the RADIUS server; key must be the last parameter on the line because everything after it, including spaces, becomes the secret. The secret must match the one configured for this switch on the RADIUS server. Choose a long random value and give each switch its own: an attacker who learns the secret can forge server replies, and the secret is stored in the switch configuration (service password-encryption only obscures it), so protect configuration backups. This example specifies the host with IP address 192.168.1.2 as the RADIUS server, uses port 1812 as the authentication port, and sets "radiuskey" as the shared secret.

    Switch#configure terminal
    Switch(config)#radius-server host 192.168.1.2 auth-port 1812 key radiuskey
    
  2. Type end to come out of configuration mode and enter the command copy running-config startup-config to save this configuration.

    Switch(config)#end
    Switch#copy running-config startup-config
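What the shared secret from the step above does on the wire, as an added example in Python that is not part of the Cisco page: the switch puts the client's EAP packet into EAP-Message attributes and signs each Access-Request with a Message-Authenticator (HMAC-MD5 keyed with the secret, RFC 3579); the server's reply carries a Response Authenticator (MD5 over the reply and the secret, RFC 2865) that the switch checks before it trusts the verdict and the VLAN attributes (RFC 3580). The secret "radiuskey", the switch address 192.168.1.1, the identifier, the request authenticator and the EAP payload are constructed values, and the Message-Authenticator that the reply should also carry is left out for brevity.

```python
"""Added example, not code from the Cisco page: how the RADIUS shared secret set with
'radius-server host ... key' protects the switch-to-server exchange. The switch signs
its Access-Request with a Message-Authenticator (HMAC-MD5, RFC 3579) and checks the
Response Authenticator (MD5 over reply + secret, RFC 2865) on the server's reply.
Secret, addresses, identifier and EAP payload below are constructed values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 4, 5
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR, ATTR_TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81


def avp(attr_type, value):
    """RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def build_access_request(secret, ident, request_auth, attrs):
    """Switch side: append a zeroed Message-Authenticator, HMAC-MD5 the whole packet
    with the secret, then write the digest into that attribute."""
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC over the packet with the attribute value zeroed."""
    for pos, attr_type, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False                          # EAP requests without Message-Authenticator are rejected


def build_response(secret, code, request, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The Message-Authenticator RFC 3579 also requires on the reply is omitted here."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Switch side: a reply built without the right secret, or altered in transit, fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response):
    """Read the RFC 3580 VLAN attributes the switch acts on after a verified Access-Accept."""
    attrs = {t: v for _, t, v in iter_attrs(response)}
    if attrs.get(ATTR_TUNNEL_TYPE, b"")[-1:] != b"\x0d" or attrs.get(ATTR_TUNNEL_MEDIUM_TYPE, b"")[-1:] != b"\x06":
        return None                       # needs Tunnel-Type VLAN (13) and Tunnel-Medium-Type IEEE-802 (6)
    group = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:        # a leading byte below 0x20 is an optional tag
        group = group[1:]
    return int(group)


def demo():
    """Constructed exchange for the identity 'alice' on port 1 of switch 192.168.1.1."""
    secret = b"radiuskey"                 # the 'key radiuskey' from the configuration step
    request_auth = bytes(range(16))       # the switch picks 16 random bytes; fixed here for repeatability
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"            # EAP Response/Identity
    attrs = (avp(ATTR_USER_NAME, b"alice") + avp(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 1]))
             + avp(ATTR_NAS_PORT, struct.pack("!I", 1)) + avp(ATTR_EAP_MESSAGE, eap_identity))
    request = build_access_request(secret, 7, request_auth, attrs)
    accept_attrs = (avp(ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d") + avp(ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                    + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"10") + avp(ATTR_EAP_MESSAGE, bytes([3, 1, 0, 4])))
    accept = build_response(secret, ACCESS_ACCEPT, request, accept_attrs)
    forged = build_response(b"wrongkey", ACCESS_ACCEPT, request, accept_attrs)
    return {
        "server_accepts_request": verify_message_authenticator(secret, request),
        "mismatched_secret_rejected": not verify_message_authenticator(b"wrongkey", request),
        "switch_accepts_reply": verify_response(secret, request, accept),
        "forged_reply_rejected": not verify_response(secret, request, forged),
        "assigned_vlan": assigned_vlan(accept),
    }
```

The two verification functions are where a mismatched key shows up in practice: the server drops the switch's request (the switch sees a timeout rather than a reject), and a reply built with the wrong secret never changes the port state. Both MD5-based constructions are also why the secret's strength matters; they offer no protection beyond the entropy of the secret itself.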
    




Next Step

You have now set up 802.1x authentication on your network.

To make further changes to your switch, refer to the Switch Support Page.

To make further changes to your network, refer to the Configuration Overview page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: Clients connected to 802.1x-enabled ports are not being authenticated.

Cause(s) and Suggested Solution(s): Check that 802.1x is enabled globally and configured correctly on your switch. Enter the command show dot1x and check that Sysauthcontrol is Enabled in the output. If it is Disabled, the per-interface settings have no effect; enter dot1x system-auth-control in global configuration mode.

Switch#show dot1x
Sysauthcontrol              Enabled
Dot1x Protocol Version            2
Critical Recovery Delay         100
Critical EAPOL             Disabled

Then enter show dot1x interface followed by the interface name to check that the port control is AUTO and to see the current port status, or show dot1x all to list every 802.1x-enabled port. If the port stays unauthorized, confirm that the switch can reach the RADIUS server and that the shared secret matches: debug radius authentication shows whether the server answers or the request times out (a timeout with a reachable server usually means a mismatched secret, because the server silently drops requests it cannot verify), and debug dot1x events shows the EAPOL exchange with the client. Turn debugging off with undebug all when you are done.






© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.