The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IEEE 802.1X VLAN Assignment feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures the device port so that network access can be limited for certain users.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following tasks must be completed before implementing the IEEE 802.1X VLAN Assignment feature:
IEEE 802.1X must be enabled on the device port.
The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).
EAP support must be enabled on the RADIUS server.
You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off. If you do not configure the IEEE 802.1X supplicant, an EAP-logoff message is not sent to the switch and the accompanying accounting Stop message is not sent to the authentication server. See the Microsoft Knowledge Base article at the location http://support.microsoft.com and set the SupplicantMode registry to 3 and the AuthMode registry to 1.
Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests. The authentication method list must be enabled and specified. A method list describes the sequence and authentication method to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for information.
The port must be successfully authenticated.
The IEEE 802.1X VLAN Assignment feature is available only on Cisco 89x and 88x series integrated switching routers (ISRs) that support switch ports.
The following ISR-G2 routers are supported:
The following cards or modules support switch ports:
Enhanced High-speed WAN interface cards (EHWICs) with ACL support:
High-speed WAN interface cards (HWICs) without ACL support:
Note | Not all Cisco ISR routers support all the components listed. For information about module compatibility with a specific router platform, see Cisco EtherSwitch Modules Comparison. |
To determine whether your router has switch ports, use the show interfaces switchport command.
The IEEE 802.1X VLAN Assignment feature is available only on a switch port.
Note | An access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN. |
When IEEE 802.1X authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
The IEEE 802.1X authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
If the multihost mode is enabled on an IEEE 802.1X port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
If an IEEE 802.1X port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect.
This feature does not support standard ACLs on the switch port.
The AAA authorization feature is used to determine what a user can and cannot do. When AAA authorization is enabled, the network access server uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. Once this is done, the user is granted access to a requested service only if the information in the user profile allows it.
In Cisco IOS Release 12.4(11)T and later releases, the device ports support IEEE 802.1X authentication with VLAN assignment. After successful IEEE 802.1X authentication of a port, the RADIUS server sends the VLAN assignment to configure the device port.
The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the supplicant connected to the device port.
AAA authorization limits the services available to a user. When AAA authorization is enabled, the device uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa authorization network radius if-authenticated
5.
aaa authorization exec radius if-authenticated
6.
end
1.
enable
2.
configure
terminal
3.
aaa new-model
4.
aaa
authentication dot1x {default |
listname}
method1 [method2...]
5.
dot1x
system-auth-control
6.
identity profile
default
7.
interface
type
slot/port
8.
authentication port-control {auto |
force-authorized |
force-unauthorized}
9.
dot1x pae [supplicant |
authenticator |
both]
10.
end
11.
show
dot1x
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the device and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification.
Attribute [64] must contain the value “VLAN” (type 13). Attribute [65] must contain the value “802” (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1X-authenticated user.
The following example shows how to enable AAA Authorization for VLAN assignment:
Device> enable Device# configure terminal Device(config)# aaa new-model Device(config)# aaa authorization network radius if-authenticated Device(config)# aaa authorization exec radius if-authenticated Device(config)# end
The following example shows how to enable 802.1X authentication on a device:
Device# configure terminal Device(config)# aaa new-model Device(config)# aaa authentication dot1x default group radius group radius Device(config)# dot1x system-auth-control Device(config)# interface fastethernet 1 Device(config-if)# dot1x port-control auto
The following show dot1x command output shows that 802.1X authentication has been configured on a device:
Device# show dot1x all Sysauthcontrol Enabled Dot1x Protocol Version 2 Dot1x Info for FastEthernet1 ----------------------------------- PAE = AUTHENTICATOR PortControl = AUTO ControlDirection = Both HostMode = MULTI_HOST ReAuthentication = Enabled QuietPeriod = 600 ServerTimeout = 60 SuppTimeout = 30 ReAuthPeriod = 1800 (Locally configured) ReAuthMax = 2 MaxReq = 3 TxPeriod = 60 RateLimitPeriod = 60
This example shows how to specify an authorized VLAN in the RADIUS server by assigning vendor-specific tunnel attributes:
cisco-avpair= "tunnel-type(#64)=VLAN(13)" cisco-avpair= "tunnel-medium-type(#65)=802 media(6)" cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
Standard/RFC | Title |
---|---|
IEEE 802.1X |
Port Based Network Access Control |
RFC 3580 |
IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines |
MIB |
MIBs Link |
---|---|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
IEEE Information for IEEE 802.1X VLAN Assignment |
The IEEE 802.1X VLAN Assignment feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures the device port so that network access can be limited for certain users. |