Protect Network using IEEE 802.1X Port-Based Authentication
IEEE 802.1X port-based authentication protects the network from unauthorized clients. It blocks all traffic to and from
devices at the interface until the authentication server authenticates the client. After successful authentication, the port
is opened for traffic.
This chapter describes how to configure IEEE 802.1X port-based authentication in Cisco NCS 5500 Series Routers to prevent unauthorized devices (clients) from gaining access to the network.
Restrictions for IEEE 802.1X Port-Based Authentication
The following restrictions are applicable for IEEE 802.1X port-based authentication:
802.1X multi-host and 802.1X multi-auth are not supported.
802.1X VLAN assignment is not supported.
Walled-garden VLAN and policies on authentication failures are not supported.
Subinterfaces and VLAN-tagged traffic are not supported on the ports on which 802.1X port-based authentication is configured.
IEEE 802.1X Device Roles
The devices in the network have the following specific roles with IEEE 802.1X authentication:
Authenticator - An entity that facilitates authentication of other entities attached to the same LAN.
Supplicant - An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an Authenticator attached to the
other end of that link.
Authentication Server - An entity that provides an authentication service to an Authenticator. Based on the credentials provided by the Supplicant,
the server determines whether the Supplicant is authorized to access the services provided by the system in which the Authenticator
Understanding 802.1X Port-Based Authentication
IEEE 802.1X port-based authentication is configured on a Cisco NCS 5500 Series Router to prevent unauthorized routers (supplicants) from gaining access to the network. An authentication server validates the
supplicant that is connected to an authenticator port before the services offered by the client or the network are made available
to the supplicant.
Until the supplicant is authenticated, the port is in the Unauthorized state, and 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) packets through the port.
EAPOL frames can carry either the default EtherType of 0x888E or the Cisco-defined EtherType of 0x876F. After successful authentication
of the supplicant, the port transitions to the Authorized state, and normal traffic passes through the port for the authenticated client.
Periodic reauthentication can be enabled, using either the reauthentication timer configured on the port or a value supplied by the authentication server. The authentication
server communicates the reauthentication-timer value in the Session-Timeout attribute of the final RADIUS Access-Accept message.
On 802.1X reauthentication failure, the port is blocked and moved back to the Unauthorized state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the Unauthorized state.
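The following Python model is an added example, not Cisco code or anything from the NCS 5500 software: it simulates the controlled-port behaviour described above (Unauthorized versus Authorized state, the EAPOL-only filter with both EtherTypes, Session-Timeout overriding the port-configured reauthentication timer, and the events that return the port to Unauthorized). The class name, event names and the 3600-second port timer are assumptions chosen for illustration; the sample supplicant MAC and Session-Timeout are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# EtherTypes that an Unauthorized port still lets through (default and Cisco-defined EAPOL)
EAPOL_ETHERTYPES = {0x888E, 0x876F}
ETHERTYPE_IPV4 = 0x0800  # stands in for "normal traffic" in the walk-through

UNAUTHORIZED = "Unauthorized"
AUTHORIZED = "Authorized"


@dataclass
class ControlledPort:
    """Simplified model of one 802.1X-controlled port (hypothetical class, not a device API)."""
    name: str
    state: str = UNAUTHORIZED
    reauth_enabled: bool = False
    port_reauth_seconds: int = 3600          # timer configured on the port (assumed value)
    next_reauth_seconds: Optional[int] = None
    supplicant: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def forwards(self, ethertype: int) -> bool:
        """Access-control decision for one frame: everything when Authorized,
        only EAPOL while Unauthorized."""
        if self.state == AUTHORIZED:
            return True
        return ethertype in EAPOL_ETHERTYPES

    def _block(self, reason: str) -> None:
        # Every path back to Unauthorized clears the session and the reauth timer
        self.state = UNAUTHORIZED
        self.supplicant = None
        self.next_reauth_seconds = None
        self.events.append(f"{self.name}: {reason} -> {UNAUTHORIZED}")

    def auth_success(self, supplicant_mac: str, session_timeout: Optional[int] = None) -> None:
        """The authentication server accepted the supplicant. A Session-Timeout
        attribute in the Access-Accept overrides the port-configured timer."""
        self.state = AUTHORIZED
        self.supplicant = supplicant_mac
        if self.reauth_enabled:
            self.next_reauth_seconds = (
                session_timeout if session_timeout is not None else self.port_reauth_seconds
            )
        self.events.append(f"{self.name}: auth success for {supplicant_mac} -> {AUTHORIZED}")

    def auth_failure(self) -> None:
        self._block("authentication failed")

    def reauth_failure(self) -> None:
        self._block("reauthentication failed")

    def link_down(self) -> None:
        self._block("link down")

    def eapol_logoff(self) -> None:
        self._block("EAPOL-Logoff received")


def walk_through() -> dict:
    """Drive the model through the sequence described in the text and
    return the observations so they can be checked."""
    port = ControlledPort("Hu0/0/1/0", reauth_enabled=True)
    result = {}
    result["eapol_before_auth"] = port.forwards(0x888E)
    result["cisco_eapol_before_auth"] = port.forwards(0x876F)
    result["ipv4_before_auth"] = port.forwards(ETHERTYPE_IPV4)
    # constructed supplicant MAC and Session-Timeout value from the RADIUS Access-Accept
    port.auth_success("027e.15f2.cae7", session_timeout=3099)
    result["ipv4_after_auth"] = port.forwards(ETHERTYPE_IPV4)
    result["reauth_seconds"] = port.next_reauth_seconds
    port.reauth_failure()
    result["ipv4_after_reauth_failure"] = port.forwards(ETHERTYPE_IPV4)
    # second session: no Session-Timeout from the server, so the port timer applies
    port.auth_success("027e.15f2.cae7")
    result["reauth_seconds_port_value"] = port.next_reauth_seconds
    port.eapol_logoff()
    result["state_after_logoff"] = port.state
    return result


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:28} {value}")
```

The point to notice is that `forwards()` is the only place a frame's EtherType matters: once the port is Authorized the filter is bypassed entirely, and every failure or logoff path goes through the same `_block()` routine, so there is no state in which non-EAPOL traffic is forwarded without a current authenticated session.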
The following figure shows the topology for IEEE 802.1X port-based authentication:
Configure 802.1X Port-Based Authentication
To configure 802.1X port-based authentication, perform the following tasks:
Configure RADIUS server
Configure 802.1X authentication method
Create an 802.1X profile
Apply 802.1X profile on an interface
Configure RADIUS Server
To configure RADIUS server pre-shared keys, obtain the pre-shared key values for the remote RADIUS server and perform this
Router# show run interface HundredGigE0/0/1/0
interface HundredGigE 0/0/1/0
dot1x profile test_prof
Verify 802.1X Port-Based Authentication
The 802.1X authentication can be verified using the following:
Show command outputs
Show Command Outputs
The show dot1x interface command verifies whether 802.1X port-based authentication succeeded. If authentication is successful,
traffic is allowed on the configured interface.
Router# show dot1x interface HundredGigE 0/0/1/0 detail
Dot1x info for HundredGigE 0/0/1/0
Interface short name : Hu 0/0/1/0
Interface handle : 0x4080
Interface MAC : 021a.9eeb.6a59
Ethertype : 888E
PAE : Authenticator
Dot1x Port Status : AUTHORIZED
Dot1x Profile : test_prof
L2 Transport : FALSE
Port Control : Enabled
Config Dependency : Resolved
Eap profile : None
ReAuth : Disabled
Supplicant : 027e.15f2.cae7
Programming Status : Add Success
Auth SM State : Authenticated
Auth Bend SM State : Idle
Last authen time : 2018 Dec 11 17:00:30.912
Last authen server : 10.77.132.66
Time to next reauth : 0 day(s), 00:51:39
Dot1x Tie Break Role : NA (Only applicable for PAE role both)
EAP Based Macsec : Disabled
MKA Start time : NA
MKA Stop time : NA
MKA Response time : NA
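When many interfaces are 802.1X-controlled, checking this output by eye does not scale. The following Python script is an added example, not Cisco code: it parses the key/value lines of a `show dot1x interface ... detail` output into a dictionary, converts the "Time to next reauth" field to seconds, and returns a list of findings (port not authorized, state machine not in Authenticated, periodic reauthentication disabled, unexpected EtherType). The sample text is constructed from the output shown above, and the function names and the set of checks are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the output shown above (not captured from a device)
SAMPLE_SHOW_DOT1X = """\
Dot1x info for HundredGigE 0/0/1/0
Interface short name : Hu 0/0/1/0
Interface handle : 0x4080
Interface MAC : 021a.9eeb.6a59
Ethertype : 888E
PAE : Authenticator
Dot1x Port Status : AUTHORIZED
Dot1x Profile : test_prof
L2 Transport : FALSE
Port Control : Enabled
Config Dependency : Resolved
Eap profile : None
ReAuth : Disabled
Supplicant : 027e.15f2.cae7
Programming Status : Add Success
Auth SM State : Authenticated
Auth Bend SM State : Idle
Last authen time : 2018 Dec 11 17:00:30.912
Last authen server : 10.77.132.66
Time to next reauth : 0 day(s), 00:51:39
Dot1x Tie Break Role : NA (Only applicable for PAE role both)
EAP Based Macsec : Disabled
"""

EAPOL_ETHERTYPES = {"888E", "876F"}  # default and Cisco-defined EAPOL EtherType
REAUTH_RE = re.compile(r"(\d+) day\(s\),\s*(\d+):(\d+):(\d+)")


def parse_show_dot1x(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict; the header line gives the interface."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Dot1x info for "):
            fields["interface"] = line[len("Dot1x info for "):].strip()
            continue
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def reauth_seconds(value: str) -> Optional[int]:
    """'0 day(s), 00:51:39' -> 3099; None when the field is not a duration (e.g. 'NA')."""
    m = REAUTH_RE.search(value)
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_port(fields: Dict[str, str]) -> List[str]:
    """Return human-readable findings for anything that is not the expected healthy state."""
    findings: List[str] = []
    if fields.get("Port Control") != "Enabled":
        findings.append("port control is not enabled")
    if fields.get("Config Dependency") != "Resolved":
        findings.append("configuration dependency is unresolved")
    if fields.get("PAE") != "Authenticator":
        findings.append(f"unexpected PAE role: {fields.get('PAE')}")
    if fields.get("Dot1x Port Status") != "AUTHORIZED":
        findings.append(f"port is not authorized: {fields.get('Dot1x Port Status')}")
    if fields.get("Auth SM State") != "Authenticated":
        findings.append(f"authenticator state machine is {fields.get('Auth SM State')}")
    if fields.get("ReAuth") == "Disabled":
        findings.append("periodic reauthentication is disabled on this port")
    if fields.get("Ethertype") not in EAPOL_ETHERTYPES:
        findings.append(f"unexpected EAPOL EtherType: {fields.get('Ethertype')}")
    return findings


if __name__ == "__main__":
    parsed = parse_show_dot1x(SAMPLE_SHOW_DOT1X)
    print(parsed["interface"], "supplicant", parsed.get("Supplicant"))
    print("next reauth in", reauth_seconds(parsed["Time to next reauth"]), "s")
    for finding in audit_port(parsed) or ["no findings"]:
        print(" -", finding)
```

Run against the constructed sample, the only finding is the disabled periodic reauthentication; feeding the same parser an output in which the port is UNAUTHORIZED and the state machine is still Connecting produces the additional findings a monitoring job would want to surface.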
When 802.1x configuration is applied on an interface, the port becomes 802.1X controlled, and the following syslog message
%L2-DOT1X-5-PORT_CONTROL_ENABLE_SUCCESS : Hu0/0/1/0 : Port Control Enabled
After successful authentication of the supplicant, the following syslog messages are displayed:
%L2-DOT1X-5-AUTH_SUCCESS : Hu0/0/1/0 : Authentication successful for client 027E.15F2.CAE7
%L2-DOT1X-5-PORT_CONTROL_ADD_CLIENT_SUCCESS : Hu0/0/1/0 : Port Access Enabled For Client 027E.15F2.CAE7
When 802.1X port-based configuration is removed from an interface, the following syslog message is displayed:
%L2-DOT1X-5-PORT_CONTROL_DISABLE_SUCCESS : Hu0/0/1/0 : Port Control Disabled
When authentication fails, the following syslog messages are displayed:
%L2-DOT1X-5-AUTH_FAIL : Hu0/0/1/0 : Authentication fail for client 027E.15F2.CAE7
%L2-DOT1X-5-PORT_CONTROL_REMOVE_CLIENT_SUCCESS : Hu0/0/1/0 : Port Access Disabled For Client 027E.15F2.CAE7
When the authentication server is unreachable, the following syslog message is displayed:
%L2-DOT1X-5-AAA_UNREACHABLE : Hu0/0/1/0 : AAA server unreachable for client 027E.15F2.CAE7 , Retrying Authentication
When no authentication method is configured, the following syslog message is displayed:
%L2-DOT1X-4-NO_AUTHENTICATION_METHOD : Hu0/0/1/0 : No authentication method configured
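The messages above are what a log pipeline sees, so the following Python script is added here as an example of turning them into detections; it is not Cisco code. It parses the `%L2-DOT1X-<severity>-<mnemonic> : <interface> : <text>` shape shown above, pulls out the client MAC where one is present, and raises an alert on repeated AUTH_FAIL events for the same interface and client, on AAA_UNREACHABLE (the port stays Unauthorized while the server is down), and on NO_AUTHENTICATION_METHOD (a configuration gap). The regular expressions, the threshold and the function names are assumptions of this example; the log lines are constructed from the formats shown above, with invented client MACs and interfaces other than Hu0/0/1/0.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Message shape taken from the syslog examples above; the regex itself is this example's assumption
SYSLOG_RE = re.compile(
    r"%L2-DOT1X-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+)\s*:\s*(?P<intf>\S+)\s*:\s*(?P<text>.*)"
)
MAC_RE = re.compile(r"client\s+([0-9A-F]{4}\.[0-9A-F]{4}\.[0-9A-F]{4})", re.IGNORECASE)

# Constructed sample log (MACs and interfaces other than Hu0/0/1/0 are invented)
SAMPLE_LOG = """\
%L2-DOT1X-5-PORT_CONTROL_ENABLE_SUCCESS : Hu0/0/1/0 : Port Control Enabled
%L2-DOT1X-5-AUTH_SUCCESS : Hu0/0/1/0 : Authentication successful for client 027E.15F2.CAE7
%L2-DOT1X-5-PORT_CONTROL_ADD_CLIENT_SUCCESS : Hu0/0/1/0 : Port Access Enabled For Client 027E.15F2.CAE7
%L2-DOT1X-5-AUTH_FAIL : Hu0/0/1/1 : Authentication fail for client 0200.0000.AAAA
%L2-DOT1X-5-PORT_CONTROL_REMOVE_CLIENT_SUCCESS : Hu0/0/1/1 : Port Access Disabled For Client 0200.0000.AAAA
%L2-DOT1X-5-AUTH_FAIL : Hu0/0/1/1 : Authentication fail for client 0200.0000.AAAA
%L2-DOT1X-5-AUTH_FAIL : Hu0/0/1/1 : Authentication fail for client 0200.0000.AAAA
%L2-DOT1X-5-AAA_UNREACHABLE : Hu0/0/1/2 : AAA server unreachable for client 0200.0000.BBBB , Retrying Authentication
%L2-DOT1X-4-NO_AUTHENTICATION_METHOD : Hu0/0/1/3 : No authentication method configured
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one DOT1X syslog line, or None for unrelated lines."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    mac = MAC_RE.search(event["text"])
    event["mac"] = mac.group(1).upper() if mac else ""
    return event


def analyse(log_text: str, fail_threshold: int = 3) -> Dict[str, object]:
    """Count failures per (interface, client) and build the alert list."""
    fails: Counter = Counter()
    alerts: List[str] = []
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in events:
        key = (e["intf"], e["mac"])
        if e["mnemonic"] == "AUTH_FAIL":
            fails[key] += 1
            if fails[key] == fail_threshold:  # alert once when the threshold is reached
                alerts.append(
                    f"{e['intf']}: {fail_threshold} failed authentications for client {e['mac']}"
                )
        elif e["mnemonic"] == "AAA_UNREACHABLE":
            alerts.append(f"{e['intf']}: authentication server unreachable, port remains Unauthorized")
        elif e["mnemonic"] == "NO_AUTHENTICATION_METHOD":
            alerts.append(f"{e['intf']}: no authentication method configured (misconfiguration)")
    return {"events": len(events), "auth_fail": dict(fails), "alerts": alerts}


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(f"{summary['events']} DOT1X events parsed")
    for alert in summary["alerts"]:
        print(" ALERT", alert)
```

The AUTH_FAIL counter is keyed on both interface and client MAC, so a single misconfigured supplicant retrying on one port is reported once rather than on every retry, while the AAA_UNREACHABLE alert fires immediately because it means the network, not the client, is the reason the port stays blocked.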