Outlines IEEE 802.1X authentication, including requirements, restrictions, open authentication approaches, and comprehensive configuration methods using SD-WAN Manager, CLI commands, switch port templates, and configuration groups.
IEEE 802.1X authentication
IEEE 802.1X is a port-based network access control (PNAC) protocol that
- prevents unauthorized network devices from gaining access to wired networks, and
- provides authentication for devices that want to connect to a wired network.
IEEE 802.1X open authentication and host modes
Any of the four host modes (single-host, multiple-host, multi-domain authentication, and multiauthentication) can be configured to allow a device to gain network access before authentication.
You enable open authentication by entering the authentication open command after the host-mode configuration; it acts as an extension of the configured host mode. For example, if open authentication is enabled with single-host mode, the port still allows only one MAC address. When preauthentication open access is enabled, initial traffic on the port is restricted only by the access lists configured on the port and is independent of the 802.1X configuration. If you configure no access restriction other than 802.1X on the port, a client device has full access to the configured VLAN before it authenticates.
You can configure open authentication only through a CLI add-on template. The dot1x feature template in SD-WAN Manager does not support it.
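As an added example (not from the page and not Cisco's own sample configuration), the following pairs authentication open on a single-host switch port with a pre-authentication port ACL, so that an unauthenticated client can reach DHCP and DNS but not the whole VLAN. The interface name, VLAN 10 and the ACL name PREAUTH are assumptions, as is the platform's support for an IP ACL on a switch port.

```cisco
! Added example, not from the page. Interface, VLAN and ACL name are assumed.
! Pre-authentication ACL: only what a host needs to obtain an address and
! resolve names before 802.1X/MAB completes.
ip access-list extended PREAUTH
 remark allow DHCP client to server
 permit udp any eq bootpc any eq bootps
 remark allow DNS
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 ip access-group PREAUTH in
! single-host: only one MAC address is admitted even though the port is open
 authentication host-mode single-host
 authentication port-control auto
 authentication order dot1x mab
! open mode: traffic is forwarded before authentication, limited by PREAUTH
 authentication open
 mab
 dot1x pae authenticator
```

After the client authenticates, an authorization result returned by RADIUS (for example a downloadable ACL) takes precedence over PREAUTH for that session. Without the port ACL, the same port forwards all traffic on VLAN 10 before authentication, which is the caveat stated above.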
From Cisco IOS XE Catalyst SD-WAN Release 17.2.1r, IEEE 802.1X is supported based on Identity-Based Networking Services (IBNS) 1.0 IOS-XE CLIs. This feature is supported on both LAN and WAN interfaces.
Restrictions for configuring IEEE 802.1X authentication
Authentication, Authorization, and Accounting
IEEE 802.1X Authentication, Authorization, and Accounting (AAA) is not supported on multiple groups.
Authentication order
The authentication order dot1x mab CLI cannot be disabled through SD-WAN Manager. With this authentication order in place, 802.1X is attempted first on the port, so a MAB-only client experiences a 60 second delay before MAB authentication completes.
Open authentication
The authentication open command is not supported in feature templates, but it can be deployed with a CLI add-on template.
Prerequisites for configuring IEEE 802.1X authentication
RADIUS
Enable RADIUS authentication servers to authenticate IEEE 802.1X services.
Configure RADIUS Accounting attributes.
Switch port
Enable IEEE 802.1X configuration on the switch port interface.
VLAN configurations
Enable these VLAN configurations to manage authenticated and unauthenticated clients:
- Restricted VLAN (or authentication rejected VLAN)
- Guest VLAN
- Critical VLAN (or authentication failed VLAN)
- Critical Voice VLAN
If required, enable the IEEE 802.1X authentication event by VLAN ID in the CLI add-on template.
Host-mode authentication
Enable one of these host-mode authentications:
- Single-host mode
- Multiple-host mode
- Multiple-authentication mode
- Multi-domain mode
Configure IEEE 802.1X Authentication using templates
IEEE 802.1X is a port-based network access control (PNAC) protocol that prevents unauthorized devices from accessing wired networks by authenticating devices that want to connect. Before any client can use network services, a RADIUS authentication server must authenticate each connected client. Use a Cisco AAA feature template to configure IEEE 802.1X authentication on the interface.
Procedure
1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
2. Click Feature Templates, and then click Add Template.
3. Select your device from the list on the left panel.
4. Select the Cisco AAA template and enter the Template Name and Description.
5. Select the RADIUS tab.
6. Select the RADIUS GROUP tab.
7. Select the 802.1X tab and enter the 802.1X parameters.
8. To save this feature template, click Save.
9. To enable this feature on your device, add these feature templates to your device template.
What to do next
Create a Switch Port template that can be used for the Switch Port device.
Create a Switch Port template using templates
Create a Switch Port template for the Switch Port device.
Procedure
1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
2. Click Feature Templates, and then click Add Template.
3. Select your device from the list.
4. Select the Switch Port template and enter the Template Name and Description.
5. Select the Interface tab and click New Interface.
6. To save this feature template, click Save.
7. To enable this feature on your device, add these feature templates to your device template.
IEEE 802.1X Open Authentication using CLI commands
You can configure IEEE 802.1X Open Authentication using the CLI add-on template:
Device# config-transaction
Device(config)# interface GigabitEthernet2
Device(config-if)# authentication open
Device(config-if)# commit
Configure IEEE 802.1X Authentication using CLI commands
To configure IEEE 802.1X using CLI commands, two sets of configuration are required:
- Global AAA commands
- Interface-level commands
Procedure
1. Configure the global AAA commands.
2. Configure the interface-level commands.
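As an added example (not the page's own configuration and not a Cisco sample), here are the two command sets the procedure lists, in the IBNS 1.0 CLI form the page says is supported, as they would be entered in config-transaction through a CLI add-on template. The RADIUS server address and shared key, the group name RADIUS-DOT1X, the interface name and the VLAN IDs are all assumptions.

```cisco
! Added example, not from the page. Server address, key, group name,
! interface and VLAN IDs are assumed values.
!
! --- Global AAA commands ---
aaa new-model
aaa group server radius RADIUS-DOT1X
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key 0 ExampleSharedKey
aaa authentication dot1x default group RADIUS-DOT1X
aaa authorization network default group RADIUS-DOT1X
aaa accounting dot1x default start-stop group RADIUS-DOT1X
! The critical VLAN/voice actions below only trigger once RADIUS is marked
! dead, so define when that happens and for how long.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
! Without this global enable, the interface dot1x commands have no effect.
dot1x system-auth-control
!
! --- Interface-level commands ---
interface GigabitEthernet0/1/0
 description 802.1X edge port, closed mode (no authentication open)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication port-control auto
! multi-domain: one data host plus one voice device on the port
 authentication host-mode multi-domain
! 802.1X is tried first; MAB starts only after the EAPOL exchange times out
! (tx-period x retransmissions), which is the MAB delay the restrictions
! section describes. A shorter tx-period reduces that wait.
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
! Fallback VLANs for the four outcomes listed under prerequisites:
! restricted VLAN on reject, guest VLAN when no supplicant answers,
! critical VLAN and critical voice VLAN when RADIUS is dead.
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 30
 authentication event server dead action authorize vlan 40
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
```

After commit, show authentication sessions interface GigabitEthernet0/1/0 details shows which method (dot1x or mab) authorized each session and which VLAN it landed on, and show dot1x all confirms that system-auth-control is enabled. If a session shows the guest or critical VLAN unexpectedly, check the RADIUS reachability and dead-criteria values before touching the port configuration.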
Configure Switch Port using a configuration group
Configure Switch Port settings using these steps.
Before you begin
On the Configuration Groups page, choose SD-WAN as the solution type.
Procedure
1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.
2. Create and configure a Switch Port feature in a Service profile.
What to do next
Also see Deploy a configuration group.