Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

Outlines IEEE 802.1X authentication, including requirements, restrictions, open authentication approaches, and comprehensive configuration methods using SD-WAN Manager, CLI commands, switch port templates, and configuration groups.

IEEE 802.1X is a port-based network access control (PNAC) protocol that

  • prevents unauthorized network devices from gaining access to wired networks, and

  • provides authentication for devices that want to connect to a wired network.

IEEE 802.1X open authentication and host modes

Any of the four host modes (single-host mode, multiple-host mode, multi-domain authentication mode, and multiauthentication mode) may be configured to allow a device to gain network access before authentication.

You can enable open authentication by entering the authentication open command after the host mode configuration. It acts as an extension of the configured host mode. For example, if open authentication is enabled with single-host mode, the port still allows only one MAC address. When preauthentication open access is enabled, initial traffic on the port is restricted only by whatever other access restrictions are configured on the port, independently of the 802.1X configuration. If you do not configure any access restriction other than 802.1X on the port, a client device has full access on the configured VLAN.

Note

You can configure open authentication using a CLI template only. You cannot configure open authentication using the dot1x feature template in SD-WAN Manager.

Note

From Cisco IOS XE Catalyst SD-WAN Release 17.2.1r, IEEE 802.1X is supported based on Identity-Based Networking Services (IBNS) 1.0 IOS-XE CLIs. This feature is supported on both LAN and WAN interfaces.


Restrictions for configuring IEEE 802.1X authentication

Authentication, Authorization, and Accounting

IEEE 802.1X Authentication, Authorization, and Accounting (AAA) is not supported on multiple groups.

Authentication order

The authentication order dot1x mab CLI cannot be disabled through SD-WAN Manager. The presence of this authentication order CLI results in a 60-second delay in MAB authentication when a MAB client is online.

Open authentication

Authentication open is not supported in feature templates, but it can be deployed with a CLI add-on template.


Prerequisites for configuring IEEE 802.1X authentication

Enable or configure these prerequisites before you configure IEEE 802.1X authentication with templates, CLI commands, or configuration groups.

RADIUS

Enable RADIUS authentication servers to authenticate IEEE 802.1X services.

Configure RADIUS Accounting attributes.

Switch port

Enable IEEE 802.1X configuration on the switch port interface.

VLAN configurations

Enable these VLAN configurations to manage authenticated and unauthenticated clients:

  • Restricted VLAN (or authentication rejected VLAN)

  • Guest VLAN

  • Critical VLAN (or authentication failed VLAN)

  • Critical Voice VLAN

Enable the IEEE 802.1X authentication event by VLAN ID in the CLI add-on template, if required.

Host-mode authentication

Enable one of these host-mode authentications:

  • Single-host mode

  • Multiple-host mode

  • Multiple-authentication mode

  • Multi-domain mode


Configure IEEE 802.1X Authentication using templates

IEEE 802.1X is a port-based network access control (PNAC) protocol that prevents unauthorized devices from accessing wired networks by authenticating devices that want to connect. Before any client can use network services, a RADIUS authentication server must authenticate each connected client. Use a Cisco AAA feature template to configure IEEE 802.1X authentication on the interface.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2.

Click Feature Templates. Then, click Add Template.

Note

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

3.

Select your device from the list on the left panel.

4.

Select the Cisco AAA template and enter the Template Name and Description.

5.

Select the RADIUS tab.

  1. Under RADIUS SERVER click New RADIUS Server and configure these parameters:

    Parameter Name Description

    Mark as Optional Row

    Check the Mark as Optional Row check box to mark your configuration as device-specific.

    Address

    Enter IP Address of the RADIUS server.

    Authentication Port

    Click Authentication, then click Add New Authentication Entry to configure RADIUS authentication attribute–value (AV) pairs to send to the RADIUS server during an IEEE 802.1X session.

    To save the entry, click Add.

    Accounting Port

    Click Accounting, then click Add New Accounting Entry to configure RADIUS accounting attribute–value (AV) pairs to send to the RADIUS server during an IEEE 802.1X session.

    To save the entry, click Add.

    Timeout

    Configure how long to wait for replies from the RADIUS server.

    Retransmit Count

    Configure how many times the system contacts this RADIUS server.

    Key

    Enter the RADIUS server shared key.

  2. Click Add.

6.

Select the RADIUS GROUP tab.

  1. Under New RADIUS Group configure these parameters:

    Parameter Name Description

    VPN-ID

    Enter the VPN through which the RADIUS or other authentication server is reachable.

    Source Interface

    Enter the interface that will be used to reach the RADIUS server.

    Radius Server

    Configure the Radius server.

  2. Click Add.

7.

Select the 802.1X tab and enter these parameters:

Parameter Name Description

Authentication Param

Click On to enable authentication parameters.

Accounting Param

Click On to enable accounting parameters.

8.

To save this feature template, click Save.

9.

To enable this feature on your device, make sure to add this feature template to your device template.

Note

You need to recreate the AAA feature templates, because templates created prior to Cisco vManage Release 20.5.1 fail when attached to the device.

What to do next

Create a Switch Port template that can be used for the Switch Port device.


Create a Switch Port template using templates

Create a Switch Port template for the Switch Port device.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2.

Click Feature Templates, and then click Add Template.

Note

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

3.

Select your device from the list.

4.

Select the Switch Port template and enter the Template Name and Description.

5.

Select the Interface tab and click New Interface.

  1. Configure these parameters:

    Parameter Name Description

    Interface name

    Enter the interface name.

    Speed

    Enter the interface speed.

    VLAN Name

    Enter the VLAN name.

    VLAN ID

    Enter the VLAN identifier associated with the bridging domain.

    802.1X

    Select On to enable IEEE 802.1X authentication on this interface.

    Enabling it reveals the additional parameters listed below.

    Interface PAE Type

    Enter the IEEE 802.1X interface PAE type.

    Control Direction

    Enter unidirectional or bidirectional authorization mode.

    Host Mode

    Select whether an IEEE 802.1X interface grants access to a single host (client) or to multiple hosts (clients):

    • Multi Auth—Grant access to one host on a voice VLAN and multiple hosts on data VLANs.

    • Multi Host—Grant access to multiple hosts.

    • Single Host—Grant access only to the first authenticated host. This is the default.

    • Multi-Domain—Grant access to both a host and a voice device, such as an IP phone on the same switch port.

    Note

    These options are available only in the 'Global' Host Mode settings.

    Periodic Reauthentication

    Enter how often to reauthenticate IEEE 802.1X clients. By default, no reauthentication attempts are made after the initial LAN access request.

    Range: 0 to 1440 minutes

  2. Click Advanced Options and configure these parameters:

    Parameter Name Description

    Authentication Order

    Enter the order of authentication methods to use when authenticating devices for connection to the IEEE 802.1X interface. The default authentication order is RADIUS, then MAC authentication bypass (MAB).

    MAC Authentication Bypass

    Select to enable MAC authentication bypass (MAB) on the RADIUS server and to authenticate non-IEEE 802.1X–compliant clients using a RADIUS server.

    Port Control Mode

    Enter the port control mode to enable IEEE 802.1X port-based authentication on the interface.

    Auto: Configure this to enable IEEE 802.1X authentication and start the port in the unauthorized state. This allows only EAPOL frames to be sent and received through the port.

    Voice VLAN ID

    Configure the Voice VLAN ID.

    Critical VLAN

    Enter the critical VLAN (or authentication failed VLAN) for IEEE 802.1x-compliant clients. Configure network access when RADIUS authentication or the RADIUS server fails.

    Critical Voice VLAN

    Enable the critical voice VLAN.

    Guest VLAN

    Configure the guest VLAN into which clients that are not IEEE 802.1X-enabled are dropped, if the client is not in the MAB list.

    Restricted VLAN

    Enter the restricted VLAN (or authentication failed VLAN) for IEEE 802.1x-compliant clients. Configure limited services to IEEE 802.1X–compliant clients that failed RADIUS authentication.

  3. Click Add.

6.

To save this feature template, click Save.

7.

To enable this feature on your device, make sure to add this feature template to your device template.


IEEE 802.1X Open Authentication using CLI commands

You can configure IEEE 802.1X Open Authentication using the CLI add-on template:

Device# config-transaction
Device(config)# interface GigabitEthernet2
Device(config-if)# authentication open

Configure IEEE 802.1X Authentication using CLI commands

To configure IEEE 802.1X using CLI commands, two sets of configuration are required:

  • Global AAA commands

  • Interface level commands

Procedure

1.

Configure the Global AAA commands.

  1. Enable or disable IEEE 802.1X globally:

    Device(config)# aaa authentication dot1x default group radius-0
    Device(config)# aaa authorization network default group radius-0
    Device(config)# dot1x system-auth-control
    Device(config)# radius-server dead-criteria time 10 tries 3
    Device(config)# radius-server deadtime 15
  2. Enable accounting:

    Device(config)# aaa accounting dot1x default start-stop group radius-0
2.

Configure the interface level commands.

  1. Enable or disable IEEE 802.1X on a per-port basis:

    Device(config-if)# dot1x pae authenticator
    Device(config-if)# authentication port-control auto

  2. Enable or disable MAB on a per-port basis and then select the host mode:

    Device(config-if)# mab
    Device(config-if)# authentication host-mode <multi-auth | multi-domain | multi-host | single-host>

  3. Configure the voice VLAN:

    Device(config-if)# switchport voice vlan <vlan-id>

  4. Select the IEEE 802.1X control direction:

    Device(config-if)# authentication control-direction <both | in>

  5. Enable periodic reauthentication and set the corresponding reauthentication interval and inactivity timeout:

    Device(config-if)# authentication periodic
    Device(config-if)# authentication timer reauthenticate <interval-in-sec>
    Device(config-if)# authentication timer inactivity <timeout-in-sec>

  6. Configure the authentication order on a per-port basis:

    Device(config-if)# authentication order dot1x mab

  7. Specify the restricted VLAN and then the guest VLAN:

    Device(config-if)# authentication event fail action authorize vlan <vlan-id>
    Device(config-if)# authentication event no-response action authorize vlan <vlan-id>

  8. Specify the critical VLAN:

    Device(config-if)# authentication event server dead action authorize vlan <vlan-id>

  9. Enable the critical voice VLAN feature:

    Device(config-if)# authentication event server dead action authorize voice
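As an added example (not code from the Cisco guide), the following Python parses the interface-level commands from the procedure above into a dictionary and audits them against the effects this guide describes: open authentication allowing pre-authentication access, the 60-second MAB delay with the dot1x mab order, force-authorized port control, and the restricted, guest and critical fallback VLANs. The interface block and its VLAN numbers are constructed sample input.

```python
import re

# Constructed sample interface block; it uses the commands from the procedure above.
SAMPLE_INTERFACE = """\
interface GigabitEthernet2
 authentication port-control auto
 authentication open
 mab
 authentication order dot1x mab
 authentication periodic
 authentication event fail action authorize vlan 40
 authentication event no-response action authorize vlan 41
 authentication event server dead action authorize vlan 42
"""

FLAGS = {"authentication open": "open", "mab": "mab", "authentication periodic": "periodic"}
EVENT_RE = re.compile(r"authentication event (fail|no-response|server dead) action authorize (?:vlan (\d+)|voice)$")

def parse_dot1x_interface(text):
    """Collect the 802.1X settings of one interface block; event targets are a VLAN ID or "voice"."""
    cfg = {"port_control": None, "open": False, "mab": False, "periodic": False,
           "reauth_timer": None, "order": None, "events": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"authentication port-control (\S+)$", line):
            cfg["port_control"] = m.group(1)
        elif m := re.match(r"authentication timer reauthenticate (\d+)$", line):
            cfg["reauth_timer"] = int(m.group(1))
        elif m := re.match(r"authentication order (.+)$", line):
            cfg["order"] = m.group(1).split()
        elif m := EVENT_RE.match(line):
            cfg["events"][m.group(1)] = int(m.group(2)) if m.group(2) else "voice"
        elif line in FLAGS:
            cfg[FLAGS[line]] = True
    return cfg

def audit_dot1x(cfg):
    """Findings a reviewer would raise, based on the effects the guide describes."""
    findings = []
    if cfg["port_control"] == "force-authorized":
        findings.append("force-authorized disables 802.1X; the port passes unauthenticated traffic")
    if cfg["open"]:
        findings.append("authentication open: pre-auth traffic reaches the VLAN unless the port has another access restriction")
    if cfg["periodic"] and cfg["reauth_timer"] is None:
        findings.append("authentication periodic is set without 'authentication timer reauthenticate'")
    if cfg["mab"] and cfg["order"] == ["dot1x", "mab"]:
        findings.append("order dot1x mab: MAB clients wait about 60 s for dot1x to time out")
    for event, target in cfg["events"].items():
        if target != "voice":
            findings.append(f"event '{event}' authorizes VLAN {target} without RADIUS success; keep that VLAN limited")
    return findings
```

Running `audit_dot1x(parse_dot1x_interface(SAMPLE_INTERFACE))` returns six findings for the sample block; a block that only sets the critical voice VLAN returns none.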

Configure Switch Port using a configuration group

Configure Switch Port settings using these steps.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2.

Create and configure a Switch Port feature in a Service profile.

Table 1. Switch Port

Field

Description

Age Out Time

Enter how long an entry is in the MAC table before it ages out. Set the value to 0 to prevent entries from timing out.

Range: 0, 10 through 1000000 seconds

Default: 300 seconds

Configure Interface

Interface Name

Enter the name of the interface to associate with the bridging domain, in the format ge<slot>/<port>.

Mode

Choose the switch port mode.

  • access: Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic only for one VLAN. When you choose access, the following field appears:

    Switchport Access Vlan: Enter the VLAN number, which can be a value from 1 through 4094.

  • trunk: Configure the interface as a trunk port. You can configure one or more VLANs on a trunk port, and the port can carry traffic for multiple VLANs. When you choose trunk, the following fields appear:

    • Allowed Vlans: Enter the numbers of the VLANs for which the trunk can carry traffic, and a description for the VLANs.

    • Switchport Trunk Native Vlan: Enter the number of the VLAN allowed to carry untagged traffic.

Shutdown

Enable the interface. By default, an interface is disabled.

Speed

Enter the speed of the interface.

Duplex

Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode.

Port Control

Choose the port control mode to enable IEEE 802.1X port-based authentication on the interface.

  • auto: Enables IEEE 802.1X authentication and starts the port in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and starts relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by using the supplicant MAC address.

  • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

  • force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client.

Voice VLAN

Enter the Voice VLAN ID.

Pae Enable

The Cisco Catalyst SD-WAN device acts as a port access entity (PAE), allowing authorized network traffic and preventing unauthorized network traffic ingressing to and egressing from the controlled port.

MAC Authentication Bypass

Enable this option to allow MAC authentication bypass (MAB) on the RADIUS server and to authenticate non-IEEE 802.1X–compliant clients using a RADIUS server.

Host Mode

Choose whether an IEEE 802.1X interface grants access to a single host (client) or to multiple hosts (clients).

  • single-host: Grant access only to the first authenticated host. This is the default.

  • multi-auth: Grant access to one host on a voice VLAN and multiple hosts on data VLANs.

  • multi-host: Grant access to multiple hosts.

  • multi-domain: Grant access to both a host and a voice device, such as an IP phone on the same switch port.

Enable Periodic Reauth

Enable periodic re-authentication. By default, this option is enabled.

Inactivity

Enter the inactivity timeout time in seconds.

Default: 60 seconds

Reauthentication

Enter the re-authentication interval in seconds.

Control Direction

Choose both (bidirectional) or in (unidirectional) authorization mode.

Restricted VLAN

Enter the restricted VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure limited services to IEEE 802.1X-compliant clients that failed RADIUS authentication.

Guest VLAN

Enter the guest VLAN into which clients that are not IEEE 802.1X-enabled are dropped, if the client is not in the MAB list.

Critical VLAN

Enter the critical VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure network access when RADIUS authentication or the RADIUS server fails.

Enable Voice

Enable the critical voice VLAN.

Configure Static Mac Address

MAC Address

Enter the static MAC address to map to the switch port interface.

Interface Name

Enter the name of the switch port interface.

VLAN ID

Enter the number of the VLAN for the switch port.

What to do next

Also see Deploy a configuration group.