802.1x Support

802.1X authentication

IEEE 802.1X port-based authentication is a network security protocol that

  • prevents unauthorized devices from accessing the network

  • utilizes EAP authentication models to ensure secure communication, and

  • integrates with devices like routers, switches, and access points based on configuration.

Feature history

Table 1. Feature history for 802.1X authentication

Feature name: 802.1X authentication
Release information: Cisco IOS XE 16.9.1
Feature description: IEEE 802.1X port-based authentication is a network security protocol that utilizes EAP authentication models to ensure secure communication, and integrates with devices like routers, switches, and access points based on configuration.

Feature name: Access ports with dual port authentication
Release information: Cisco IOS XE 17.17.1
Feature description: The access ports with dual port authentication feature supports dual Ethernet ports on Cisco Catalyst 9136 APs and Cisco Wireless 9178I APs.

Currently, Cisco Wave 2 and Wi-Fi 6 (802.11AX) APs support 802.1X authentication with switch ports for EAP-FAST, EAP-TLS, and EAP-PEAP methods. Configuration and credential provision to APs can be done through the controller.


Note

If the AP is configured for dot1x EAP-FAST, upon reboot it performs an anonymous PAC provision using ADH cipher suites to establish an authenticated tunnel. Authentication fails if the RADIUS server does not support ADH cipher suites.

EAP-FAST protocol

In the EAP-FAST protocol developed by Cisco, to establish a secured TLS tunnel with the RADIUS server, the AP requires a strong shared key (PAC), provided through in-band provisioning or manual out-of-band provisioning.

  • The EAP-FAST type configuration requires 802.1X credentials to be configured for the AP, because the AP uses EAP-FAST with the MSCHAP Version 2 method.

  • Cisco 7925 phones do not support Local EAP.

  • In Cisco Wave 2 APs, for 802.1X authentication using EAP-FAST after PAC provisioning (triggered by the initial connection or after an AP reload), ensure that you configure the switch port to trigger re-authentication using authentication timer restart num or authentication timer reauthenticate num.

EAP-TLS/EAP-PEAP Protocol

The EAP-TLS protocol or EAP-PEAP protocol provides certificate based mutual EAP authentication.

In EAP-TLS, both the server and the client side certificates are required, where the secured shared key is derived for the particular session to encrypt or decrypt data. In EAP-PEAP, only the server-side certificate is required, and the client authenticates using a password-based protocol in a secured channel.

The EAP-PEAP type configuration requires Dot1x credentials configuration for the AP, and the AP also needs to go through LSC provisioning. AP uses the PEAP protocol with MSCHAP Version 2 method.

802.1X authentication limitations

The 802.1X authentication limitations are:

  • 802.1X is not supported on dynamic ports or Ethernet Channel ports.

  • 802.1X is not supported in a mesh AP scenario.

  • There is no recovery from the controller on a credential mismatch or on expiry or invalidity of the certificate on the AP. 802.1X authentication has to be disabled on the switch port so that the AP can reconnect and the configuration can be fixed.

  • There are no certificate revocation checks implemented on the certificates installed in AP.

  • You can provision only one Locally Significant Certificate (LSC) for the AP. Use the same certificate for both CAPWAP DTLS session establishment and 802.1X authentication with the switch. If you disable the global LSC configuration on the controller, the AP deletes the already provisioned LSC.

  • If the AP has clear configurations applied, it will lose the 802.1X EAP Type configuration and the LSC Certificates. The AP should undergo the staging process again if 802.1X is required.

  • 802.1X for trunk port APs on multi-host authentication mode is supported. Network Edge Authentication Topology (NEAT) is not supported on COS APs.

Topology

This topic explains how an AP acts as an 802.1X supplicant and how a switch uses a RADIUS server that supports EAP-FAST, EAP-TLS, and EAP-PEAP to authenticate it.

Summary

When dot1x authentication is enabled on a switch port, the connected device must authenticate itself to send and receive data other than 802.1X traffic.

  • For EAP-FAST authentication, configure the RADIUS server's credentials at the controller and pass them to the AP through a configuration update request.

  • For EAP-TLS or EAP-PEAP, the APs use certificates provided by the local CA server.

Workflow

Figure 1. Topology for 802.1X authentication

Configuring 802.1X authentication type and LSC AP authentication type (GUI)

Complete this task to configure 802.1X authentication type and LSC AP authentication type.

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join Profile page, click Add.

The Add AP Join Profile page is displayed.

Step 3

In the AP > General tab, navigate to AP EAP Auth Configuration.

Step 4

From the EAP Type drop-down list, choose the EAP type as EAP-FAST, EAP-TLS, or EAP-PEAP to configure the dot1x authentication type.

Step 5

From the AP Authorization Type drop-down list, choose either CAPWAP DTLS + or CAPWAP DTLS.

Step 6

Click Save & Apply to Device.


The 802.1X authentication type and LSC AP authentication type are configured.

Configure 802.1X authentication type and LSC AP authentication type (CLI)

Complete this task to configure 802.1X authentication type and LSC AP authentication type.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Specify a profile name.

Example:

Device(config)# ap profile ap-profile-name

Step 3

Configure the dot1x authentication type.

Example:

Device(config-ap-profile)# dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Here

  • max-sessions: Configures the maximum 802.1X sessions initiated per AP.

  • username: Configures the 802.1X username for all APs.

  • eap-type: Configures the dot1x authentication type with the switch port.

  • lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 4

Configure the dot1x authentication type as EAP-FAST, EAP-TLS, or EAP-PEAP.

Example:

Device(config-ap-profile)# dot1x eap-type {EAP-FAST | EAP-TLS | EAP-PEAP} 

Step 5

Configure the LSC authentication state on the AP.

Example:

Device(config-ap-profile)# dot1x lsc-ap-auth-state {CAPWAP-DTLS | Dot1x-port-auth | Both}

Here

  • CAPWAP-DTLS: Uses LSC only for CAPWAP DTLS.

  • Dot1x-port-auth: Uses LSC only for dot1x authentication with port.

  • Both: Uses LSC for both CAPWAP-DTLS and Dot1x authentication with port.

Step 6

Exit the AP profile configuration mode and enter the privileged EXEC mode.

Example:

Device(config-ap-profile)# end

The 802.1X authentication type and LSC AP authentication type have been configured.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# dot1x eap-type EAP-TLS
Device(config-ap-profile)# dot1x lsc-ap-auth-state Dot1x-port-auth
Device(config-ap-profile)# end

Configure the 802.1X username and password (GUI)

Complete these steps to configure the 802.1X username and password.

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join page, click the name of the AP Join profile or click Add to create a new one.

Step 3

Click the Management tab and then click Credentials.

Step 4

Enter the local username, password details, and choose the appropriate local password type.

Step 5

Enter 802.1X username and password details.

Step 6

Choose the appropriate 802.1X password type.

Step 7

Enter the time in seconds after which the session should expire.

Step 8

Enable local credentials or 802.1X credentials, or both, as required.

Step 9

Click Update & Apply to Device.


The configuration of the 802.1X username and password is complete.

Configure the 802.1X username and password (CLI)

Complete these steps to configure the 802.1X username and password.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Specify a profile name for the AP.

Example:

Device(config)# ap profile ap-profile-name

Step 3

Configure the dot1x authentication type.

Example:

Device(config-ap-profile)# dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Here

  • max-sessions: Configures the maximum 802.1X sessions initiated per AP.

  • username: Configures the 802.1X username for all APs.

  • eap-type: Configures the dot1x authentication type with the switch port.

  • lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 4

Configure the dot1x username and password for all the APs.

Example:

Device(config-ap-profile)# dot1x username username password {0 | 8} password

Here

  • 0: Specifies an unencrypted password will follow.

  • 8: Specifies an AES encrypted password will follow.


The configuration of the 802.1X username and password is complete.

Device# configure terminal
Device(config)# ap profile ap-profile-name
Device(config-ap-profile)# dot1x username username password 0 password

Enable 802.1X on the switch port (CLI)

Complete these steps to enable 802.1X on the switch port.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enable AAA.

Example:

Device(config)# aaa new-model

Step 3

Create the 802.1X authentication method list that tells the device which method (for example, a RADIUS server group) to use for authenticating supplicants, so that the device can communicate with the AAA server.

Example:

Device(config)# aaa authentication dot1x {default | listname} method1[method2...]

Step 4

Enable AAA authorization for network services on 802.1X.

Example:

Device(config)# aaa authorization network group

Step 5

Enable 802.1X port-based authentication, globally.

Example:

Device(config)# dot1x system-auth-control

Step 6

Enter the interface configuration mode and specify the interface to be enabled for 802.1X authentication.

Example:

Device(config)# interface type slot/port

Step 7

Enable 802.1X port-based authentication on the interface.

Example:

Device(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}

Here are the options:

  • auto: Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device using the supplicant MAC address.

  • force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting.

  • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

Step 8

Set the 802.1X port access entity (PAE) role on the interface; for a switch port facing an AP supplicant, the switch acts as the authenticator.

Example:

Device(config-if)# dot1x pae [supplicant | authenticator | both]

Step 9

Enter the privileged EXEC mode.

Example:

Device(config-if)# end

802.1X is enabled on the switch port.

Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius
Device(config)# aaa authorization network group
Device(config)# dot1x system-auth-control
Device(config)# interface fastethernet2/1
Device(config-if)# authentication port-control auto
Device(config-if)# dot1x pae authenticator
Device(config-if)# end

Verify 802.1X on the switch port

To display the authentication state of 802.1X on the switch port, use the following command:

Device# show dot1x all
Sysauthcontrol             Enabled
Dot1x Protocol Version     2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
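As an added example (not part of this Cisco page or its product code), the following Python helper parses show dot1x all output in the format shown above and flags the two settings this page calls out as necessary for an AP-facing port: PortControl not set to AUTO, and periodic re-authentication left disabled (the EAP-FAST section requires re-authentication after PAC provisioning). The sample transcript and the parser are assumptions modelled on the output format shown here.

```python
import re

# Constructed sample, modelled on the 'show dot1x all' output above (assumption)
SAMPLE_SHOW_DOT1X_ALL = """\
Sysauthcontrol             Enabled
Dot1x Protocol Version     2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
ReAuthPeriod              = 3600 (Locally configured)
"""


def parse_show_dot1x_all(text):
    """Return (global_settings, {interface: {field: value}}) from show dot1x all."""
    global_settings, per_port, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:                      # start of a per-interface block
            current = m.group(1)
            per_port[current] = {}
            continue
        if current is None:        # global header lines: key, 2+ spaces, value
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            if len(parts) == 2:
                global_settings[parts[0]] = parts[1]
        elif "=" in line:          # per-interface lines: key = value
            key, _, value = line.partition("=")
            per_port[current][key.strip()] = value.strip()
    return global_settings, per_port


def audit(text):
    """List settings that leave an AP port unauthenticated or never re-checked."""
    global_settings, ports = parse_show_dot1x_all(text)
    findings = []
    if global_settings.get("Sysauthcontrol") != "Enabled":
        findings.append("global: dot1x system-auth-control is not enabled")
    for name, cfg in ports.items():
        if cfg.get("PortControl") != "AUTO":
            findings.append(f"{name}: PortControl is {cfg.get('PortControl')}, not AUTO")
        if cfg.get("ReAuthentication") != "Enabled":
            findings.append(f"{name}: periodic re-authentication is disabled")
    return findings
```

Run against the sample above, audit() reports only the disabled re-authentication on FastEthernet1; a port left at force-authorized (the default) would be reported as well.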

Verify the authentication type

To display the authentication state of an AP profile, use the following command:

Device# show ap profile default-ap-profile detailed
        AP Profile Name        : default-ap-profile
        Description            : default ap profile
        …
        Dot1x EAP Method       : [EAP-FAST/EAP-TLS/EAP-PEAP/Not-Configured]
        LSC AP AUTH STATE      : [CAPWAP DTLS / DOT1x port auth / CAPWAP DTLS + DOT1x port auth]