Wednesday, June 13, 2012

How Does 802.1X Work In A Cisco Environment - A Document I Created

 I made up a document for a company some time back about 802.1X and how it works in that company.  I thought Id post it here in the hopes that its is helpful to you all.  Below is the document:
There are 3 sections to this document, shown below.  Please read this document in its entirety. 
1.  How DOT1X works in "company name"’s environment.
2.  Things you should know about your Cisco SWITCHES:
3.  Things to remember on the ACS Server:

How DOT1X works in "company name"’s environment.

Device Roles in the Dot1x environment:
With 802.1x port-based authentication, the devices in the network have specific roles.
Host:  Requests access to the LAN and switch services and responds to requests from the switch.
Authentication server (  Performs the actual authentication of the host. The authentication server validates the identity of the host and notifies the switch whether or not the host is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the host.
Cisco Switch:  Controls the physical access to the network based on the authentication status of the host.  The switch acts as an intermediary (proxy) between the host and the authentication server, requesting identity information from the host, verifying that information with the authentication  server, and relaying a response to the host. The switch interacts with the RADIUS client. The RADIUS client encapsulates and decapsulates the EAP frames and interacts with the authentication server.

How 802.1x Authentication Works
IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through accessible ports.   802.1x authenticates each user device that is connected to a switch port before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switch port to which the device is connected. After authentication is successful, normal traffic can pass through the switch port.  802.1x controls network access by creating two distinct "virtual access points" at each switch port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device that is connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.

Steps to successful Authentication (Refer to picture below):
1.    Client, when plugged into the network, sends out EAPOL-Start message and waits for response from switch.
2.    Switch sends EAP-Request/Identity.  Basically, a “what is your mac-address/hostname?”.
3.    Client responds with a EAP-Response/Identity message.  Basically a “I am this mac-address/hostname credentials”.
4.    Switch forwards this over to the ACS radius server ( 
5.    ACS radius server sends back a radius access-request message, saying “what is your userID/password credentials?”.
6.    Switch forwards the message to the client, saying “userID/password please”.
7.    Client responds with a EAP-Response/OTP (one time password) message.  “I am userID/password”.
8.    Switch forwards this message over to the ACS radius server.
9.    ACS radius server responds with a Radius Access-Accept message.  Either a “yes, you can”.  If password is not right, it’s a “no, you cant”.

Steps taken when the client does not support 802.1x:
  In "company name"’s network, if the client does not support 802.1x, no messages are sent are sent from the client, therefore when the “guest vlan” is set on the port, the client is then moved over to the guest vlan on the network.  If there is not guest vlan, there is no access for the client and it will be shut down.

Things you should know about your Cisco SWITCHES:

Port States:
force-authorized:  Disables 802.1x authentication and causes the port to transition to the
authorized state without any authentication exchange required. The port transmits and receives
normal traffic without 802.1x-based authentication of the host. This is the default setting.
force-unauthorized:  Causes the port to remain in the unauthorized state, ignoring all attempts by the host to authenticate. The switch cannot provide authentication services to the host through the interface.
auto:  Enables 802.1x authentication and causes the port to begin in the unauthorized state,
allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the host and begins relaying authentication messages between the host and the authentication server. Each host attempting to access the network is uniquely identified by the switch by using the host’s MAC address.

Guest VLAN:
You can use the guest VLAN feature to enable non-802.1x capable hosts to access networks that use 802.1x authentication.  Hosts that do not have 802.1x supplicant capability will not be able to respond the EAPoL requests initiated by the switch. Normally the port will be shut down if the switch identifies that the connected host is clientless. If the guest VLAN feature is enabled, the port will be associated with a different VLAN instead of shutting down.
Example:  Cut and paste from "company name" switch SSA-MDF-1
aaa authentication dot1x default group radius   Create an 802.1X authentication method list.
dot1x system-auth-control      Enable 802.1X authentication globally on the switch.

****NOTE****:  Below port is in correct configuration for enabled dot1x:
interface FastEthernet0/11
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 301
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator   Enables 802.1X authentication on the port with default parameters.
 dot1x port-control auto      Enable 802.1X authentication on the interface.
 dot1x host-mode multi-host   Allows multiple hosts (clients) on an 802.1X-authorized port.
 dot1x timeout tx-period 15   Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request.
 dot1x guest-vlan 620   Enables “guest vlan” access for clients that do not support 802.1x. Port will not shut down!
 spanning-tree portfast

****NOTE****:  Below port is in “force-authorized” configuration for enabled dot1x.  The command “dot1x port-control auto” is not present below, which will end up in default mode, “force-authorized” mode:
interface FastEthernet0/27
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 301
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
 dot1x host-mode multi-host
 dot1x timeout tx-period 15
 dot1x guest-vlan 620
 spanning-tree portfast

*****NOTE*****:  I have noticed on this particular example that the Radius server configuration is NOT complete on the switch SSA-MDF-1.  I have not checked the others, but if one isn’t correct, then there may be others as well.

*****NOTE*****:  These switches/routers have to be configured as devices that authenticate to the Radius server.  If they are not configured in the ACS Server, then they will not authenticate with ACS.   See next section for where to go for this.

Things to remember on the ACS Server:
To add the Cisco switches/routers to be able to authenticate via the ACS Radius server, go to the following:
Network Configuration --> Network Groups --> Dot1x --> Add Device.

*****NOTE*****:  On the ACS Server, under Shared Profile Components --> Network Access Restrictions --> Dot1x, this is the profile defined for Dot1x.  Not much there accept a wide open profile to permit.  See screenshot below:

*****NOTE*****:  On the ACS Server, under Group Setup --> select the group you would like to edit, if any.  In the group settings for the group, you can select DOT1X as a requirement for the group to access the network.  See screenshot below: