Configuring 802.1x on Cisco Catalyst Switches
The following describes how to configure 802.1x port-based authentication on Cisco switches, using either
Switch IOS or CatOS.
Note: Cisco refers to 802.1x as “dot1x”.
This is the base configuration required to support 802.1x on Cisco switch ports:
IOS Switch Config:
config terminal
aaa new-model (This enables AAA/Radius)
aaa authentication dot1x default group radius
(The above creates an 802.1x “method list”)
ip radius source-interface FastEthernet 0/0
(The above defines the RADIUS source-address)
radius-server host 10.1.240.43 (This defines the RADIUS server address)
radius-server key MyKey123 (This defines the RADIUS authorization key)
dot1x system-auth-control (This “turns on” 802.1x authentication on the switch. This
command is required from Switch IOS 12.1(14) onward; earlier IOS releases do not have it.)
interface range FastEthernet 0/1 - 48
switchport access vlan 5 (Defines the VLAN the ports belong to)
switchport mode access (This turns off VLAN “dynamic” mode. No trunking allowed)
dot1x port-control auto (This enables 802.1x on specific ports)
dot1x guest-vlan 666 (Optional: This defines what VLAN to assign to clients
that fail authentication 3 times. Otherwise, the port closes.)
CatOS Switch Config:
set radius server 10.1.240.43 (This defines the RADIUS server address)
set dot1x system-auth-control enable (This “turns on” 802.1x authentication)
set port dot1x 0/1-48 port-control auto (This enables 802.1x on specific ports)
set port dot1x 0/1-48 auth-fail vlan 666 (This defines what VLAN to assign to
clients that fail authentication 3 times)
The last line in each configuration defines what to do when a client fails authentication. The switch will allow 3
attempts before declaring the connection a failure. The switch will then deny access to the port's configured VLAN
and instead re-map the connection to the failure VLAN (VLAN 666 in the examples above), which standard policy
usually defines as an external VLAN with limited network access.
The time between the 3rd authentication failure and VLAN re-assignment is 3 minutes.
Show commands:
IOS Switch:
show dot1x ?
show dot1x statistics
CatOS Switch:
show port dot1x ?
show port dot1x auth-fail-vlan (Shows who failed authentication)
Cisco switches have the ability to periodically refresh 802.1x authentication, if required. This is a global
configuration and cannot be defined on a per-port basis. It is enabled like this:
IOS Switch:
config terminal
dot1x reauthentication (This activates re-authentication)
dot1x timeout re-authperiod 4000 (This defines the timeout value, in seconds.
The default is 3,600 seconds, or 1 hour. The
range of values is 1 to 4,294,967,295)
CatOS Switch: (can be enabled per-port)
set dot1x re-authperiod 4000
set port dot1x 0/5 re-authentication enable
You can force a manual re-authentication on a per-port basis, with this command:
IOS Switch: dot1x re-authenticate interface FastEthernet 0/5
CatOS Switch: set port dot1x 0/5 re-authenticate
This will force an already-connected client to re-submit its EAP credentials for authentication. This is useful for
disconnecting suspect users (i.e. auditors).
You can also force an interface into a “force authorized” state, basically unlocking an interface in an 802.1x
failed/unauthorized state:
IOS Switch: interface FastEthernet 0/5
dot1x force-authorized
dot1x force-unauthorized (This locks out the user)
CatOS Switch: set port dot1x 0/5 port-control force-authorized
set port dot1x 0/5 port-control force-unauthorized
(The above locks out the user)
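As an added example (not code from the original post), a small Python audit that checks a saved IOS running-config against the base 802.1x elements listed above and flags ports left in force-authorized state, ports with no port-control at all, and dot1x applied to a non-access port. The sample config is constructed, and GLOBAL_REQUIRED, check_port and audit_dot1x are this example's own names.

```python
# Constructed sample IOS running-config used as audit input (not from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.240.43
radius-server key MyKey123
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 switchport mode trunk
 dot1x port-control auto
"""

# Global commands the page lists as the base 802.1x configuration.
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x default group radius",
                   "radius-server host", "radius-server key", "dot1x system-auth-control")

def check_port(name, sub):
    """Per-port checks: port-control present, not force-authorized, access mode."""
    control = next((s.split()[-1] for s in sub if s.startswith("dot1x port-control")), None)
    out = []
    if control is None:
        out.append((name, "no 'dot1x port-control auto'; 802.1x not enforced"))
    elif control == "force-authorized":
        out.append((name, "force-authorized bypasses 802.1x"))
    if control == "auto" and "switchport mode access" not in sub:
        out.append((name, "802.1x needs 'switchport mode access'"))
    return out

def audit_dot1x(config):
    """Return (scope, problem) pairs; an empty list means the config passes."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = [("global", "missing '%s'" % c) for c in GLOBAL_REQUIRED
                if not any(l.startswith(c) for l in lines)]
    iface, sub = None, []
    for line in lines + ["!"]:            # trailing "!" flushes the last block
        if line.startswith(" ") and iface:
            sub.append(line.strip())
            continue
        if iface:
            findings += check_port(iface, sub)
        iface, sub = (line.split(None, 1)[1], []) if line.startswith("interface ") else (None, [])
    return findings
```

Run against the output of "show running-config" saved to a file; the sample above yields one global finding (missing dot1x system-auth-control) and two per-port findings.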
Example configuration, on a Cisco 2950 switch:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.2.3.1 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key MyRadiusKey
interface FastEthernet0/1
switchport access vlan 5
switchport mode access