The IEEE802 LAN\/WAN committee proposed the 802.1X protocol to solve the problem of wireless LAN network security. Later, the 802.1X protocol was widely used in Ethernet as a common access control mechanism for LAN ports, mainly to solve the problems of authentication and security in Ethernet. The 802.1X protocol is a port based network access control protocol. "Port-based network access control" means that, at the port level of the LAN access device, the access to the network resources is controlled through authentication for the connected user equipment. 802.1X Architecture The 802.1X system is a typical Client\/Server structure, as shown in Figure 3, including three entities: Client, Device and Authentication server. Figure 3 802.1X Authentication System Architecture<\/p>\n
802.1X Authentication Method The 802.1X authentication system uses EAP (Extensible Authentication Protocol) to realize the exchange of authentication information between the client, the device and the authentication server.<\/p>\n
802.1X Basic Concepts Controlled\/Uncontrolled Port The device side provides a port for the client to access the LAN. This port is divided into two logical ports: a controlled port and an uncontrolled port. Any frame arriving at this port is visible on both controlled and uncontrolled ports.<\/p>\n
Authorized\/Unauthorized Status The device uses the authentication server to authenticate the client that needs to access the LAN, and controls the authorization\/unauthorized status of the controlled port according to the authentication result (Accept or Reject). Figure 4 Shows the effect of different authorization states on the controlled port on packets passing through this port. The figure compares the port status of two 802.1X authentication systems. The controlled port of system 1 is in an unauthorized state (equivalent to opening the port switch), and the controlled port of system 2 is in an authorized state (equivalent to closing the port switch). Figure 4 Effects of Authorization Status on Controlled Ports The user can control the authorization status of the port through the access control mode configured under the port. The port supports the following three access control modes:<\/p>\n
In the unauthorized state, the controlled port can be set as one-way controlled and two-way controlled.<\/p>\n
Authentication process for 802.1X The 802.1X system supports EAP relay mode and EAP termination mode to interact with the remote RADIUS server to complete authentication. The following descriptions of the two authentication methods take the client's initiative to initiate authentication as an example.<\/p>\n
This method is specified by the IEEE 802.1X standard, and EAP (Extensible Authentication Protocol) is carried in other high-level protocols, such as EAP over RADIUS, so that the extensible authentication protocol packets can reach the authentication server through complex networks. Generally speaking, the EAP relay mode requires the RADIUS server to support EAP attributes: EAP-Message and Message-Authenticator, which are used to encapsulate EAP packets and protect RADIUS packets carrying EAP-Message respectively. The following takes EAP-MD5 as an example to introduce the basic business process, as shown in Figure5 Figure5 IEEE 802.1X EAP relay business process of authentication system The authentication process is as follows:<\/p>\n
SWITCH(config)# dot1x enable<\/code><\/pre>\nSWITCH(config)#no dot1x enable<\/code><\/pre>\nEnable and disable the 802.1X function globally.<\/p>\n
SWITCH(config-if)# dot1x port-control auto<\/code><\/pre>\nSWITCH(config-if)#no dot1x port-control auto<\/code><\/pre>\nThe port enables or disables the 802.1X function.<\/p>\n
SWITCH(config)# radius-server host A.B.C.D auth-port <0-65535> acct-port <0-65535> key WORD<\/code><\/pre>\nSWITCH(config)#no radius-server host A.B.C.D<\/code><\/pre>\nConfigure authentication server information. The default authentication port is 1812 and the accounting port is 1813. Please ensure that the RADIUS server and the device management address communicate with each other.<\/p>\n
SWITCH(config-if)# dot1x protocol-version <1-2><\/code><\/pre>\nSWITCH(config-if)#no dot1x protocol-version<\/code><\/pre>\nConfigure the version number of the EAPOL protocol on the specified port. Optional configuration, default is 2.<\/p>\n
SWITCH(config-if)# dot1x quiet-period <1-65535><\/code><\/pre>\nSWITCH(config-if)#no dot1x quiet-period<\/code><\/pre>\nConfigure the hold time of the HELD state. Optional configuration, the unit is seconds, the default is 60.<\/p>\n
SWITCH(config-if)# dot1x reauthentication<\/code><\/pre>\nSWITCH(config-if)#no dot1x reauthentication<\/code><\/pre>\nThe re-authentication function is enabled on the configuration port. Optional configuration, disabled by default.<\/p>\n
SWITCH(config-if)# dot1x reauthMax <1-10><\/code><\/pre>\nSWITCH(config-if)#no dot1x reauthMax<\/code><\/pre>\nConfigure the maximum number of times for port re-authentication. If the number of re-authentication requests exceeds the limit and there is no response, the port becomes unauthorized. Optional configuration, default 2 times.<\/p>\n
SWITCH(config-if)# dot1x keytxenabled { disable | enable}<\/code><\/pre>\nConfigure the port key transfer function. Optional, disabled by default.<\/p>\n
SWITCH(config-if)# dot1x timeout {re-authperiod <1-4294967295> | server-timeout <1-65535> | supp-timeout <1-65535> | tx-period <1-65535>}<\/code><\/pre>\nSWITCH(config-if)#no dot1x timeout {re-authperiod | server-timeout | supp-timeout | tx-period}<\/code><\/pre>\nConfigure the port timer time. Optional configuration, the default re-authentication period is 3600 seconds, the server timeout is 30 seconds, the client authentication timeout is 30 seconds, and the client request timeout is 30 seconds.<\/p>\n
SWITCH(config)# mac-auth enable<\/code><\/pre>\nSWITCH(config)#no mac-auth enable<\/code><\/pre>\nEnable or disable the MAC authentication function globally.<\/p>\n
SWITCH(config-if)# mac-auth {enable | disable}<\/code><\/pre>\nThe port enables or disables the MAC authentication function.<\/p>\n
SWITCH(config-if)# mac-auth dynamic-vlan-creation {enable | disable}<\/code><\/pre>\nThe port enables or disables dynamic VLAN delivery of MAC authentication. The current version is not supported.<\/p>\n
SWITCH(config-if)# mac-auth auth-fail-action {drop-traffic | restrict-vlan <2-4094>}<\/code><\/pre>\nConfigure the behavior of MAC authentication failure. Optional configuration, default is drop-traffic: drop traffic. The current version is not supported.<\/p>\n
SWITCH(config)# radius-server deadtime <0-1440><\/code><\/pre>\nSWITCH(config)# no radius-server deadtime<\/code><\/pre>\nConfigure the RADIUS server death time.During the authentication process, the dead server will be automatically skipped, and the non-dead server will be selected for authentication. Optional configuration, the default is 0 minutes.<\/p>\n
SWITCH(config)# radius-server key STRING<\/code><\/pre>\nSWITCH(config)# no radius-server key<\/code><\/pre>\nConfigure the RADIUS server default key. Optional configuration.<\/p>\n
SWITCH(config)# radius-server retransmit <1-100><\/code><\/pre>\nSWITCH(config)# no radius-server retransmit<\/code><\/pre>\nConfigure the RADIUS server retransmission times. Optional configuration, the default is 3 times.<\/p>\n
SWITCH(config)# radius-server timeout <1- 60><\/code><\/pre>\nSWITCH(config)# no radius-server timeout<\/code><\/pre>\nConfigure the RADIUS server timeout period. Optional configuration, the default is 5 seconds.<\/p>\n
Examples<\/h2>\n
802.1X Port Authentication Scenario \u200f \u2022 Requirement<\/p>\n
\n- Requires authentication of access users on port GigabitEthernet0\/3 to control their access to the Internet.<\/li>\n
- RADIUS server group IP address 1.1.1.2.<\/li>\n
- Set the shared key to be used when the system exchanges packets with the RADIUS server as name.<\/li>\n<\/ul>\n
\u200f \u2022 Network Diagram Figure 6 802.1X Typical network diagram for 802.1x authentication<\/p>\n
\n- Typical configuration example<\/li>\n<\/ul>\n
Device side:<\/p>\n
SWITCH(config)#dot1x enable<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/3<\/code><\/pre>\nSWITCH(config-if)#dot1x port-control auto<\/code><\/pre>\nSWITCH(config-if)#exit<\/code><\/pre>\nSWITCH(config)#radius-server host 1.1.1.2 key name<\/code><\/pre>\nServer: Configure NAS authentication device 1.1.1.1 and communication key name. Add user account test password test. The corresponding authentication method needs to be supported, such as EAP-MSCHAPv2 Client: Enable 802.1X authentication client and log in with account test. The corresponding authentication method needs to be supported, such as the EAP-MSCHAPv2 method.<\/p>\n
MAC Authentication Scenario<\/h2>\n
\u200f \u2022 Requirement<\/p>\n
\n- Requires authentication of access users on port GigabitEthernet0\/3 to control their access to the Internet.<\/li>\n
- RADIUS server group IP address 1.1.1.2.<\/li>\n
- Set the shared key when the system and the RADIUS server exchange messages as name.<\/li>\n<\/ul>\n
\u200f \u2022 Network Diagram Figure 7 Typical network diagram for MAC authentication<\/p>\n
\n- Typical configuration example<\/li>\n<\/ul>\n
Device side:<\/p>\n
SWITCH(config)# mac-auth enable<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/3<\/code><\/pre>\nSWITCH(config-if)#mac-auth enable<\/code><\/pre>\nSWITCH(config-if)#exit<\/code><\/pre>\nSWITCH(config)#radius-server host 1.1.1.2 key name<\/code><\/pre>\nServer: Configure NAS authentication device 1.1.1.1 and communication key name. Add the client MAC address as the user account and password to the user database. Client: Enable the 802.1X authentication client and log in with any account.<\/p>\n
Display Information<\/h2>\n\n- Show 802.1X Port Authentication Information<\/li>\n<\/ul>\n
SWITCH#show dot1x all<\/code><\/pre>\n802.1X Port-Based Authentication Enabled RADIUS server address: 1.1.1.2:1812 Next radius message id: 0 RADIUS client address: not configured 802.1X info for interface gigabitEthernet0\/6 portEnabled: true – portControl: Auto portStatus: Unauthorized – currentId: 1 protocol version: 2 reAuthenticate: disabled reAuthPeriod: 3600 abort:F fail:F start:F timeout:F success:F PAE: state: Connecting – portMode: Auto PAE: reAuthCount: 1 – rxRespId: 0 PAE: quietPeriod: 60 – reauthMax: 2 – txPeriod: 30 BE: state: Idle – reqCount: 0 – idFromServer: 0 BE: suppTimeout: 30 – serverTimeout: 30 CD: adminControlledDirections: in – operControlledDirections: in CD: bridgeDetected: false KR: rxKey: false KT: keyAvailable: false – keyTxEnabled: false<\/p>\n
SWITCH#show bridge<\/code><\/pre>\nBridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out ———+——+——+——+———–+– —————+—–+———+<\/p>\n","protected":false},"excerpt":{"rendered":"
Networking \u203a Switching \u203a Edge \u203a Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":21,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6370","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6370"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6370\/revisions"}],"predecessor-version":[{"id":6418,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6370\/revisions\/6418"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6370"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}