 Feedback
|
Table Of Contents
Configuring IEEE 802.1x Port-Based Authentication
Prerequisites for Configuring IEEE 802.1x Port-Based Authentication
Restrictions for Configuring IEEE 802.1x Port-Based Authentication
IEEE 802.1x Authentication Configuration
Upgrading from a Previous Software Release
Information About IEEE 802.1x Port-Based Authentication
Authentication Initiation and Message Exchange
Ports in Authorized and Unauthorized States
IEEE 802.1x with RADIUS Accounting
IEEE 802.1x Accounting Attribute-Value Pairs
How to Use IEEE 802.1x Authentication With Other Features
IEEE 802.1x Authentication with VLAN Assignment
Prerequisites for IEEE 802.1x VLAN Assignment
Restrictions for IEEE 802.1x VLAN Assignment
IEEE 802.1x Authentication with Guest VLAN
IEEE 802.1x with RADIUS-Supplied Session Timeout
IEEE 802.1x Authentication with Voice VLAN Ports
Enabling IEEE 802.1x SNMP Notifications
Configuration Examples for IEEE 802.1x Features
Enabling IEEE 802.1x and AAA on a Port: Example
Enabling IEEE 802.1x RADIUS Accounting: Example
Configuring IEEE 802.1x with Guest VLAN: Example
Configuring RADIUS-Provided Session Timeout: Example
Configuring IEEE 802.1x with Voice VLAN: Example
Displaying IEEE 802.1x Statistics and Status: Example
Feature Information for Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Port-Based Authentication
First Published: December 7, 2006Last Updated: January 8, 2007This document describes how to configure IEEE 802.1x port-based authentication on Cisco integrated services routers (ISRs). IEEE 802.1x authentication prevents unauthorized devices (supplicants) from gaining access to the network.
Cisco ISRs can combine the functions of a router, a switch, and an access point, depending on the fixed configuration or installed modules. The switch functions are provided by either built in switch ports or a plug-in module with switch ports.
Note
This document describes IEEE 802.1x security features available only on the switch ports in a Cisco ISR.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Configuring IEEE 802.1x Port-Based Authentication" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
•
Prerequisites for Configuring IEEE 802.1x Port-Based Authentication
The features described in this document are available only on switch ports installed in Cisco ISR routers. The IEEE 802.1x port-based authentication features are available in Cisco IOS Release 12.4(11)T on Cisco 800, 870, 1800, 2800, and 3800 series ISRs that support switch ports.
The fixed configuration Cisco 1800 series router platforms and the Cisco 870 series routers have integrated 4-port and 8-port switches.
The following cards or modules support switch ports:
•
–
–
•
–
–
Note
To determine whether your router has switch ports that can be configured with the IEEE 802.1x port-based authentication feature, use the show interfaces switchport command.
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.
Restrictions for Configuring IEEE 802.1x Port-Based Authentication
These sections describe the configuration restrictions for these features:
•
•
•
IEEE 802.1x Authentication Configuration
These are the IEEE 802.1x authentication configuration restrictions:
•
•
•
If the VLAN to which an IEEE 802.1x port is assigned is shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
•
–
–
–
–
Note
VLAN Assignment Configuration
This is the restriction for configuring VLAN assignment and the guest VLAN feature on switch ports in an ISR router:
•
Guest VLAN Configuration
•
•
Upgrading from a Previous Software Release
In Cisco IOS Release 12.4(11)T, the implementation for IEEE 802.1x authentication changed from the previous releases. When IEEE 802.1x authentication is enabled, information about Port Fast is no longer added to the configuration.
Note
dot1xpae authenticator
Information About IEEE 802.1x Port-Based Authentication
Note
The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a port before making available any services offered by the device or the network.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
These sections describe IEEE 802.1x port-based authentication:
•
IEEE 802.1x Authenticator
The following sections describe the basic authentication process:
•
•
Device Roles
With IEEE 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 1.
Figure 1 IEEE 802.1x Device Roles
•
Note
•
•
When the authenticator receives EAPOL frames and relays them to the authentication server, the EAPOL is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP frames are not modified during encapsulation, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
Authentication Initiation and Message Exchange
During IEEE 802.1x authentication, the router or the supplicant can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the router initiates authentication when the link state changes from down to up or periodically if the port remains up and unauthenticated. The router sends an EAP-request/identity frame to the supplicant to request its identity. Upon receipt of the frame, the supplicant responds with an EAP-response/identity frame.
However, if during bootup, the supplicant does not receive an EAP-request/identity frame from the router, the supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the router to request the supplicant's identity.
Note
When the supplicant supplies its identity, the router begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the router port becomes authorized. If the authentication fails, authentication can be retried, the port might be assigned to a VLAN that provides limited services, or network access is not granted. For more information, see the "Ports in Authorized and Unauthorized States" section.
The specific exchange of EAP frames depends on the authentication method being used. Figure 2 shows a message exchange initiated by the supplicant using the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 2 Message Exchange
Authentication Process
To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.
The AAA process begins with authentication. When IEEE 802.1x port-based authentication is enabled and the device attempting to authenticate is IEEE 802.1x-capable (meaning it supports the supplicant functionality) these events occur:
•
The router reauthenticates a supplicant when one of these situations occurs:
•
You can configure the reauthentication timer to use a router-specific value or to be based on values from the RADIUS server.
After IEEE 802.1x authentication using a RADIUS server is configured, the router uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which reauthentication occurs.
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during reauthentication. The actions can be Initialize or ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during reauthentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during reauthentication.
•
Ports in Authorized and Unauthorized States
During IEEE 802.1x authentication, depending on the port state, the router can grant a supplicant access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress traffic except for IEEE 802.1x authentication, CDP, and STP packets. When a supplicant is successfully authenticated, the port changes to the authorized state, allowing all traffic for the supplicant to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and IEEE 802.1x protocol packets before the supplicant is successfully authenticated.
If a client that does not support IEEE 802.1x authentication connects to an unauthorized IEEE 802.1x port, the router requests the client's identity. In this situation, if the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
In contrast, when an IEEE 802.1x-enabled supplicant connects to a port that is not running the IEEE 802.1x standard, the supplicant initiates the authentication process by sending the EAPOL-start frame. When no response is received, the supplicant sends the request for a fixed number of times. Because no response is received, the supplicant begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
•
•
•
If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated supplicant are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the router can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a supplicant logs off, it sends an EAPOL-logoff message, causing the router port to change to the unauthorized state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
For information about configuring IEEE 802.1x port-based authentication, see the "Configuring IEEE 802.1x Authentication" section of the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(25)SEE.
IEEE 802.1x Host Mode
Note
You can configure an IEEE 802.1x port for single-host or for multi-host mode. In single-host mode (see Figure 1), only one supplicant can be authenticated by the IEEE 802.1x-enabled switch port. The router detects the supplicant by sending an EAPOL frame when the port link state changes to the up state. If a supplicant leaves or is replaced with another supplicant, the router changes the port link state to down, and the port returns to the unauthorized state.
In multi-host mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. In this mode, only one of the attached supplicants must be authorized for all supplicants to be granted network access. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the router denies network access to all of the attached supplicants.
Note
For information about configuring IEEE 802.1x host mode, see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(25)SEE.
IEEE 802.1x with RADIUS Accounting
Note
This section describes IEEE 802.1x RADIUS accounting and includes the following topics:
•
•
IEEE 802.1x RADIUS Accounting
Note
Note
IEEE 802.1x RADIUS accounting relays important events to the RADIUS server (such as the supplicant's connection session). This session is defined as the interval beginning when the supplicant is authorized to use the port and ending when the supplicant stops using the port.
Note
After the supplicant is authenticated, the switch sends accounting-request packets to the RADIUS server, which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value (AV) pairs to report various events and related information to the RADIUS server. The following events are tracked:
•
•
•
•
•
When the port state transitions between authorized and unauthorized, the RADIUS messages are transmitted to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS server, which must be configured to log accounting messages.
This is the IEEE 802.1x RADIUS accounting process
1.
2.
3.
4.
5.
6.
7.
8.
The switch port does not log IEEE 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
To configure IEEE 802.1x accounting, you need to do the following tasks:
•
•
•
Enabling AAA system accounting along with IEEE 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. When the accounting RADIUS server receives notice of a system reload event, the server can infer that all active IEEE 802.1x sessions are appropriately closed.
Because RADIUS uses the unreliable transport protocol User Datagram Protocol (UDP), accounting messages may be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, the following system message appears:
Accounting message %s for session %s failed to receive Accounting Response.When the stop message is not transmitted successfully, a message like the following appears:
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.
For information about configuring IEEE 802.1x RADIUS accounting, see the "Enabling 802.1X Accounting" section of the "Configuring 802.1X Port-Based Authentication" chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SGA.
IEEE 802.1x Accounting Attribute-Value Pairs
The information sent to the RADIUS server is represented in the form of AV pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)
AV pairs are automatically sent by a router that is configured for IEEE 802.1x accounting. Three types of RADIUS accounting packets are sent by a router:
•
•
•
Table 1 lists the AV pairs and when they are sent by the router:
Table 1 Accounting AV Pairs
Attribute[1]
User-Name
Always
Always
Always
Attribute[4]
NAS-IP-Address
Always
Always
Always
Attribute[5]
NAS-Port
Always
Always
Always
Attribute[6]
Service-Type
Always
Always
Always
Attribute[8]
Framed-IP-Address
Never
Sometimes1
Sometimes1
Attribute[25]
Class
Always
Always
Always
Attribute[30]
Called-Station-ID
Always
Always
Always
Attribute[31]
Calling-Station-ID
Always
Always
Always
Attribute[40]
Acct-Status-Type
Always
Always
Always
Attribute[41]
Acct-Delay-Time
Always
Always
Always
Attribute[42]
Acct-Input-Octets
Never
Always
Always
Attribute[43]
Acct-Output-Octets
Never
Always
Always
Attribute[44]
Acct-Session-ID
Always
Always
Always
Attribute[45]
Acct-Authentic
Always
Always
Always
Attribute[46]
Acct-Session-Time
Never
Never
Always
Attribute[47]
Acct-Input-Packets
Never
Always
Always
Attribute[48]
Acct-Output-Packets
Never
Always
Always
Attribute[49]
Acct-Terminate-Cause
Never
Never
Always
Attribute[61]
NAS-Port-Type
Always
Always
Always
1 The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Control Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.
You can configure the ISR to send Cisco vendor-specific attributes (VSAs) to the RADIUS server. Table 2 lists the available Cisco AV pairs.
Note
You can view the AV pairs that are being sent by the router by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4T, at this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/debug/command/reference/tdb_r.html
For more information about AV pairs, see RFC 3580, IEEE 802.1x Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.
How to Use IEEE 802.1x Authentication With Other Features
The following sections describe how to use IEEE 802.1x Authentication in combination with other features on the switch ports on an ISR router.
•
•
•
•
•
IEEE 802.1x Authentication with VLAN Assignment
Note
In Cisco IOS Release 12.4(11)T and later releases, the switch ports support IEEE 802.1x authentication with VLAN assignment. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. You can use the VLAN Assignment feature to limit network access for certain users.
The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the supplicant connected to the switch port.
This section contains the following information about IEEE 802.1x VLAN assignment:
•
•
Prerequisites for IEEE 802.1x VLAN Assignment
Before the VLAN Assignment feature is implemented, the following conditions must be met:
•
•
•
•
Restrictions for IEEE 802.1x VLAN Assignment
These are the restrictions that apply to the VLAN Assignment feature:
•
–
–
–
–
Note
•
–
–
•
•
•
Configuring VLAN Assignment
Note
To configure VLAN assignment on a switch port, you need to perform these tasks:
•
•
Note
•
–
–
–
Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section of the "Configuring Switch-Based Authentication" chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(25)SEE.
IEEE 802.1x Authentication with Guest VLAN
Note
You can configure a guest VLAN for each IEEE 802.1x-capable switch port on the router to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the router assigns clients to a guest VLAN when the router does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.
The router maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the router determines that the device connected to that interface is an IEEE 802.1x-capable client, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.
In Cisco IOS Release 12.4(11)T and later releases, if devices send EAPOL packets to the router during the lifetime of the link, the router does not allow clients that fail authentication access to the guest VLAN.
Note
Any number of IEEE 802.1x-incapable clients are allowed access when the router port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multi-host mode.
You can configure any active VLAN except a remote switch port analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
For information about configuring a guest VLAN, see the "Configuring a Guest VLAN" section of the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the Catalyst 3750 Switch Software Configuration Guide, 12.2(25)SEE.
IEEE 802.1x with RADIUS-Supplied Session Timeout
Note
You can specify whether a switch port uses a locally configured or a RADIUS-provided reauthentication timeout. If the switch port is configured to use the local timeout, it reauthenticates the host when the timer expires.
If the switch port is configured to use the RADIUS-provided timeout, it looks in the RADIUS Access-Accept message for the Session-Timeout and optional Termination-Action attributes. The switch port uses the value of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the Termination-Action attribute to determine the switch action when the session's timer expires.
If the Termination-Action attribute is present and its value is RADIUS-Request, the switch port reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the switch port terminates the session.
Note
If the switch port is configured to use the RADIUS-supplied timeout, but the Access-Accept message does not include a Session-Timeout attribute, the switch port never reauthenticates the supplicant. This behavior is consistent with Cisco's wireless access points.
For details on how to configure RADIUS-provided session timeout, see the "Configuring RADIUS-Provided Session Timeouts" section in the "Configuring 802.1X Port-Based Authentication" chapter of the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG.
IEEE 802.1x Authentication with Voice VLAN Ports
Note
A voice VLAN port is a special access port associated with two VLAN identifiers:
•
•
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multi-host mode, additional supplicants can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multi-host mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the router recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the router drops packets from unrecognized IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
Note
For information about configuring IEEE 802.1x with voice VLANs, see the "Configuring IEEE 802.1X with Voice VLAN" section in the "Configuring 802.1X Port-Based Authentication" chapter of the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SG.
Enabling IEEE 802.1x SNMP Notifications
Note
Follow the steps below to enable Simple Network Management Protocol (SNMP) notifications for IEEE 802.1x features on the switch ports.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
IEEE 802.1x MIB Support
Cisco IOS Release 12.4(11)T provides support for the following MIBs that provide SNMP access to IEEE 802.1x feature components:
•
•
The IEEE8021-PAE-MIB supports reporting of the following information:
•
•
The Cisco-PAE-MIB provides SNMP support for the logging and reporting of events, including:
•
•
•
Configuration Examples for IEEE 802.1x Features
This section provides the following comprehensive configuration examples:
•
•
•
•
•
•
Enabling IEEE 802.1x and AAA on a Port: Example
This example shows how to enable IEEE 802.1x and AAA on Fast Ethernet port 2/1, and how to verify the configuration:
Note
This example shows how to enable IEEE 802.1x and AAA on Fast Ethernet port 2/1, and how to verify the configuration:
Router# configure terminalRouter(config)# dot1x system-auth-controlRouter(config)# aaa new-modelRouter(config)# aaa authentication dot1x default group radiusRouter(config)# interface fastethernet2/1Router(config-if)# switchport mode accessRouter(config-if)# dot1x pae authenticatorRouter(config-if)# dot1x port-control autoRouter(config-if)# endRouter# show dot1x interface fastethernet7/1 detailsDot1x Info for FastEthernet7/1-----------------------------------PAE = AUTHENTICATORPortControl = AUTOControlDirection = BothHostMode = SINGLE_HOSTReAuthentication = DisabledQuietPeriod = 60ServerTimeout = 30SuppTimeout = 30ReAuthPeriod = 3600 (Locally configured)ReAuthMax = 2MaxReq = 2TxPeriod = 30RateLimitPeriod = 0Dot1x Authenticator Client List-------------------------------Supplicant = 1000.0000.2e00Auth SM State = AUTHENTICATEDAuth BEND SM Stat = IDLEPort Status = AUTHORIZEDAuthentication Method = Dot1xAuthorized By = Authentication ServerVlan Policy = N/AEnabling IEEE 802.1x RADIUS Accounting: Example
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server. The first command configures the RADIUS server, specifying port 1612 as the authorization port, 1813 as the UDP port for accounting, and rad123 as the encryption key:
Router# configure terminalRouter(config)# radius-server host 172.20.39.46 auth-port 1812 acct-port 1813 key rad123Router(config)# aaa accounting dot1x default start-stop group radiusRouter(config)# aaa accounting system default start-stop group radiusRouter(config)# endRouter#
Note
Configuring IEEE 802.1x with Guest VLAN: Example
This example shows how to enable the guest VLAN feature and to specify VLAN 5 as a guest VLAN:
Router# configure terminalRouter(config)# interface gigabitethernet0/1Router(config-if)# switchport mode accessRouter(config-if)# dot1x pae authenticatorRouter(config-if)# dot1x guest-vlan 5Router(config-if)# dot1x port-control autoRouter(config-if)# endRouter#Configuring RADIUS-Provided Session Timeout: Example
This example assumes you have enabled IEEE 802.1x reauthentication and shows how to configure the switch port to derive the reauthentication period from the server and to verify the configuration:
Router# configure terminalRouter(config)# interface fastethernet7/1Router(config-if)# switchport mode accessRouter(config-if)# dot1x pae authenticatorRouter(config-if)# dot1x timeout reauth-period serverRouter(config-if)# endRouter#Configuring IEEE 802.1x with Voice VLAN: Example
This example shows how to enable IEEE 802.1x with voice VLAN feature on Fast Ethernet interface 5/9:
Router# configure terminalRouter(config)# interface fastethernet5/9Router(config-if)# switchport access vlan 2Router(config-if)# switchport mode accessRouter(config-if)# switchport voice vlan 10Router(config-if)# dot1x pae authenticatorRouter(config-if)# dot1x port-control autoRouter(config-if)# endRouter(config# endRouter#Displaying IEEE 802.1x Statistics and Status: Example
To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.
To display the IEEE 802.1x administrative and operational status for the switch, use the show dot1x all [details | statistics | summary] privileged EXEC command. To display the IEEE 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
This example shows the output of the show dot1x all command:
Router-871# show dot1x allSysauthcontrol EnabledDot1x Protocol Version 2Dot1x Info for FastEthernet1-----------------------------------PAE = AUTHENTICATORPortControl = AUTOControlDirection = BothHostMode = MULTI_HOSTReAuthentication = DisabledQuietPeriod = 60ServerTimeout = 30SuppTimeout = 30ReAuthPeriod = 3600 (Locally configured)ReAuthMax = 2MaxReq = 2TxPeriod = 30RateLimitPeriod = 0Router-871#This example shows the output of the show dot1x summary command:
Router-871# show dot1x all summaryInterface PAE Client Status------------------------------------------------------------------------------------------Fa1 AUTH 000d.bcef.bfdc AUTHORIZEDAdditional References
The following sections provide references related to the IEEE 802.1x Port-Based Authentication feature.
Related Documents
Configuring IEEE 802.1x Port-Based Authentication
The chapter "Configuring 802.1X Port-Based Authentication" in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(31)SGA
IEEE 802.1x Commands
Catalyst 4500 Series Switch Cisco IOS Command Reference, Release 12.2(31)SGA
IEEE 802.1x Commands
Catalyst 3750 Switch Command Reference, Cisco IOS Release 12.2(25)SEE
VPN Access Control Using IEEE 802.1x Authentication
The "VPN Access Control Using 802.1X Authentication" section in the "Configuring 802.1X Authentication Services" chapter in Part 6: "Other Security Features" of the Cisco IOS Security Configuration Guide, Release 12.4
Standards
MIBs
•
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents modified commands only.
Modified Commands
aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
Table 3 contains descriptions of keywords for aaa accounting methods.
In Table 3, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports the following two methods of accounting:
•
•
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 4.
Note
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see "RADIUS Attributes" in the "Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, see "TACACS+ Attributes" in the Cisco IOS Security Configuration Guide.
Note
Cisco Service Selection Gateway Broadcast Accounting
To configure Cisco Service Selection Gateway (SSG) broadcast accounting, the list-name argument must be ssg_broadcast_accounting. For more information about configuring SSG, see the chapter "Configuring Accounting for SSG" in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4T.
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-modelaaa authentication login default group tacacs+aaa authorization auth-proxy default group tacacs+aaa accounting auth-proxy default start-stop group tacacs+The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "sg_water" with a start-stop restriction. The aaa accounting command specifies accounting for vrf "water."
aaa accounting system default vrf water start-stop group sg_waterThe following example defines a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.
aaa new modelaaa authentication dot1x default group radiusaaa authorization dot1x default group radiusaaa accounting dot1x default start-stop group radiusThe following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)
aaa accounting network tunnel start-stop group radiusaaa accounting network session start-stop group radiusRelated Commands
dot1x guest-vlan
To specify an active VLAN as an IEEE 802.1x guest VLAN, use the dot1x guest-vlan command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Command Default
No guest VLAN is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can configure a guest VLAN on a static-access port.
For each IEEE 802.1x port, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication. These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x capable.
When you enable a guest VLAN on an IEEE 802.1x port, the software assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
With Cisco IOS Release 12.4(11)T and later, the switch port maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x switch ports in single-host or multi-host mode.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. You should decrease the settings for the IEEE 802.1x authentication process using the dot1x max-reauth-req and dot1x timeout tx-period interface configuration commands. The amount of decrease depends on the connected IEEE 802.1x client type.
Examples
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client:
Switch(config-if)# dot1x timeout max-reauth-req 3Switch(config-if)# dot1x timeout tx-period 15Switch(config-if)# dot1x guest-vlan 2You can display the IEEE 802.1x administrative and operational status for the device or for the specified interface by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
snmp-server enable traps
To enable all Simple Network Management Protocol (SNMP) notification types that are available on your system, use the snmp-server enable traps command in global configuration mode. To disable all available SNMP notifications, use the no form of this command.
snmp-server enable traps [notification-type] [vrrp]
no snmp-server enable traps [notification-type] [vrrp]
Syntax Description
Command Default
No notifications controlled by this command are sent.
Command Modes
Global configuration
Command History
Usage Guidelines
For additional notification types, see the Related Commands table for this command.
SNMP notifications can be sent as traps or inform requests. This command enables both traps and inform requests for the specified notification types. To specify whether the notifications should be sent as traps or informs, use the snmp-server host [traps | informs] command.
To configure the router to send these SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, all notification types are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. To enable multiple types of notifications, you must issue a separate snmp-server enable traps command for each notification type and notification option.
Most notification types are disabled by default but some cannot be controlled with the snmp-server enable traps command.
The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send notifications, you must configure at least one snmp-server host command.
Examples
The following example shows how to enable the router to send all traps to the host specified by the name myhost.cisco.com, using the community string defined as public:
Router(config)# snmp-server enable trapsRouter(config)# snmp-server host myhost.cisco.com publicThe following example shows how to configure an alarm severity threshold of 3:
Router# snmp-server enable traps alarms 3The following example shows how to enable the generation of a DSP operational state notification from from the command-line interface (CLI):
Router(config)# snmp-server enable traps dsp oper-stateThe following example shows how to enable the generation of a DSP operational state notification from a network management device:
setany -v2c 1.4.198.75 test cdspEnableOperStateNotification.0 -i 1cdspEnableOperStateNotification.0=true(1)The following example shows how to send no traps to any host. The Border Gateway Protocol (BGP) traps are enabled for all hosts, but the only traps enabled to be sent to a host are ISDN traps (which are not enabled in this example).
Router(config)# snmp-server enable traps bgpRouter(config)# snmp-server host user1 public isdnThe following example shows how to enable the router to send all inform requests to the host at the address myhost.cisco.com, using the community string defined as public:
Router(config)# snmp-server enable trapsRouter(config)# snmp-server host myhost.cisco.com informs version 2c publicThe following example shows how to send HSRP MIB traps to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps hsrpRouter(config)# snmp-server host myhost.cisco.com traps version 2c public hsrpThe following example shows that VRRP will be used as the protocol to enable the traps:
Router(config)# snmp-server enable traps vrrpRouter(config)# snmp-server host myhost.cisco.com traps version 2c vrrpThe following example shows how to send IEEE 802.1x MIB traps to the host myhost.cisco.com using the community string defined as public:
Router(config)# snmp-server enable traps dot1xRouter(config)# snmp-server host myhost.cisco.com traps publicRelated Commands
Feature Information for Configuring IEEE 802.1x Port-Based Authentication
Table 5 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.4(11)T or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 5 Feature Information for Configuring IEEE 802.1x Port-Based Authentication
IEEE 802.1x Authenticator
12.3(4)T
This feature was introduced to prevent unauthorized devices (supplicants) from gaining access to the network.
This feature is available on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
In Cisco IOS Release 12.4(11)T, this feature was modified to include the other features listed in Table 5.
The following sections provide information about this feature:
IEEE 802.1x RADIUS Accounting
12.4(11)T
This feature relays important events to the RADIUS server (such as the supplicant's connection session). This information is used for security and billing purposes.
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
•
IEEE 802.1x—VLAN Assignment
12.4(11)T
This feature allows the RADIUS server to send the VLAN assignment to configure the switch port.
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
•
IEEE 802.1x Guest VLAN
12.4(11)T
This feature allows you to configure a guest VLAN for each IEEE 802.1x-capable switch port on the router to provide limited services to clients, such as downloading the IEEE 802.1x client.
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
•
IEEE 802.1x RADIUS-Supplied Session Timeout
12.4(11)T
This feature allows you to specify whether a switch port uses a locally configured or a RADIUS-provided reauthentication timeout.
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
•
IEEE 802.1x—Voice VLAN
12.4(11)T
This feature allows you to configure a special access port associated with two VLAN identifiers:
•
•
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
•
IEEE 802.1x MIB Support
12.4(11)T
This feature provides support for the following MIBs:
•
•
In Cisco IOS Release 12.4(11)T, this feature was introduced on the following Cisco ISRs equipped with cards or modules that include switch ports:
•
•
•
•
•
The following sections provide information about this feature:
Glossary
authentication server—Entity that provides an authentication service to an authenticator. Typically, a RADIUS server operates as an authentication server, with RADIUS acting as a transport for EAP from the authenticator to the authentication server.
authenticator—Facilitates the authentication and granting of service to a supplicant. Typically, an authenticator transposes an EAP conversation from supplicant to authentication server. An authenticator is usually an EAP conduit, but is aware of the conversation.
EAPOL—Extensible Authentication Protocol over LAN. Primarily, IEEE 802.1x is an encapsulation definition for EAP over IEEE 802 media.The key protocol for the transport of an end-to-end EAP conversation via IEEE 802 media between a supplicant and an authenticator.
IEEE 802.1x—Authentication standard for port-based access control over any IEEE 802 or PPP media. Used primarily to identify users before allowing their traffic onto the network. IEEE 802.1x is a framework designed to address and provide port-based access control using authentication.
supplicant—Usually a laptop or other device that requires authentication or has to access service from a network point of attachment.
Note
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2007 Cisco Systems, Inc. All rights reserved.
