802.1x Protocol
The 802.1x (dot1x) standard describes a way to authenticate hosts (or supplicants) and to allow connection only to a list of allowed hosts pre-configured on an authentication server. The authentication is performed by the switch (authenticator) which negotiates the authentication with a RADIUS server (authentication server). This allows to block traffic from non-authenticated sources.
The 802.1x protocol defines the following roles:
Supplicant – the host. It provides the authentication credentials to the authenticator and awaits approval.
Authenticator – the device that connects the supplicant to the network, and checks the authentication with the authentication server. The authenticator is also in charge of blocking and isolating of new client till authenticated and allowing communication once the client has passed the authentication. The switch acts as an authenticator.
Authentication server – a RADIUS server which can authenticate the user.
The 802.1x is available only on access physical ports. It is not available on LAG and MLAG ports.
A local analyzer port cannot support 802.1x protocol.
802.1x cannot be activated on router port interfaces.
802.1x cannot run on a port configured to switchport trunk or hybrid.
Management interfaces cannot be configured as 802.1x port access entity (PAE) authenticators.
The following operating modes are supported in 802.1x:
Single host – only one supplicant can communicate through the port.Once authentication of the supplicant is accepted by the authentication server, the switch allows it access. If the supplicant logs off or the port state is changed, the port becomes unauthenticated. And if a different supplicant tries to access through this port, its bidirectional traffic is discarded (including authentication traffic).
NoteAn exception to this is multicast and broadcast traffic which do get transmitted over the interface once authenticated and are exposed to an unauthorized supplicant if it exists.
Multi-host mode – allows connection of multiple hosts over a single port. Only the first supplicant is authenticated. Subsequent hosts have network access without the need to authenticate.
Enable 802.1x protocol.
switch
(config) # protocol dot1xEnable the system as authenticator.
switch
(config) # dot1x system-auth-controlConfigure RADIUS server parameters.
switch
(config) # dot1x radius-server host10.10
.10.10
key my4uth3nt1c4t10nk3y retransmit2
timeout3
Enter the configuration mode of an Ethernet interface.
switch
(config) #interface
ethernet1
/1
switch
(configinterface
ethernet1
/1
) #Configure the interface as a port access entity authenticator.
switch
(configinterface
ethernet1
/1
) # dot1x pae authenticatorConfigure the interface to perform authentication on ingress traffic.
switch
(configinterface
ethernet1
/1
) # dot1x port-control autoVerify 802.1x configuration.
switch
(configinterface
ethernet1
/1
) # show dot1x interfaces ethernet1
/1
Eth1/1
PAE Status: Enabled Configured host mode: Multi-host Configured port-control: Auto Authentication status: Unauthorized Re-Authentication: Disabled Re-Authentication period (sec): - Tx wait period (sec):30
Quiet period (sec):60
Max request retry:2
Last EAPOL RX source MAC:00
:00
:00
:00
:00
:00
protocol dot1x
protocol dot1x no protocol dot1x Enables 802.1x EAPOL protocol. The no form of the command disables 802.1x EAPOL protocol. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.4.2008 |
|
Example |
switch (config)# protocol dot1x |
|
Related Commands |
||
Notes |
dot1x clear-statistics
dot1x clear-statistics Resets the 802.1x counters on all or a specific port. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
config config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config)# dot1x clear-statistics |
|
Related Commands |
||
Notes |
dot1x pae authenticator
dot1x pae authenticator no dot1x pae authenticator Configures the port as a 802.1x port access entity (PAE) authenticator. The no form of the command disables the port from being a 802.1x PAE authenticator. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x system-auth-control |
|
Related Commands |
||
Notes |
dot1x host-mode
dot1x host-mode [multi-host | single-host] no dot1x host-mode Configures the authentication mode to either multi-host or single-host. The no form of the command resets the parameter to its default. |
||
Syntax Description |
multi-host |
Sets the interface to operate in a port-based mode |
single-host |
Sets the interface to operate in a MAC-based mode with support of a single supplicant per interface |
|
Default |
single-host |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
3.4.2300 |
Added “single-host” option |
|
Example |
switch (config interface ethernet 1/2)# dot1x host-mode single-host |
|
Related Commands |
||
Notes |
dot1x port-control
dot1x port-control [auto | force-authorized | force-unauthorized] no dot1x port-control Configures 802.1x port access entity (PAE) port-control. The no form of the command resets the parameter to its default. |
||
Syntax Description |
auto |
The authenticator uses PAE authentication services to allow or block the port traffic |
force-authorized |
Allows traffic on this port regardless of supplicant authorization |
|
force-unauthorized |
Blocks traffic on this port regardless of supplicant authorization |
|
Default |
Force-authorized |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x port-control auto |
|
Related Commands |
||
Notes |
dot1x radius-server host
dot1x radius-server host <IP address> [enable | auth-port <port> | key <password> | prompt-key | retransmit <retries> | timeout <seconds>] no dot1x radius-server host <IP address> enable Configure 802.1x RADIUS server IP address. The no form of the command disables 802.1x RADIUS server. |
||
Syntax Description |
auth-port |
Sets 802.1x RADIUS port to use with this server Range: 1-65535 |
enable |
Sets 802.1x RADIUS as administratively enabled |
|
key |
Configures 802.1x global RADIUS shared secret for servers |
|
prompt-key |
Prompts for key, rather than entering on command line |
|
retransmit |
Configure 802.1x global RADIUS retransmit count for servers Range: 0-5 seconds |
|
timeout |
Configures 802.1x global RADIUS timeout value for servers Range: 1-60 seconds |
|
Default |
auth-port: 1812 key: empty string retransmit: 1 timeout: 3 |
|
Configuration Mode |
config |
|
History |
3.4.2008 |
|
Example |
switch (config)# dot1x radius-server host 10.10.10.10 auth-port 65535 prompt-key enable |
|
Related Commands |
||
Notes |
|
dot1x reauthenticate
dot1x reauthenticate no dot1x reauthenticate Enables supplicant re-authentication according to the configuration of command dot1x timeout reauthentication. The no form of the command disables supplicant re-authentication. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x reauthenticate |
|
Related Commands |
||
Notes |
dot1x system-auth-control
dot1x system-auth-control no dot1x system-auth-control Enables the system as authenticator. The no form of the command disables the system as authenticator. |
||
Syntax Description |
N/A |
|
Default |
Disabled |
|
Configuration Mode |
config |
|
History |
3.4.2008 |
|
Example |
switch (config)# dot1x system-auth-control |
|
Related Commands |
||
Notes |
dot1x timeout reauthentication
dot1x timeout reauthentication <period> no dot1x timeout reauthentication Configures the number of seconds between re-authentication attempts. The no form of the command resets the parameter to its default. |
||
Syntax Description |
period |
Time in second Range: 1-65535 |
Default |
3600 seconds |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x timeout reauthentication 3600 |
|
Related Commands |
||
Notes |
dot1x timeout quiet-period
dot1x timeout quiet-period <period> no dot1x timeout quiet-period Configures the number of seconds that the authenticator remains quiet following a failed authentication exchange with the supplicant. The no form of the command resets the parameter to its default. |
||
Syntax Description |
period |
Time in second Range: 1-65535 |
Default |
60 seconds |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x timeout quiet-period 60 |
|
Related Commands |
||
Notes |
dot1x timeout tx-period
dot1x timeout tx-period <period> no dot1x timeout tx-period Configures the maximum number of seconds that the authenticator waits for supplicant response of EAP-request/identify frame before retransmitting the request. The no form of the command resets the parameter to its default. |
||
Syntax Description |
period |
Time in second Range: 1-65535 |
Default |
30 seconds |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x timeout quiet-period 30 |
|
Related Commands |
||
Notes |
dot1x max-req
dot1x max-req <retries> no dot1x max-req Configures the maximum amount of retries for the authenticator to communicate with the supplicant over EAP. The no form of the command resets the parameter to its default. |
||
Syntax Description |
retries |
The number of request retries Range: 1-10 |
Default |
2 |
|
Configuration Mode |
config interface ethernet |
|
History |
3.4.2008 |
|
Example |
switch (config interface ethernet 1/2)# dot1x max-req 2 |
|
Related Commands |
||
Notes |
show dot1x
show dot1x Displays 802.1x information on all interfaces. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2008 |
|
Example |
||
switch (config)# show dot1x |
||
Related Commands |
||
Notes |
show dot1x interfaces ethernet
show dot1x interfaces ethernet <slot>/<port> Displays 802.1x interface information. |
||
Syntax Description |
<slot>/<port> |
Ethernet interface |
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2008 |
|
Example |
switch (config)# show dot1x interfaces ethernet 1/2 |
|
Related Commands |
||
Notes |
show dot1x interfaces ethernet statistics
show dot1x interfaces ethernet <slot>/<port> statistics Displays 802.1x interface information. |
||
Syntax Description |
<slot>/<port> |
Ethernet interface |
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2008 |
|
Example |
||
switch (config)# show dot1x interfaces ethernet 1/2 statistics Eth1/2 |
||
Related Commands |
||
Notes |
show dot1x radius
show dot1x radius Displays 802.1x RADIUS settings. |
||
Syntax Description |
N/A |
|
Default |
N/A |
|
Configuration Mode |
Any command mode |
|
History |
3.4.2008 |
|
Example |
switch (config)# show dot1x radius |
|
Related Commands |
||
Notes |