Tuesday, November 16, 2010

Dot1x Port Based Authentication

The most widely known way of controlling client access to the network uses port security. A more advanced method is dot1x authentication, which is based on the IEEE 802.1X standard.

A major difference in this authentication method is that both the client (supplicant) and the authenticator (the switch) must be configured to handle dot1x authentication. The authentication server must use the RADIUS/DIAMETER protocol and cannot use the TACACS/TACACS+ protocol. The command for activating dot1x on the switch is “dot1x system-auth-control” in global configuration mode.

Before the client is authenticated to the network, it can only run 3 protocols: Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP) and EAPOL (EAP over LAN). EAPOL carries the EAP authentication between the client and the switch; the switch then forwards the EAP exchange to the RADIUS server and waits for the RADIUS server's decision on what to do with the client. After it is authenticated, the client can run other protocols.

The next step is to configure the port for dot1x authentication. The port can be in one of 3 authorization modes:

1. Force-authorized, which forces the port to authorize every client attempting to access the switch through that port. This means there is effectively no authorization at all; it is the default mode.

2. Force-unauthorized, which forces the port to refuse every client attempting to authenticate on that port.

3. Auto, which enables dot1x on the port and initially blocks the client from any activity other than EAPOL authentication. Once authentication completes, service is granted to the client.

The command on the switch’s port is as follows:

“(config-if)#dot1x port-control [auto | force-authorized | force-unauthorized]”
 
The client has to be configured too. For Windows, the configuration is set via Start → Control Panel → Network Connections; then check the “Enable IEEE 802.1x” checkbox and set the EAP type to MD5.
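As an added example (not from the original post), the following is a minimal Cisco IOS configuration putting the switch-side steps above together: RADIUS as the authentication server, dot1x enabled globally, and the three port-control modes applied to different ports. The RADIUS address, shared key, VLAN number and interface names are constructed placeholders.

```cisco
! Added example: switch side of the dot1x setup described above.
! Server address, key, VLAN and interface names are constructed placeholders.
aaa new-model
! dot1x must use RADIUS; TACACS+ is not usable for this, as noted above
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-KEY
! Enable 802.1X globally; port-level settings have no effect without this
dot1x system-auth-control
!
interface FastEthernet0/1
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
! Auto: only EAPOL (plus CDP/STP) passes until RADIUS accepts the client
 dot1x port-control auto
!
interface FastEthernet0/2
 description printer with no supplicant, deliberately left open
 switchport mode access
! Force-authorized: the default, i.e. no authentication on this port
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 description unused port, kept closed
 switchport mode access
! Force-unauthorized: every client is refused regardless of credentials
 dot1x port-control force-unauthorized
 shutdown
!
end
```

On the switch, `show dot1x all` and `show dot1x interface FastEthernet0/1` display each port's configured port-control mode and its current authorization state, which is the first thing to check when a client cannot get past the EAPOL stage. EAP-MD5, the client setting chosen above, authenticates only the client and derives no keys, so where the switch and supplicant support it, PEAP or EAP-TLS is the usual choice.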
 
 
In summary, dot1x configuration needs to be done on the switch, the switch port, and the client. It can also only be used with the RADIUS/DIAMETER protocols.
