802.1x on Cisco switches - single host mode with Guest and Restrictive vlan


Tested with IOS 12.2(50) on 3560 and 3750 switches

  • Enable 802.1x globally

(config)#dot1x system-auth-control

  • Create a radius group for 802.1x authentication

(config)#aaa new-model
(config)#aaa group server radius 802_1X
(config-sg-radius)#server 1.1.1.1
(config-sg-radius)#server 1.1.1.2

Define radius servers and key

(config)#radius-server host 1.1.1.1
(config)#radius-server host 1.1.1.2
(config)#radius-server key secret_key

  • Enable authentication method for 802.1x

(config)#aaa authentication dot1x default group 802_1X

  • Enable 802.1x on the port

(config)#interface fa0/1
(config-if)#switchport mode access
(config-if)#switchport access vlan 2
(config-if)#authentication port-control auto

  • Set interface type

(config-if)#dot1x pae authenticator

  • Set control type

(config-if)#authentication control-direction both

  • Set portfast

(config-if)#spanning-tree portfast

Remember to set global bpduguard for portfast!!!

(config)#spanning-tree portfast bpduguard default

  • Set host mode

(config-if)#authentication host-mode single-host

  • Set authentication violation mode

(config-if)#authentication violation shutdown

  • Enable re-authentication and set timer

(config-if)#authentication periodic
(config-if)#authentication timer reauthenticate 32400

  • Set the number of seconds the switch waits for a response to an EAP-request/identity frame from the client before resending the request

(config-if)#dot1x timeout tx-period 4

Default is 5 secs

  • Set the number of seconds the switch remains in the quiet state after a failed authentication exchange with the client

(config-if)#dot1x timeout quiet-period 30

Default is 60 secs
Be careful with this timer in an AD domain

  • Set the number of seconds the switch waits for a response from the authentication server

(config-if)#dot1x timeout server-timeout 15

Default is 30 secs
Combine it with the event action (see Restrictive vlan section)

GUEST Vlan

  • Enable guest vlan globally

(config)#dot1x guest-vlan supplicant

  • Enable action to move user to guest vlan

(config-if)#authentication event no-response action authorize vlan 12

In the guest vlan any EAP-Start attempt from the client changes the port state to UNAUTHORIZED and starts the authentication procedure again

RESTRICTIVE Vlan (only single-host mode)

  • Enable action to move user to restrictive vlan

(config-if)#authentication event fail action authorize vlan 10

Default is 3 attempts, you can change this between 0-5

  • Enable action to move user to restrictive vlan in case of no response from the Radius server

(config-if)#authentication event server dead action authorize vlan 10
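That completes the port configuration. As an added check (example code, not from the original post and not a Cisco tool), the Python script below reads a running-config and reports which of the commands listed above are missing on every port that has "authentication port-control auto", plus the global commands (dot1x system-auth-control, aaa new-model, portfast bpduguard default). The config text inside it is a constructed sample, not output from a real switch; FastEthernet0/2 is deliberately left half-configured. One caveat: IOS does not print default settings in show running-config (single-host is the default host mode), so feed the script output that includes defaults (show running-config all, where the platform supports it) or treat a missing default command as something to verify by hand rather than a definite gap.

```python
# Added example (not from the original page): audit an IOS running-config for
# the 802.1x settings listed in the sections above. The config text is a
# constructed sample; FastEthernet0/2 is deliberately left half-configured.

SAMPLE_RUNNING_CONFIG = """\
dot1x system-auth-control
spanning-tree portfast bpduguard default
aaa new-model
aaa group server radius 802_1X
 server 1.1.1.1
 server 1.1.1.2
aaa authentication dot1x default group 802_1X
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 authentication event fail action authorize vlan 10
 authentication event server dead action authorize vlan 10
 authentication event no-response action authorize vlan 12
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 32400
 authentication violation shutdown
 dot1x pae authenticator
 dot1x timeout tx-period 4
 dot1x timeout quiet-period 30
 dot1x timeout server-timeout 15
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
"""

# Global commands the procedure above requires.
REQUIRED_GLOBAL = (
    "dot1x system-auth-control",
    "aaa new-model",
    "spanning-tree portfast bpduguard default",
)

# Commands required on every port that has "authentication port-control auto".
# Entries are matched as prefixes so the VLAN number after "vlan" may vary.
REQUIRED_PORT = (
    "dot1x pae authenticator",
    "authentication host-mode single-host",
    "authentication violation shutdown",
    "authentication periodic",
    "authentication event fail action authorize vlan",
    "authentication event server dead action authorize vlan",
    "spanning-tree portfast",
)


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a new top-level command ends the block
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return {scope: [missing commands]}; an empty dict means no gaps found."""
    global_lines, interfaces = parse_config(text)
    findings = {}
    missing_global = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    if missing_global:
        findings["global"] = missing_global
    for name, lines in interfaces.items():
        if "authentication port-control auto" not in lines:
            continue  # not an 802.1x port (e.g. the trunk uplink)
        missing = [c for c in REQUIRED_PORT
                   if not any(line.startswith(c) for line in lines)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for scope, missing in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{scope}: missing {', '.join(missing)}")
```

Run against the sample it reports only FastEthernet0/2, which lacks the host-mode, violation, periodic and both event actions; the trunk uplink is skipped because it never enables port-control.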



Troubleshooting

  • #show dot1x all summary

Display authentication status on ports, e.g.

Fa0/1 AUTH 0001.8ba4.3cb1 AUTHORIZED
Fa0/2 AUTH none UNAUTHORIZED

  • #show dot1x all count

Display 802.1x session counts, e.g.

Authorized Clients = 1
UnAuthorized Clients = 0
Total No of Client = 1

  • #show dot1x all details

Display detailed 802.1x information, e.g.

Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 30
ServerTimeout = 15
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 4
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0001.8ba4.3cb1
Session ID = 9579E7CD0000001D059A1AA3
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Dot1x Info for FastEthernet0/2
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED
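The details output is easy to eyeball for two ports but not for a 48-port stack. As an added example (not from the original post), the Python parser below reads the sample output shown above (embedded verbatim as its input), splits it into one record per "Dot1x Info for" block, and flags ports whose timers differ from the values this guide configures (QuietPeriod 30, ServerTimeout 15, TxPeriod 4) or that are not in the AUTHORIZED state. On the sample it flags only FastEthernet0/2, which still has the default timers and no client.

```python
import re

# Added example (not from the original page): parse "show dot1x all details"
# output and flag ports that deviate from the timer baseline configured above.
# The input below is the sample output from the page, embedded verbatim.
SAMPLE_SHOW_DOT1X = """\
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 30
ServerTimeout = 15
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 4
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0001.8ba4.3cb1
Session ID = 9579E7CD0000001D059A1AA3
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Dot1x Info for FastEthernet0/2
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30

Dot1x Authenticator Client List Empty

Port Status = UNAUTHORIZED
"""

# Timer values the procedure in this guide sets on each 802.1x port.
BASELINE = {"QuietPeriod": 30, "ServerTimeout": 15, "TxPeriod": 4}


def parse_dot1x_details(text):
    """Return {interface: {field: value}} for every "Dot1x Info for" block."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None or " = " not in line:
            continue  # preamble, separators, "Client List Empty"
        key, value = (part.strip() for part in line.split(" = ", 1))
        ports[current][key] = value
    return ports


def check_ports(text, baseline=BASELINE):
    """Return {interface: [issue, ...]} for ports off baseline or unauthorized."""
    issues = {}
    for name, fields in parse_dot1x_details(text).items():
        found = []
        for key, want in baseline.items():
            got = fields.get(key)
            if got is None or int(got) != want:
                found.append(f"{key}={got} (expected {want})")
        if fields.get("PortControl") != "AUTO":
            found.append(f"PortControl={fields.get('PortControl')} (expected AUTO)")
        if fields.get("Port Status") != "AUTHORIZED":
            found.append(f"Port Status={fields.get('Port Status')}")
        if found:
            issues[name] = found
    return issues


if __name__ == "__main__":
    for name, found in check_ports(SAMPLE_SHOW_DOT1X).items():
        print(name)
        for item in found:
            print("  " + item)
```

Paste the output of show dot1x all details from a real switch in place of the sample and the same checks apply; adjust BASELINE if you chose different timers than this guide.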



  • #show dot1x all statistics

Display all 802.1x stats

  • #show dot1x interface fastEthernet 0/1

Display all 802.1x information on interface Fa0/1

Useful commands

  • #dot1x re-authenticate interface fastEthernet 0/1

Force reauthentication of the client on port fa0/1

  • #dot1x test eapol-capable interface fastethernet 0/1

Check whether the client on the port is EAP capable

dzbanek 2011-06-04

 

 

 

 

 
