802.1X Port-Based Authentication

IEEE 802.1X Port-Based Authentication can be configured on network access devices (such as switches or wireless access points) to prevent unauthorized devices from gaining access to the network, even if they have physical access to the network medium.

Prerequisites for Configuring IEEE 802.1X Port-Based Authentication:

  • Enable the Wired AutoConfig service (on Windows):
    1. Click the Start button, type services.msc and press Enter
    2. Double-click the service named Wired AutoConfig
    3. Set the Startup type to Automatic, start the service and click OK
    4. Reboot your computer for the changes to take effect
  • Configure the LAN connection for 802.1X authentication:
    1. Right-click your network adapter and select Properties
    2. Click the Authentication tab and check the Enable IEEE 802.1X authentication box
    3. Choose the network authentication method Microsoft: Protected EAP (PEAP)
    4. Click Settings for more details
    5. Unselect Validate server certificate (the client will then not verify the identity of the RADIUS server it authenticates to)
    6. Click Configure on Authentication method
    7. Unselect Automatically use my Windows logon name and password
    8. Click “OK” twice to return to the Local Area Connection Properties
    9. Click Additional Settings
    10. Select Specify authentication mode and specify User authentication
  • Ensure that the RADIUS server is operational and already has user accounts

Configuring IEEE 802.1X Port-Based Authentication:

Step 1: Enable AAA and configure a RADIUS server using either the older or the newer method

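Sw1(config)# aaa new-model
! Older method (RADIUS-SERVER-IP and YOUR-KEY are placeholders; the key must be the last item on the line)
Sw1(config)# radius-server host RADIUS-SERVER-IP auth-port 1812 acct-port 1813 key YOUR-KEY
! Newer method
Sw1(config)# radius server RAD-SRV
Sw1(config-radius-server)# address ipv4 RADIUS-SERVER-IP auth-port 1812 acct-port 1813
Sw1(config-radius-server)# key YOUR-KEY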

Step 2: Force dot1x authentication to use the RADIUS server, and globally enable 802.1X port-based authentication

Sw1(config)# aaa authentication dot1x default group radius
Sw1(config)# dot1x system-auth-control

Step 3: Set the PAE (Port Access Entity) type to Authenticator and enable 802.1X authentication on the required ports (using either the older or the newer method)

Sw1(config-if)# dot1x pae authenticator
! Older method
Sw1(config-if)# dot1x port-control auto
! Newer method
Sw1(config-if)# authentication port-control auto

Note: IEEE 802.1X protocol is not supported on ports in dynamic mode (either desirable or auto).
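
To check that Steps 1 to 3 and the note above were actually applied, the following Python script audits a saved running-config for the required global commands and lists the ports that are not enforcing 802.1X. It is an added example, not part of the original page or any Cisco tooling; the check labels, the choice to skip trunk and shut-down ports, and the sample config are assumptions made for illustration.

```python
import re
# Commands from Steps 1-3 above, as regexes over running-config lines.
GLOBAL_CHECKS = {
    "aaa new-model": r"aaa new-model$",
    "aaa authentication dot1x": r"aaa authentication dot1x default group radius$",
    "dot1x system-auth-control": r"dot1x system-auth-control$",
    "radius server": r"radius(-server host| server) \S+",
}
PORT_CHECKS = {
    "not a static access port": r"switchport mode access$",
    "PAE type is not authenticator": r"dot1x pae authenticator$",
    "port-control auto not set": r"(dot1x|authentication) port-control auto$",
}
# Assumption: trunks and shut-down ports are out of scope for this audit.
OUT_OF_SCOPE = {"shutdown", "switchport mode trunk"}

def failed(checks, cmds):
    """Names of the checks that no command in cmds satisfies."""
    return [name for name, pat in checks.items()
            if not any(re.match(pat, c) for c in cmds)]

def audit(config):
    """Return (missing_globals, {interface: [problems]}) for a running-config."""
    lines = [line.rstrip() for line in config.splitlines()]
    ports, current = {}, None
    for line in lines:
        header = re.match(r"interface (\S+)$", line)
        if header:
            current = ports.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    findings = {name: failed(PORT_CHECKS, cmds) for name, cmds in ports.items()
                if not OUT_OF_SCOPE & set(cmds)}
    return failed(GLOBAL_CHECKS, lines), {n: p for n, p in findings.items() if p}

# Constructed sample: Gi0/2 was never configured for 802.1X.
SAMPLE = """aaa new-model
radius server RAD-SRV
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
interface GigabitEthernet0/2
 switchport mode access
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port that passes all three port checks but sits on a switch with missing global commands is still unprotected, so read both parts of the result together.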

Useful link: 802.1X
