802.1X Port-Based Authentication

IEEE 802.1X Port-Based Authentication can be configured on network access devices (such as switches or wireless access points) to prevent unauthorized devices from gaining access to the network, even if they have physical access to it.

Prerequisites for Configuring IEEE 802.1X Port-Based Authentication:

  • Enable the Wired AutoConfig service (on Windows):
    1. Click the Start button, type services.msc and press Enter
    2. Double-click the service named Wired AutoConfig
    3. Set the Startup Type to Automatic, start the service and click OK
    4. Reboot your computer for the changes to take effect
  • Configure the LAN connection for 802.1X authentication:
    1. Right-click your network adapter and select Properties
    2. Click the Authentication tab and check the Enable IEEE 802.1X authentication box
    3. Choose the network authentication method Microsoft: Protected EAP (PEAP)
    4. Click Settings for more details
    5. Unselect Validate server certificate (with this unchecked, the client does not verify the identity of the RADIUS server it authenticates to)
    6. Click Configure on Authentication method
    7. Unselect Automatically use my Windows logon name and password
    8. Click "OK" twice to return to the Local Area Connection Properties
    9. Click Additional Settings
    10. Select Specify authentication mode and choose User authentication
  • Ensure that the RADIUS server is operational and already has users configured

Configuring IEEE 802.1X Port-Based Authentication:

Step 1: Enable AAA and configure a RADIUS server using either the older or the newer method

!
Sw1(config)# aaa new-model
! Older method (keep the key last: text after "key" is taken as part of the key)
Sw1(config)# radius-server host 172.16.254.1 auth-port 1812 acct-port 1813 key YOUR-KEY
!
! Newer method (named server block)
Sw1(config)# radius server RAD-SRV
Sw1(config-radius-server)# address ipv4 172.16.254.1 auth-port 1812 acct-port 1813
Sw1(config-radius-server)# key YOUR-KEY
!

Step 2: Force dot1x authentication to use the RADIUS server, and globally enable 802.1X port-based authentication

!
Sw1(config)# aaa authentication dot1x default group radius
Sw1(config)# dot1x system-auth-control
!

Step 3: Set the PAE (Port Access Entity) type to Authenticator and enable 802.1X authentication on the required ports (using either the older or the newer method)

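!
! The port must not be in dynamic mode (see the note below)
Sw1(config-if)# switchport mode access
Sw1(config-if)# dot1x pae authenticator
!
! Older method
Sw1(config-if)# dot1x port-control auto
! Newer method
Sw1(config-if)# authentication port-control auto
!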

Note: The IEEE 802.1X protocol is not supported on ports in dynamic mode (either desirable or auto).
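
The three steps and the note above can be checked against a saved switch configuration. The following Python script is an added example, not part of the original article or of any Cisco tooling; the function name `audit_dot1x`, the sample configuration and the rule that trunk ports are exempt are assumptions made for illustration, and dynamic mode is flagged only where a `switchport mode dynamic` line is present in the text.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius server RAD-SRV
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
interface GigabitEthernet0/2
 switchport mode dynamic auto
 dot1x pae authenticator
 dot1x port-control auto
interface GigabitEthernet0/3
 switchport mode access
"""

GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control",
                   "aaa authentication dot1x default group radius")
PORT_CONTROL = {"dot1x port-control auto", "authentication port-control auto"}

def audit_dot1x(config):
    """Return findings for a running-config; an empty list means all checks pass."""
    top, ports, current = [], {}, None
    for line in config.splitlines():
        if line[:1] != " ":                     # top-level command (or "!")
            top.append(line.strip())
            m = re.match(r"interface (\S+)", line)
            current = ports.setdefault(m.group(1), set()) if m else None
        elif current is not None:               # sub-command of an interface
            current.add(line.strip())
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top]
    if not any(t.startswith(("radius-server host ", "radius server ")) for t in top):
        findings.append("global: no RADIUS server defined")
    for name, cmds in ports.items():
        if "switchport mode trunk" in cmds:
            continue                            # assumption: trunks are exempt
        if any(c.startswith("switchport mode dynamic") for c in cmds):
            findings.append(f"{name}: dynamic mode, 802.1X not supported")
        if "dot1x pae authenticator" not in cmds:
            findings.append(f"{name}: missing 'dot1x pae authenticator'")
        if not cmds & PORT_CONTROL:
            findings.append(f"{name}: port-control is not 'auto'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dot1x(SAMPLE_CONFIG)))
```

On the sample it reports the missing global `dot1x system-auth-control`, the dynamic-mode port and the access port that has no 802.1X commands at all.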

Useful link: 802.1X
