1. IEEE 802.1X
Port Based Authentication
AT - 8000S
Marvell Confidential
2. Agenda
• 802.1x Overview
– System roles
– What is EAP
– Authentication Initiation
– Message Exchange
– Port states
– Enhanced features
– Operating system support
• AT - 8000S implementation
– Functional description
– User controls
– User guidelines
– Enhanced features
– Control and status parameters
• CLI Configuration
• 802.1x - Configuration Example
4. 802.1x Overview
• Standard set by the IEEE 802.1 working group—approved in
December 2001
• Designed to address and provide port-based access control
using authentication.
• Describes a standard link layer protocol used for
transporting higher-level authentication protocols (e.g. EAP)
• The authentication server authenticates the clients
connected to a switch port before making available any
services offered by the switch or the LAN.
5. 802.1x Overview (Cont.)
• Until the client is authenticated, 802.1X access control
allows only Extensible Authentication Protocol over LAN
(EAPOL) traffic through the port to which the client is
connected.
• After authentication is successful, regular traffic can pass
through the port.
6. System Roles
[Figure: Authentication Server (RADIUS), Workstations (clients), Switch/Router (AT - 8000S)]
• Devices that are attached to a LAN are referred to as systems.
• A device or a device port is able to adopt one of the following roles
within an access control interaction:
– Switch (authenticator or back-end authenticator)
– Client (supplicant)
– Authentication server
7. The Switch - Authenticator
• Controls the physical access to the network based on the
authentication status of the client.
• The switch acts as an intermediary between the client and the
authentication server, requesting identity information from
the client, verifying the information with the authentication
server, and relaying the server’s response to the client.
• The switch acts as a RADIUS client, which is responsible
for encapsulating/de-encapsulating the EAP (Extensible
Authentication Protocol) frames and interacting with the
authentication server.
• When the switch receives EAP Over LAN (EAPOL) frames
and relays them to the authentication server, the Ethernet
header is stripped and the remaining EAP frame is re-
encapsulated in the RADIUS format.
8. The Switch – Authenticator (Cont.)
• The EAP frames are not modified or examined during
encapsulation, and the authentication server must support
EAP within the native frame format.
• When the switch receives frames from the authentication
server, the server’s frame header is removed, leaving the
EAP frame, which is then encapsulated for Ethernet and
sent to the client.
• The devices that can act as intermediaries must run software
that supports both the RADIUS client and 802.1X.
9. The Client (Supplicant)
• The device that requests access to the LAN/switch services
and responds to requests from the switch.
• It must be running 802.1x client software.
10. The Authentication Server
• Performs the actual authentication of the client.
• The authentication server validates the identity of the client
and notifies the switch whether or not the client is
authorized to access the LAN and switch services.
• Because the switch acts as the intermediary, the
authentication service is transparent to the client.
• RADIUS operates in a client/server model in which secure
authentication information is exchanged between the
RADIUS server and one or more RADIUS clients.
11. A closer look at the process
[Figure: message flow between the client, the switch (802.1x side) and the authentication server (RADIUS side): Login Req.; Send Credentials / Forward Credentials to the server; Accept / Authentication Successful; Policy Instructions]
Actual authentication is between the client and the server using
EAP; the switch is just the middleman, but it is aware of what is
going on.
12. What Is EAP ?
• EAP—The Extensible Authentication Protocol
• A flexible protocol used to carry arbitrary authentication
information
• Typically rides on top of another protocol such as 802.1x or
RADIUS (could be TACACS+, etc.)
• Specified in RFC 2284
13. 802.1x EAP
[Figure: frame layout: Ethernet Header | 802.1x Header | EAP Payload]
• Transports authentication information in the form of
Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) becomes the middleman for
relaying EAP received in 802.1x packets to an
authentication server by using RADIUS to carry the EAP
information
• Three forms of EAP:
– EAP-MD5—MD5 Hashed Username/Password
– EAP-OTP—One-Time Passwords
– EAP-TLS—Strong PKI Authenticated Transport Layer
Security (SSL)
14. EAPOL (EAP over 802.1x) Frame Format
Offset (bytes)   Field
0                Destination MAC (6 bytes)
6                Source MAC (6 bytes)
12               Ether Type (2 bytes)
14               Version (1 byte)
15               Type (1 byte)
16               Length (2 bytes)
18 .. n          Body
Authenticator to Supplicant
• Destination MAC: 01-80-C2-00-00-03
• Source MAC: Unicast Authenticator MAC
Supplicant to Authenticator
• Destination MAC: 01-80-C2-00-00-03
• Source MAC: Unicast Supplicant MAC
15. EAPOL Frame Types
• EAPOL-Start: The frame is an EAPOL-start frame.
• EAPOL-Logoff: The frame is an explicit EAPOL-logoff
request frame.
• EAP-Packet: The frame carries an EAP packet (see the four
code types in the previous slide).
• EAPOL-Key: The frame is an EAPOL-Key frame.
• EAPOL-Encapsulated-ASF-Alert: The frame carries an
EAPOL-Encapsulated ASF Alert.
16. EAP Header Format
• Initially developed for PPP Authentication
• Code: Request, Response, Success, or Failure
• Identifier is used to match responses with requests
• Format of the data field depends on the code field
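The frame layout, the EAPOL frame types and the EAP header on the three slides above, as an added Python parser that is not part of the original deck or of the AT-8000S firmware. The numeric EAPOL type values, the EtherType 0x888E and the EAP code values are the ones assigned by IEEE 802.1X and RFC 2284; the sample frames and the supplicant MAC are constructed.

```python
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03 on the slide

# EAPOL packet type values assigned by IEEE 802.1X (names as on the frame-types slide)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
# EAP Code values from RFC 2284 (the four codes on the EAP header slide)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(body: bytes) -> dict:
    """EAP header: Code(1) Identifier(1) Length(2), then Type(1) + data for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} does not fit in {len(body)} bytes")
    eap = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (1, 2):                  # Success/Failure carry no Type byte or data
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        eap["type"], eap["data"] = body[4], body[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """EAPOL frame: DstMAC@0 SrcMAC@6 EtherType@12 Version@14 Type@15 Length@16 Body@18."""
    if len(frame) < 18:
        raise ValueError("frame shorter than the 18-byte EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    if dst != PAE_GROUP_MAC:
        raise ValueError(f"unexpected destination MAC {dst.hex('-')}")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {ptype}")
    if 18 + length > len(frame):
        raise ValueError(f"Length field {length} runs past the end of the frame")
    body = frame[18:18 + length]        # Ethernet padding after Length bytes is ignored
    result = {"src_mac": src.hex("-"), "version": version,
              "type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def classify(frame: bytes) -> Optional[str]:
    """EAPOL type name, or None if the frame is not a well-formed EAPOL frame."""
    try:
        return parse_eapol(frame)["type"]
    except ValueError:
        return None


def build_eapol(src_mac: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble a supplicant-to-authenticator EAPOL frame with the slide's layout."""
    return PAE_GROUP_MAC + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


# Constructed sample frames (not captures); the supplicant MAC is made up.
SUPPLICANT = bytes.fromhex("001122334455")
START_FRAME = build_eapol(SUPPLICANT, 1)                        # EAPOL-Start, empty body
IDENTITY = b"alice"
EAP_RESP_IDENTITY = struct.pack("!BBHB", 2, 7, 5 + len(IDENTITY), 1) + IDENTITY  # Response, id 7, Type 1
IDENTITY_FRAME = build_eapol(SUPPLICANT, 0, EAP_RESP_IDENTITY)   # EAP-Packet carrying it
```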
17. Authentication Initiation
• The switch or the client can initiate authentication.
• If you enable authentication on a port, the switch must
initiate authentication when it determines that the port link
state transitions from down to up.
• The switch then sends an EAP-request/identity frame to the
client to request its identity (typically, the switch sends an
initial identity/request frame followed by one or more
requests for authentication information).
• Upon receipt of the frame, the client responds with an EAP-
response/identity frame.
18. Authentication Initiation (Cont.)
• If during client boot-up, the client does not receive an EAP-
request/identity frame from the switch, the client can initiate
authentication by sending an EAPOL-start frame, which
prompts the switch to request the client’s identity.
• If 802.1X is not enabled or supported on the network access
device, EAPOL frames from the client are dropped.
• If the client does not receive an EAP-request/identity frame
after three attempts, the client sends traffic as if the port is
in the authorized state.
• A port in the authorized state effectively means that the
client has been successfully authenticated.
19. Message Exchange
• When the client supplies its identity, the switch begins its
role as the intermediary, passing EAP frames between the
client and the authentication server until authentication
succeeds or fails.
• If the authentication succeeds, the switch port becomes
authorized.
• The specific exchange of EAP frames depends on the
authentication method being used.
20. Message Exchange (Cont.)
• Generally the message exchange looks like this:
– Client → Switch: EAPOL-Start
– Switch → Client: EAP-Request/Identity
– Client → Switch: EAP-Response/Identity
– Switch → Client: EAP-Request/Challenge
– Client → Switch: EAP-Response/Challenge (password)
– Switch → Client: EAP-Success / EAP-Failure → port authorized / not authorized
– Client → Switch: EAPOL-Logoff → port not authorized
21. Port States
• The switch port state determines whether or not the client
is granted access to the network.
• The port starts in the unauthorized state. While in
this state, the port disallows all ingress and egress traffic
except for 802.1X protocol packets.
• When a client is successfully authenticated, the port
transitions to the authorized state, allowing all traffic
to/from the client to pass normally.
• If the authentication fails, the port remains in the
unauthorized state, but authentication can be retried.
22. Port States (Cont.)
• If the authentication server cannot be reached, the switch
can resend the request. If no response is received from the
server after the specified number of attempts,
authentication fails, and network access is not granted.
• When a client logs off, it sends an EAPOL-logoff message,
causing the switch port to transition to the unauthorized
state.
• If the link state of a port transitions from up to down, the
port returns to the unauthorized state.
23. 802.1X Un-supported
• If a client that does not support 802.1X is connected to an
unauthorized 802.1X port, the switch requests the client’s
identity. In this situation, the client does not respond to the
request, the port remains in the unauthorized state, and the
client is not granted access to the network.
• When an 802.1X-enabled client connects to a port that is
not running the 802.1X protocol, the client initiates the
authentication process by sending the EAPOL-start frame.
When no response is received, the client sends the request
for a fixed number of times. When no response is received,
the client begins sending frames as if the port is in the
authorized state.
24. Enhanced Features
• Single-host/Multiple-hosts
• Guest VLAN
• Unauthenticated VLANs
• User based VLAN
25. Single-host / Multiple-hosts
Single host
• Enables only the first host that has been authorized to get access
to the port.
• Filtering is based on the source MAC address.
Multiple hosts
• This is the mode defined by the standard.
• Enables multiple hosts to be attached to a single 802.1x port.
• Only one of the attached hosts must be authorized for all the
hosts to be granted network access.
• If the port transitions to unauthorized, all the attached clients are
denied access to the network.
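The port states from the Port States slides and the single-host / multiple-hosts filtering from the slide above, modelled as an added Python example that is not the AT-8000S implementation. The event names, the max_server_attempts limit (the slides only say "the specified number of attempts") and the MAC addresses are assumptions made to model the slides' description.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Dot1xPort:
    """State of one authenticator port whose port-control is 'auto'."""
    multiple_hosts: bool = False          # AT-8000S default is single host
    max_server_attempts: int = 3          # assumed value of the retry limit
    link_up: bool = False
    authorized: bool = False
    supplicant_mac: Optional[str] = None  # host whose authentication authorized the port
    server_attempts: int = 0
    log: List[str] = field(default_factory=list)

    def _unauthorize(self, reason: str) -> None:
        self.authorized = False
        self.supplicant_mac = None
        self.log.append(f"unauthorized: {reason}")

    # Events described on the slides ------------------------------------
    def link_transition(self, up: bool) -> None:
        """Link up starts authentication in the unauthorized state; link down returns there."""
        self.link_up = up
        self.server_attempts = 0
        self._unauthorize("link up, authentication started" if up else "link down")

    def eap_success(self, mac: str) -> None:
        """EAP-Success relayed from the server: the port becomes authorized for this host."""
        self.authorized = True
        self.supplicant_mac = mac
        self.server_attempts = 0
        self.log.append(f"authorized: {mac} authenticated")

    def eap_failure(self) -> None:
        self._unauthorize("authentication failed, may be retried")

    def eapol_logoff(self) -> None:
        self._unauthorize("EAPOL-Logoff received")

    def server_no_response(self) -> bool:
        """Server unreachable: resend (True) until the limit is reached, then fail (False)."""
        self.server_attempts += 1
        if self.server_attempts < self.max_server_attempts:
            self.log.append(f"resending request to server (attempt {self.server_attempts})")
            return True
        self.server_attempts = 0
        self._unauthorize("no response from authentication server")
        return False

    # Forwarding decision ------------------------------------------------
    def forwards(self, src_mac: str, is_eapol: bool = False) -> bool:
        """Unauthorized: only EAPOL passes. Authorized single-host: only the
        supplicant's own source MAC (other MACs hit the violation action,
        discard by default). Authorized multiple-hosts: every attached host."""
        if not self.link_up:
            return False
        if is_eapol:
            return True
        if not self.authorized:
            return False
        return self.multiple_hosts or src_mac == self.supplicant_mac
```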
26. Guest VLAN
• An option to provide limited network access to an
unauthorized port
• Typical applications:
– Management traffic to unauthorized stations.
– Provide guest access to the Internet.
• One of the VLANs in the switch would be the “guest VLAN“.
• The “guest VLAN“ would be the “untagged” VLAN of ports
in the unauthorized state.
• Guest VLAN is defined dynamically on an unauthenticated
port
27. Unauthenticated VLANs
• VLANs in the switch which are always available to the
users, even if the port is unauthorized, for the use of some
applications like IP telephony.
• Those VLANs are defined as “Unauthenticated” VLANs.
28. 802.1x un-authenticated VLAN / Guest VLAN differences
Port mode: Forced / Auto Authorized
• Un-authenticated VLAN: whenever the port mode changes to authorized, the port remains on the un-authenticated VLAN and behaves according to the dot1Q settings.
• Guest VLAN: whenever the port mode changes to authorized, the port is removed from the guest VLAN and behaves according to the dot1Q settings.
Port mode: Auto / Forced Unauthorized
• Un-authenticated VLAN: whenever the port mode changes to unauthorized, the port remains on the un-authenticated VLAN and will forward only tagged traffic towards the unauthenticated VLAN.
• Guest VLAN: whenever the port mode changes to unauthorized, its VLAN membership and PVID will be overridden by the guest VLAN settings, which take effect instead.
29. User based VLAN
• 802.1x ports are assigned to a VLAN based on the
username of the client connected to that port.
• The Authentication server database maintains the
username-to-VLAN mappings.
• After successful authentication of the port, the
Authentication server sends the VLAN assignment to the
Authenticator.
30. Operating System Support
• Windows XP— shipped with support.
• Windows 2000— available with SP3 + Hotfix or SP4.
• Windows NT/98/Me—limited availability or 3rd party
(MeetingHouse).
• Linux—open source http://www.open1x.org
• Solaris—3rd party via MeetingHouse Communications
http://www.mtghouse.com
31. IEEE 802.1x
Implementation
AT - 8000S
32. Functional Description
• The system implements 802.1x Port Based Authentication
as per the standard, in addition to the enhanced features
described on the next slides.
• The authentication server authenticates each client
connected to a switch port before any communication
(except EAPOL traffic) can take place.
• Authentication is performed using AAA services – such as
RADIUS
• The status of the controlled port is a function of the
communication between the authentication server and the
supplicant.
33. Functional Description (Cont.)
• The port status can be modified by the user.
• Any access to the LAN is subject to the status of the port.
• An uncontrolled port (always authorized) is used to
communicate with the authentication (RADIUS) server
using EAP.
34. AT - 8000S– 802.1X User Controls
• Enable 802.1x on the system.
• Specify how often client authentication occurs.
• Control the port authorization state, or allow it to be set
automatically (force-authorized, force-unauthorized, auto).
• View 802.1x statistics.
• Trigger manual re-authentication.
• Adjust quiet period.
• Reset each value to the default.
35. AT - 8000S – 802.1X User Controls
Enhanced Features
• Enable Single-host / Multiple-hosts on an interface
• Un-authenticated VLANs
– Define a VLAN as an “Unauthenticated” VLAN
• Guest VLAN
– Define a VLAN as a “guest VLAN”
– Enable guest VLAN on an interface
– Guest VLAN cannot be an un-authenticated VLAN and cannot
be the default VLAN
36. AT - 8000S 802.1x - User Guidelines
• AAA services must be enabled in order for 802.1x to work.
• In a shared medium environment, a designated host will be
the authenticated device. As long as it is authorized, all
hosts will be granted access to the network. When it
becomes unauthorized, all hosts will be denied access.
• 802.1x cannot be defined on:
– a LAG.
– a port which is a member of a LAG.
• A port that is configured with 802.1x cannot be added to a
LAG.
• If 802.1x is not enabled or supported on the device, the host
will send frames as if the port is in the authorized state,
meaning that the host has effectively been authenticated.
37. Control and Status parameters
Port status:
• Authorized - The client has full access to the port.
• Unauthorized - The client has limited access to the port.
38. Control and Status parameters (Cont.)
Port administrative control:
• ForceAuthorized - The port is authorized
unconditionally. In this state clients are not required to be
authenticated. This state is the default.
• ForceUnauthorized - The port is unauthorized; clients
cannot log on.
• Auto - Clients are required to authenticate. After
successful authentication the port is authorized;
otherwise the port remains unauthorized.
39. IEEE 802.1x
CLI Configuration
AT - 8000S
40. Enable 802.1x on the Device
• Use the following Global Configuration command to enable
Port-Based Network Access Control on the device:
dot1x system-auth-control
• To disable the Port-Based Network Access Control on the
device, use:
no dot1x system-auth-control
console(config)# dot1x system-auth-control
41. Configuring the AAA methods
• Use the following Global Configuration command to specify one or more
AAA methods for use when running IEEE 802.1x:
aaa authentication dot1x default method1 [method2]
method:
radius – RADIUS server for authentication.
none – no authentication needed.
• To remove it, use the no aaa authentication dot1x default command.
console (config)# aaa authentication dot1x default none
42. Unauthorized VLAN
• Use the following VLAN interface configuration command to
enable unauthorized users access to that VLAN:
dot1x auth-not-req
console(config)# interface vlan 10
console (config-if)# dot1x auth-not-req
• To disable the access use:
no dot1x auth-not-req
43. Manual Authorization State
• Use the following Interface Configuration command to
define the authorization state of the port. Use the “no” form
of this command to return to the default setting (force-authorized):
dot1x port-control {auto | force-authorized | force-unauthorized}
console(config)# interface ethernet 1/e1
console (config-if)# dot1x port-control auto
44. Allowing Multiple Hosts
• Use the following Interface Configuration command to allow
multiple hosts (clients) on an 802.1X (auto) authorized port:
dot1x multiple-hosts
console(config)# interface ethernet 1/e1
console (config-if)# dot1x multiple-hosts
• To return to the default, use the no form of this command.
• By default multiple hosts are disabled.
• If multiple-hosts is enabled and a certain host is authorized,
all other hosts on the interface are also authorized.
45. Violation Action
• Use the following Interface Configuration command to configure the
action to be taken when a station whose MAC address is
not the supplicant MAC address attempts to access the
interface:
dot1x single-host-violation {forward | discard | discard-shutdown} [trap seconds]
• The default is to discard frames whose source address is not
the supplicant address, with no traps sent.
46. Violation Action (Cont.)
• To return to default use:
no port dot1x single-host-violation
• Example:
console(config)# interface ethernet 1/e1
console (config-if)# dot1x single-host-violation forward trap 100
47. 802.1x - Guest VLAN Commands
• Use the following Interface VLAN mode command to define a
dot1x guest VLAN. Use the “no” form of command to return
to default configuration:
dot1x guest-vlan
no dot1x guest-vlan
• Use the following Interface Ethernet mode command to
enable dot1x guest VLAN on a port. Use the “no” form of
command to disable guest VLAN (default):
dot1x guest-vlan enable
no dot1x guest-vlan enable
49. 802.1x - Guest VLAN Example
console# show dot1x advanced ethernet 1/e10
Guest VLAN: 10
Unauthenticated VLANs:
Interface Multiple Hosts Guest VLAN
--------- -------------- ----------
1/g10 Disabled Enabled
Single host parameters
Violation action: Discard
Trap: Disabled
Trap frequency: 10
Status: Not in auto mode
Violations since last trap: 0
50. 802.1x - Guest VLAN Example
console# show vlan
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
1 1 e(2-9,11-48),g(1-4),ch(1-8) other Required
10 10 permanent Not Required
11 11 e10 permanent Guest
51. Quiet State Time
• Use the following Interface Configuration command to set
the number of seconds that the switch remains in the quiet
state following a failed authentication exchange (for
example, the client provided an invalid password).
dot1x timeout quiet-period seconds
• quiet state – no authentication is granted during this period.
• To return to the default use:
no dot1x timeout quiet-period
52. Quiet State Time (Cont.)
• During the quiet period, the switch does not accept or
initiate any authentication requests.
• The default value of this command should only be changed
to adjust for unusual circumstances, such as unreliable
links or specific behavioral problems with certain clients
and authentication servers.
• If it is necessary to provide a faster response time to the
user, a smaller number than the default should be entered.
console (config-if)# dot1x timeout quiet-period 3600
53. EAP Response Time
• Use the following Interface Configuration command to set
the number of seconds that the switch waits for a response
to an EAP - request/identity frame, from the client, before
resending the request for the first time:
dot1x timeout tx-period seconds
• To return to the default use:
no dot1x timeout tx-period
console (config-if)# dot1x timeout tx-period 3600
54. EAP Retransmission Time
• Use the following Interface Configuration command to set
the time for the retransmission of an Extensible
Authentication Protocol (EAP)-request frame to the client:
dot1x timeout supp-timeout seconds
• To return to the default setting use:
no dot1x timeout supp-timeout
console (config-if)# dot1x timeout supp-timeout 3600
55. Maximum Requests
• Use the following Interface Configuration command to set
the maximum number of times that the switch sends an
EAP-request/identity frame to the client before restarting
the authentication process:
dot1x max-req count
console (config-if)# dot1x max-req 6
• To return to the default setting use:
no dot1x max-req
• count – range 1 - 10; the default count is 2.
• This mechanism acts as a verification that the port should stay
in the authorized state. If no responses are received, the port goes
into the unauthorized state.
56. Periodic re-authentication
• Use the following Interface Configuration command to
enable periodic re-authentication of the client.
dot1x re-authentication
• To return to the default setting use
no dot1x re-authentication
console (config-if)# dot1x re-authentication
57. Re-Authentication Period
• Use the following Interface Configuration command to set
the number of seconds between re-authentication attempts:
dot1x timeout re-authperiod seconds
console (config-if)# dot1x timeout re-authperiod 3600
• To return to the default setting use:
no dot1x timeout re-authperiod
58. Initiating Re-authentication
• Use the following privileged EXEC command to manually
initiate an instant re-authentication of all 802.1X-enabled
ports or the specified 802.1X-enabled port.
dot1x re-authenticate [ethernet interface]
console# dot1x re-authenticate ethernet 1/e8
59. Server Timeout
• Use the following Interface Configuration command to set
the time for the retransmission of a packet to the
authentication server:
dot1x timeout server-timeout seconds
console (config-if)# dot1x timeout server-timeout 300
• To return to the default use:
no dot1x timeout server-timeout
60. Dot1x - Show Commands
• show dot1x [ethernet interface] - displays 802.1X status for
the switch or for the specified interface.
• show dot1x advanced [ethernet interface] - displays 802.1X
advanced features for the switch or for the specified
interface.
• show dot1x users [username username] - displays the 802.1X
users for the switch.
• show dot1x statistics ethernet interface - displays 802.1X
statistics for the specified interface.
61. IEEE 802.1x
Configuration Example
62. AT - 8000S Configuration
console(config)# interface ethernet g2
console(config-if)# ip address 15.1.1.1 /24
console(config-if)# exit
console(config)# dot1x system-auth-control
console(config)# aaa authentication dot1x default radius
console(config)# radius-server host 15.1.1.2 key mafteach usage dot1x
console(config)# interface ethernet g1
console(config-if)# dot1x port-control auto
01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
console(config-if)#
Note: the “usage dot1x” parameter must be used when
defining the RADIUS server for the dot1x configuration.