IEEE 802.1X
Port Based Authentication
AT - 8000S

Marvell Confidential

Agenda
• 802.1x Overview
  – System roles
  – What is EAP
  – Authentication Initiation
  – Message Exchange
  – Port states
  – Enhanced features
  – Operating system support
• AT - 8000S implementation
  – Functional description
  – User controls
  – User guidelines
  – Enhanced features
  – Control and status parameters
• CLI Configuration
• 802.1x - Configuration Example

IEEE 802.1x
Feature Overview

802.1x Overview
• Standard set by the IEEE 802.1 working group, approved in December 2001.
• Designed to provide port-based access control using authentication.
• Describes a standard link layer protocol used for transporting higher-level authentication protocols (such as EAP).
• The authentication server authenticates the clients connected to a switch port before making available any services offered by the switch or the LAN.

802.1x Overview (Cont.)
• Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.
• After authentication is successful, regular traffic can pass through the port.

System Roles
Diagram: Workstations (clients) <-> Switch/Router (AT - 8000S) <-> Authentication Server (RADIUS)

• Devices that are attached to a LAN are referred to as systems.
• A device or a device port is able to adopt one of the following roles within an access control interaction:
  – Switch (Authenticator, or back-end authenticator)
  – Client (Supplicant)
  – Authentication Server

The Switch - Authenticator
• Controls the physical access to the network based on the authentication status of the client.
• The switch acts as an intermediary between the client and the authentication server, requesting identity information from the client, verifying the information with the authentication server, and relaying the server’s response to the client.
• The switch acts as a RADIUS client, which is responsible for encapsulating/de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server.
• When the switch receives EAP over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format.

The Switch – Authenticator (Cont.)
• The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format.
• When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
• The devices that act as intermediaries must run software that supports both the RADIUS client and 802.1X.

The Client (Supplicant)
• The device that requests access to the LAN/switch services and responds to requests from the switch.
• It must be running 802.1x client software.

The Authentication Server
• Performs the actual authentication of the client.
• The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services.
• Because the switch acts as the intermediary, the authentication service is transparent to the client.
• RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

A closer look at the process
Switch -> Client: Login Req.
Client -> Switch: Send Credentials
Switch -> Server: Forward Credentials to the server
Server -> Switch: Authentication Successful, Policy Instructions
Switch -> Client: Accept

Client <-> Switch: 802.1x          Switch <-> Server: RADIUS

Actual authentication is between the client and the server using EAP; the switch is just the middleman, but is aware of what’s going on.

What Is EAP ?
• EAP: The Extensible Authentication Protocol.
• A flexible protocol used to carry arbitrary authentication information.
• Typically rides on top of another protocol such as 802.1x or RADIUS (could be TACACS+, etc.).
• Specified in RFC 2284.

802.1x EAP
Frame layout: Ethernet Header | 802.1x Header | EAP Payload

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
• The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information.
• Three forms of EAP:
  – EAP-MD5: MD5 Hashed Username/Password
  – EAP-OTP: One-Time Passwords
  – EAP-TLS: Strong PKI Authenticated Transport Layer Security (SSL)

EAPOL (EAP over 802.1x) Frame Format

Offset   Field
0        Destination MAC (6 bytes)
6        Source MAC (6 bytes)
12       Ether Type (2 bytes)
14       Version (1 byte)
15       Type (1 byte)
16       Length (2 bytes)
18 .. n  Body

Authenticator to Supplicant
Destination MAC: 01-80-C2-00-00-03
Source MAC: Unicast Authenticator MAC

Supplicant to Authenticator
Destination MAC: 01-80-C2-00-00-03
Source MAC: Unicast Supplicant MAC

EAPOL Frame Types
• EAPOL-Start: The frame is an EAPOL-Start frame.
• EAPOL-Logoff: The frame is an explicit EAPOL-Logoff request frame.
• EAP-Packet: The frame carries an EAP packet (see the four EAP code values on the EAP Header Format slide).
• EAPOL-Key: The frame is an EAPOL-Key frame.
• EAPOL-Encapsulated-ASF-Alert: The frame carries an EAPOL-Encapsulated ASF Alert.

EAP Header Format
• Initially developed for PPP authentication.
• Code: Request, Response, Success, or Failure.
• Identifier is used to match responses with requests.
• Format of the data field depends on the code field.

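As an added example (not code from the deck or from the AT-8000S), the following Python decodes an EAPOL frame using the offsets from the frame-format slide and then the EAP header (Code, Identifier, Length, Data) described above. The EtherType 0x888E, the numeric EAPOL packet types and the EAP code values are taken from the IEEE 802.1X and EAP specifications rather than from the slides; the sample frames, MAC addresses and identity are constructed.

```python
import struct

# Values from the IEEE 802.1X / EAP specifications (not printed on the slides):
EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
# Destination MAC used in both directions, as given on the frame-format slide
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eap(body: bytes) -> dict:
    """Decode an EAP packet: Code(1) Identifier(1) Length(2) Data.

    The data format depends on the Code: Request/Response start with a
    Type byte (1 = Identity); Success/Failure carry no data.
    """
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    data = body[4:length]
    eap = {"code": EAP_CODES[code], "identifier": identifier, "data": data}
    if code in (1, 2) and data:
        eap["eap_type"] = data[0]
        if data[0] == EAP_TYPE_IDENTITY:
            eap["identity"] = data[1:].decode("utf-8", errors="replace")
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame using the slide's offsets: 0 dst MAC, 6 src MAC,
    12 EtherType, 14 Version, 15 Type, 16 Length, 18 Body."""
    if len(frame) < 18:
        raise ValueError("frame shorter than the 18-byte EAPOL header")
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL length field exceeds frame size")
    dst = mac_str(frame[0:6])
    result = {"dst": dst, "src": mac_str(frame[6:12]),
              "to_pae_group": dst == PAE_GROUP_ADDRESS,
              "version": version, "type": EAPOL_TYPES[ptype], "body": body}
    if ptype == 0:                     # only EAP-Packet carries an EAP header
        result["eap"] = parse_eap(body)
    return result


def is_valid_eapol(frame: bytes) -> bool:
    """True if the frame decodes cleanly; usable as a filter in a capture loop."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_eapol(src_mac: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble an EAPOL frame to the PAE group address (used to build the samples)."""
    dst = bytes.fromhex(PAE_GROUP_ADDRESS.replace(":", ""))
    return dst + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


# Constructed sample frames (MAC addresses and identity are made up):
AUTHENTICATOR_MAC = bytes.fromhex("001122334455")
SUPPLICANT_MAC = bytes.fromhex("00aabbccddee")
# EAP-Request/Identity, identifier 7: header (code 1, id 7, length 5) + Type byte
SAMPLE_REQUEST = build_eapol(
    AUTHENTICATOR_MAC, 0, struct.pack("!BBH", 1, 7, 5) + bytes([EAP_TYPE_IDENTITY]))
# EAP-Response/Identity carrying the identity "alice" (length 4 + 1 + 5 = 10)
SAMPLE_RESPONSE = build_eapol(
    SUPPLICANT_MAC, 0,
    struct.pack("!BBH", 2, 7, 10) + bytes([EAP_TYPE_IDENTITY]) + b"alice")
SAMPLE_LOGOFF = build_eapol(SUPPLICANT_MAC, 2)

if __name__ == "__main__":
    for frame in (SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_LOGOFF):
        print(parse_eapol(frame))
```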
Authentication Initiation
• The switch or the client can initiate authentication.
• If you enable authentication on a port, the switch must initiate authentication when it determines that the port link state transitions from down to up.
• The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information).
• Upon receipt of the frame, the client responds with an EAP-response/identity frame.

Authentication Initiation (Cont.)
• If, during client boot-up, the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.
• If 802.1X is not enabled or supported on the network access device, EAPOL frames from the client are dropped.
• If the client does not receive an EAP-request/identity frame after three attempts, the client sends traffic as if the port is in the authorized state.
• A port in the authorized state effectively means that the client has been successfully authenticated.

Message Exchange
• When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails.
• If the authentication succeeds, the switch port becomes authorized.
• The specific exchange of EAP frames depends on the authentication method being used.

Message Exchange (Cont.)
• Generally the message exchange looks like this:
  1. Client -> Switch: EAPOL-Start
  2. Switch -> Client: EAP-Request/Identity
  3. Client -> Switch: EAP-Response/Identity
  4. Switch -> Client: EAP-Request/challenge
  5. Client -> Switch: EAP-Response/challenge (password)
  6. Switch -> Client: EAP-Success / EAP-Failure
     Port authorized / not authorized
  7. Client -> Switch: EAPOL-Logoff
     Port not authorized

Port States
• The switch port state determines whether or not the client is granted access to the network.
• The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
• When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic to/from the client to pass normally.
• If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.

Port States (Cont.)
• If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
• When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
• If the link state of a port transitions from up to down, the port returns to the unauthorized state.

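The rules on the Authentication Initiation and Port States slides can be written down as a small state machine for one authenticator port. This is an added Python model, not the switch’s firmware; max-req 2 is the default the deck gives later, while the quiet-period and server-retry defaults are assumptions, and the event names (link up, tx-period expired, server timeout, EAP-Success, EAPOL-Logoff) are the slides’ events.

```python
from dataclasses import dataclass, field
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


class PortControl(Enum):
    AUTO = "auto"
    FORCE_AUTHORIZED = "force-authorized"
    FORCE_UNAUTHORIZED = "force-unauthorized"


@dataclass
class AuthenticatorPort:
    """Model of one controlled port on the authenticator (added example, not switch firmware)."""
    control: PortControl = PortControl.AUTO
    max_req: int = 2            # EAP-Request/Identity attempts before the exchange restarts
    quiet_period: float = 60.0  # seconds after a failure in which nothing is accepted (assumed)
    server_attempts: int = 3    # RADIUS attempts before authentication counts as failed (assumed)
    state: PortState = PortState.UNAUTHORIZED
    link_up: bool = False
    requests_sent: int = 0
    server_tries: int = 0
    quiet_until: float = 0.0
    actions: list = field(default_factory=list)   # what the switch did, in order

    def _request_identity(self, now: float) -> None:
        """Send EAP-Request/Identity unless the port is forced, down or in its quiet period."""
        if self.control is not PortControl.AUTO or not self.link_up:
            return
        if now < self.quiet_until:
            self.actions.append("ignored: quiet period")
            return
        self.requests_sent += 1
        self.actions.append("send EAP-Request/Identity")

    def _fail(self, now: float, reason: str) -> None:
        """Failed exchange: the port is unauthorized and the quiet period starts."""
        self.state = PortState.UNAUTHORIZED
        self.requests_sent = self.server_tries = 0
        self.quiet_until = now + self.quiet_period
        self.actions.append(f"unauthorized: {reason}")

    def on_link_up(self, now: float) -> None:
        self.link_up = True
        if self.control is PortControl.FORCE_AUTHORIZED:
            self.state = PortState.AUTHORIZED       # no authentication required
        elif self.control is PortControl.FORCE_UNAUTHORIZED:
            self.state = PortState.UNAUTHORIZED     # clients cannot log on
        else:
            self._request_identity(now)             # the switch initiates on link up

    def on_link_down(self, now: float) -> None:
        self.link_up = False                        # up -> down returns the port to unauthorized
        self.state = PortState.UNAUTHORIZED
        self.requests_sent = self.server_tries = 0
        self.quiet_until = 0.0

    def on_eapol_start(self, now: float) -> None:
        self._request_identity(now)                 # client-initiated: switch asks for identity

    def on_tx_period_expired(self, now: float) -> None:
        """tx-period elapsed without an EAP-Response/Identity."""
        if self.requests_sent < self.max_req:
            self._request_identity(now)
            return
        # max-req exhausted: a port under re-authentication loses access, then restart
        self.state = PortState.UNAUTHORIZED
        self.requests_sent = 0
        self.actions.append("unauthorized: no response after max-req, restarting")
        self._request_identity(now)

    def on_server_timeout(self, now: float) -> None:
        self.server_tries += 1                      # server-timeout elapsed without a RADIUS reply
        if self.server_tries >= self.server_attempts:
            self._fail(now, "authentication server unreachable")
        else:
            self.actions.append("resend request to authentication server")

    def on_eap_success(self, now: float) -> None:
        self.state = PortState.AUTHORIZED
        self.requests_sent = self.server_tries = 0
        self.actions.append("authorized")

    def on_eap_failure(self, now: float) -> None:
        self._fail(now, "EAP-Failure")

    def on_eapol_logoff(self, now: float) -> None:
        self.state = PortState.UNAUTHORIZED
        self.actions.append("unauthorized: EAPOL-Logoff")

    def on_reauthenticate(self, now: float) -> None:
        self._request_identity(now)                 # periodic or manual re-authentication

    def admits(self, is_eapol: bool) -> bool:
        """Controlled-port filter: while unauthorized only EAPOL traffic passes."""
        return is_eapol or self.state is PortState.AUTHORIZED
```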
802.1X Un-supported
• If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
• When an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client resends the request a fixed number of times. When still no response is received, the client begins sending frames as if the port is in the authorized state.

Enhanced Features
• Single-host/Multiple-hosts
• Guest VLAN
• Unauthenticated VLANs
• User based VLAN

Single-host / Multiple-hosts
Single host
• Enables only the first host that has been authorized to get access to the port.
• Filtering is based on the source MAC address.

Multiple hosts
• This is the mode defined by the standard.
• Enables multiple hosts to be attached to a single 802.1x port.
• Only one of the attached hosts must be authorized for all the hosts to be granted network access.
• If the port transitions to unauthorized, all the attached clients are denied access to the network.

Guest VLAN
• An option to provide limited network access to an unauthorized port.
• Typical applications:
  – Management traffic to unauthorized stations.
  – Provide guest access to the Internet.
• One of the VLANs in the switch would be the “guest VLAN”.
• The “guest VLAN” would be the “untagged” VLAN of ports in the unauthorized state.
• Guest VLAN is defined dynamically on an unauthenticated port.

Unauthenticated VLANs
• VLANs in the switch which are always available to the users, even if the port is unauthorized, for the use of some applications like IP telephony.
• Those VLANs are defined as “Unauthenticated” VLANs.

802.1x un-authenticated VLAN / Guest VLAN differences

Port mode: Forced / Auto Authorized
  Un-authenticated VLAN: Whenever the port mode changes to authorized, the port remains on the un-authenticated VLAN and behaves according to the dot1Q settings.
  Guest VLAN: Whenever the port mode changes to authorized, the port is removed from the guest VLAN and behaves according to the dot1Q settings.

Port mode: Auto / Forced Unauthorized
  Un-authenticated VLAN: Whenever the port mode changes to unauthorized, the port remains on the un-authenticated VLAN and will forward only tagged traffic towards the un-authenticated VLAN.
  Guest VLAN: Whenever the port mode changes to unauthorized, its VLAN membership and PVID will be overridden by the guest VLAN settings, which take effect instead.

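The table above, together with the later guideline that the guest VLAN may be neither an un-authenticated VLAN nor the default VLAN, can be turned into a forwarding decision. This added Python example (not the switch’s code) computes a port’s effective VLAN membership and PVID in each authorization state and classifies a non-EAPOL ingress frame; the VLAN numbers mirror the deck’s later guest VLAN example, and the default VLAN id of 1 is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortVlanConfig:
    """802.1Q and 802.1X VLAN settings of one port (added model, not the switch's code)."""
    member_vlans: Set[int]                  # dot1Q membership
    pvid: int                               # VLAN for untagged ingress when authorized
    guest_vlan: Optional[int] = None        # VLAN enabled with 'dot1x guest-vlan enable'
    unauthenticated_vlans: Set[int] = field(default_factory=set)  # VLANs with 'dot1x auth-not-req'
    default_vlan: int = 1                   # assumed id of the default VLAN


def check_guest_vlan(cfg: PortVlanConfig) -> Optional[str]:
    """Return why the guest VLAN is invalid, or None if it is acceptable.

    Deck guideline: the guest VLAN cannot be an un-authenticated VLAN and
    cannot be the default VLAN.
    """
    if cfg.guest_vlan is None:
        return None
    if cfg.guest_vlan in cfg.unauthenticated_vlans:
        return f"VLAN {cfg.guest_vlan} is an unauthenticated VLAN"
    if cfg.guest_vlan == cfg.default_vlan:
        return f"VLAN {cfg.guest_vlan} is the default VLAN"
    return None


def effective_membership(cfg: PortVlanConfig, authorized: bool) -> Set[int]:
    """VLANs the port belongs to in the given authorization state.

    Authorized: the dot1Q settings apply and the guest VLAN is removed.
    Unauthorized: only unauthenticated VLANs the port is a member of remain
    (tagged traffic), plus the guest VLAN, which overrides the membership.
    """
    if authorized:
        return set(cfg.member_vlans)
    allowed = cfg.member_vlans & cfg.unauthenticated_vlans
    if cfg.guest_vlan is not None:
        allowed = allowed | {cfg.guest_vlan}
    return allowed


def effective_pvid(cfg: PortVlanConfig, authorized: bool) -> Optional[int]:
    """PVID in the given state: the guest VLAN overrides it while unauthorized."""
    if authorized:
        return cfg.pvid
    return cfg.guest_vlan          # None: untagged traffic has nowhere to go


def classify_ingress(cfg: PortVlanConfig, authorized: bool,
                     tag: Optional[int]) -> Optional[int]:
    """VLAN id a non-EAPOL ingress frame is forwarded on, or None if it is dropped.

    tag is the 802.1Q VLAN id of a tagged frame, or None for an untagged one.
    EAPOL frames are not classified here: they use the uncontrolled port and
    always reach the authenticator.
    """
    vid = effective_pvid(cfg, authorized) if tag is None else tag
    if vid is None or vid not in effective_membership(cfg, authorized):
        return None
    return vid


# Constructed port mirroring the deck's example: VLAN 11 is the guest VLAN on the
# port, VLAN 10 is an unauthenticated VLAN (e.g. IP telephony), PVID is VLAN 1.
EXAMPLE_PORT = PortVlanConfig(member_vlans={1, 10, 11, 20}, pvid=1,
                              guest_vlan=11, unauthenticated_vlans={10})

if __name__ == "__main__":
    print("guest VLAN check:", check_guest_vlan(EXAMPLE_PORT))
    for authorized in (False, True):
        for tag in (None, 10, 11, 20):
            print(authorized, tag, "->", classify_ingress(EXAMPLE_PORT, authorized, tag))
```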
User based VLAN
• 802.1x ports are assigned to a VLAN based on the username of the client connected to that port.
• The Authentication server database maintains the username-to-VLAN mappings.
• After successful authentication of the port, the Authentication server sends the VLAN assignment to the Authenticator.

Operating System Support
• Windows XP: shipped with support.
• Windows 2000: available with SP3 + Hotfix or SP4.
• Windows NT/98/Me: limited availability or 3rd party (MeetingHouse).
• Linux: open source, http://www.open1x.org
• Solaris: 3rd party via MeetingHouse Communications, http://www.mtghouse.com

IEEE 802.1x
Implementation
AT - 8000S

Functional Description
• The system implements 802.1x Port Based Authentication as per the standard, in addition to the enhanced features described on the next slides.
• The authentication server authenticates each client connected to a switch port before any communication (except EAPOL traffic) can take place.
• Authentication is performed using AAA services, such as RADIUS.
• The status of the controlled port is a function of the communication between the authentication server and the supplicant.

Functional Description (Cont.)
• The port status can be modified by the user.
• Any access to the LAN is subject to the status of the port.
• An uncontrolled port (always authorized) is used to communicate with the authentication (RADIUS) server using EAP.

AT - 8000S – 802.1X User Controls
• Enable 802.1x on the system.
• Specify how often client authentication occurs.
• Control the port authorization state, or allow it to be set automatically (force-authorized, force-unauthorized, auto).
• View 802.1x statistics.
• Trigger manual re-authentication.
• Adjust the quiet period.
• Reset each value to the default.

AT - 8000S – 802.1X User Controls: Enhanced Features
• Enable Single-host / Multiple-hosts on an interface.
• Un-authenticated VLANs
  – Define a VLAN as an “Unauthenticated” VLAN.
• Guest VLAN
  – Define a VLAN as a “guest VLAN”.
  – Enable guest VLAN on an interface.
  – Guest VLAN cannot be an un-authenticated VLAN and cannot be the default VLAN.

AT - 8000S 802.1x - User Guidelines
• AAA services must be enabled in order for 802.1x to work.
• In a shared medium environment, a designated host will be the authenticated device. As long as it is authorized, all hosts will be granted access to the network. When it becomes unauthorized, all hosts will be denied access.
• 802.1x cannot be defined on:
  – a LAG;
  – a port which is a member of a LAG.
• A port that is configured with 802.1x cannot be added to a LAG.
• If 802.1x is not enabled or supported on the device, the host will send frames as if the port is in the authorized state, meaning that the host has effectively been authenticated.

Control and Status parameters
Port status:
• Authorized - The client has full access to the port.
• Unauthorized - The client has limited access to the port.

Control and Status parameters (Cont.)
Port administrative control:
• ForceAuthorized - The port is authorized unconditionally. In this state clients are not required to be authenticated. This state is the default.
• ForceUnauthorized - The port is unauthorized. Clients can’t log on.
• Auto - Clients are required to authenticate. After successful authentication the port will be authorized; otherwise the port is unauthorized.

IEEE 802.1x
CLI Configuration
AT - 8000S

Enable 802.1x on the Device
• Use the following Global Configuration command to enable Port-Based Network Access Control on the device:
    dot1x system-auth-control
• To disable Port-Based Network Access Control on the device, use:
    no dot1x system-auth-control
• Example:
    console(config)# dot1x system-auth-control

Configuring the AAA methods
• Use the following Global Configuration command to specify one or more AAA methods for use when running IEEE 802.1x:
    aaa authentication dot1x default method1 [method2]
  method:
    radius - use a RADIUS server for authentication.
    none - no authentication needed.
• To remove, use the no aaa authentication dot1x default command.
• Example:
    console(config)# aaa authentication dot1x default none

Unauthorized VLAN
• Use the following VLAN Interface Configuration command to allow unauthorized users access to that VLAN:
    dot1x auth-not-req
    console(config)# interface vlan 10
    console(config-if)# dot1x auth-not-req
• To disable the access, use:
    no dot1x auth-not-req

Manual Authorization State
• Use the following Interface Configuration command to define the authorization state of the port. Use the “no” form of this command to return to the default setting (force-authorized):
    dot1x port-control {auto | force-authorized | force-unauthorized}
    console(config)# interface ethernet 1/e1
    console(config-if)# dot1x port-control auto

Allowing Multiple Hosts
• Use the following Interface Configuration command to allow multiple hosts (clients) on an 802.1X (auto) authorized port:
    dot1x multiple-hosts
    console(config)# interface ethernet 1/e1
    console(config-if)# dot1x multiple-hosts
• To return to the default, use the no form of this command.
• By default multiple hosts are disabled.
• If multiple-hosts is enabled and a certain host is authorized, all other hosts on the interface are also authorized.

Violation Action
• Use the following Interface Configuration command to configure the action to be taken when a station whose MAC address is not the supplicant MAC address attempts to access the interface:
    dot1x single-host-violation {forward | discard | discard-shutdown} [trap seconds]
• The default is to discard frames whose source address is not the supplicant address; no traps are sent.

Violation Action (Cont.)
• To return to the default, use:
    no dot1x single-host-violation
• Example:
    console(config)# interface ethernet 1/e1
    console(config-if)# dot1x single-host-violation forward trap 100

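The single-host filter and the violation actions above, as an added Python model (not the switch’s code): frames from the authorized supplicant MAC are forwarded, frames from any other station count as violations handled according to the configured action, and at most one trap is sent per trap interval, carrying the violations counted since the previous trap as in the later show output. The MAC addresses are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VIOLATION_ACTIONS = ("forward", "discard", "discard-shutdown")


@dataclass
class SingleHostPort:
    """Single-host port with 'dot1x single-host-violation' behaviour (added model)."""
    violation_action: str = "discard"    # deck default: discard, no traps
    trap_seconds: Optional[int] = None   # the 'trap seconds' argument; None = traps disabled
    supplicant_mac: Optional[str] = None
    authorized: bool = False
    shutdown: bool = False
    violations_since_last_trap: int = 0
    last_trap_time: Optional[float] = None
    traps: List[Tuple[float, str, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation_action not in VIOLATION_ACTIONS:
            raise ValueError(f"violation action must be one of {VIOLATION_ACTIONS}")

    def authorize(self, mac: str) -> None:
        """Record the authenticated supplicant; filtering is by its source MAC."""
        self.supplicant_mac = mac.lower()
        self.authorized = True

    def ingress(self, src_mac: str, now: float) -> str:
        """Fate of a non-EAPOL frame from src_mac: 'forward', 'discard' or 'shutdown'."""
        if self.shutdown or not self.authorized:
            return "discard"                   # only EAPOL passes an unauthorized port
        if src_mac.lower() == self.supplicant_mac:
            return "forward"
        # Violation: a station other than the supplicant is using the port
        self.violations_since_last_trap += 1
        self._maybe_trap(src_mac, now)
        if self.violation_action == "forward":
            return "forward"                   # counted (and trapped) but still forwarded
        if self.violation_action == "discard-shutdown":
            self.shutdown = True
            self.authorized = False
            return "shutdown"
        return "discard"

    def _maybe_trap(self, src_mac: str, now: float) -> None:
        """Emit at most one trap per trap_seconds, with the violation count since the last one."""
        if self.trap_seconds is None:
            return
        if self.last_trap_time is None or now - self.last_trap_time >= self.trap_seconds:
            self.traps.append((now, src_mac.lower(), self.violations_since_last_trap))
            self.last_trap_time = now
            self.violations_since_last_trap = 0

    def status(self) -> dict:
        """Fields shown by 'show dot1x advanced' under 'Single host parameters'."""
        return {
            "Violation action": self.violation_action.capitalize(),
            "Trap": "Enabled" if self.trap_seconds is not None else "Disabled",
            "Trap frequency": self.trap_seconds,
            "Violations since last trap": self.violations_since_last_trap,
        }


if __name__ == "__main__":
    # Constructed scenario matching the deck's 'single-host-violation forward trap 100'
    port = SingleHostPort(violation_action="forward", trap_seconds=100)
    port.authorize("00:aa:bb:cc:dd:ee")        # made-up supplicant MAC
    for t, mac in [(0, "00:aa:bb:cc:dd:ee"), (1, "00:11:22:33:44:55"),
                   (50, "00:11:22:33:44:55"), (101, "00:11:22:33:44:55")]:
        print(t, mac, port.ingress(mac, t))
    print(port.status(), port.traps)
```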
802.1x - Guest VLAN Commands
• Use the following Interface VLAN mode command to define a dot1x guest VLAN. Use the “no” form of the command to return to the default configuration:
    dot1x guest-vlan
    no dot1x guest-vlan
• Use the following Interface Ethernet mode command to enable the dot1x guest VLAN on a port. Use the “no” form of the command to disable the guest VLAN (default):
    dot1x guest-vlan enable
    no dot1x guest-vlan enable

802.1x - Guest VLAN Example
    console(config)# interface vlan 11
    console(config-if)# dot1x guest-vlan
    console(config-if)# exit
    console(config)# interface ethernet 1/e10
    console(config-if)# dot1x guest-vlan enable
    console(config-if)# dot1x port-control auto

802.1x - Guest VLAN Example
    console# show dot1x advanced ethernet 1/e10

    Guest VLAN: 10
    Unauthenticated VLANs:

    Interface   Multiple Hosts   Guest VLAN
    ---------   --------------   ----------
    1/g10       Disabled         Enabled

    Single host parameters
    Violation action: Discard
    Trap: Disabled
    Trap frequency: 10
    Status: Not in auto mode
    Violations since last trap: 0

802.1x - Guest VLAN Example
    console# show vlan

    Vlan  Name  Ports                        Type       Authorization
    ----  ----  ---------------------------  ---------  -------------
    1     1     e(2-9,11-48),g(1-4),ch(1-8)  other      Required
    10    10                                 permanent  Not Required
    11    11    e10                          permanent  Guest

Quiet State Time
• Use the following Interface Configuration command to set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password):
    dot1x timeout quiet-period seconds
• Quiet state: no authentication is granted during this period.
• To return to the default, use:
    no dot1x timeout quiet-period

Quiet State Time (Cont.)
• During the quiet period, the switch does not accept or initiate any authentication requests.
• The default value of this command should only be changed to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
• If it is necessary to provide a faster response time to the user, a smaller number than the default should be entered.
    console(config-if)# dot1x timeout quiet-period 3600

EAP Response Time
• Use the following Interface Configuration command to set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request for the first time:
    dot1x timeout tx-period seconds
• To return to the default, use:
    no dot1x timeout tx-period
    console(config-if)# dot1x timeout tx-period 3600

EAP Retransmission Time
• Use the following Interface Configuration command to set the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client:
    dot1x timeout supp-timeout seconds
• To return to the default setting, use:
    no dot1x timeout supp-timeout
    console(config-if)# dot1x timeout supp-timeout 3600

Maximum Requests
• Use the following Interface Configuration command to set the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process:
    dot1x max-req count
    console(config-if)# dot1x max-req 6
• To return to the default setting, use:
    no dot1x max-req
• count: range 1 - 10; the default count is 2.
• This mechanism acts as a verification that the port should stay in the authorized state. If no responses are received, the port goes into the unauthorized state.

Periodic re-authentication
• Use the following Interface Configuration command to enable periodic re-authentication of the client:
    dot1x re-authentication
• To return to the default setting, use:
    no dot1x re-authentication
    console(config-if)# dot1x re-authentication

Re-Authentication Period
• Use the following Interface Configuration command to set the number of seconds between re-authentication attempts:
    dot1x timeout re-authperiod seconds
    console(config-if)# dot1x timeout re-authperiod 3600
• To return to the default setting, use:
    no dot1x timeout re-authperiod

Initiating Re-authentication
• Use the following Privileged EXEC command to manually initiate an instant re-authentication of all 802.1X-enabled ports or of the specified 802.1X-enabled port:
    dot1x re-authenticate [ethernet interface]
    console# dot1x re-authenticate ethernet 1/e8

Server Timeout

•   Use the following Interface Configuration command to set the time, in seconds, after which a packet that received no answer is retransmitted to the authentication server:
    dot1x timeout server-timeout seconds

    console (config-if)# dot1x timeout server-timeout 300

•   To return to the default setting use:
    no dot1x timeout server-timeout

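The four per-port parameters above (dot1x max-req, dot1x re-authentication, dot1x timeout re-authperiod and dot1x timeout server-timeout) are easiest to reason about as inputs to the authenticator state machine. The following Python model is an added illustration, not AT-8000S code or the standard's full state machine: it shows how an unanswered EAP-Request is retried up to max-req times before the port drops to unauthorized, how an unanswered RADIUS request is retransmitted after each server-timeout, and at which instants periodic re-authentication fires. The 30-second server-timeout default and the `server_retries` RADIUS retry count are assumptions not stated on this page.

```python
"""Toy model of the per-port 802.1X timers set by dot1x max-req,
dot1x re-authentication, dot1x timeout re-authperiod and
dot1x timeout server-timeout.  Added illustration, not AT-8000S code:
the logic is a simplification of the IEEE 802.1X authenticator."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Dot1xPortConfig:
    max_req: int = 2              # dot1x max-req            (range 1-10, default 2)
    reauth_enabled: bool = False  # dot1x re-authentication  (off by default)
    reauth_period: int = 3600     # dot1x timeout re-authperiod <seconds>
    server_timeout: int = 30      # dot1x timeout server-timeout <seconds>; 30 is an assumed value
    server_retries: int = 3       # assumed RADIUS client retry count (not a dot1x command on this page)


def authenticate(cfg: Dot1xPortConfig,
                 supplicant_replies: Sequence[bool],
                 server_reply_after: Optional[int]) -> Tuple[str, List[str]]:
    """Run one authentication round and return (port_state, event_log).

    supplicant_replies[i] says whether the client answered the (i+1)-th
    EAP-Request; the authenticator gives up after cfg.max_req unanswered
    requests.  server_reply_after is the number of seconds after the first
    Access-Request at which the RADIUS server answers (None = never); every
    server-timeout without an answer triggers one retransmission, up to
    cfg.server_retries requests in total.
    """
    log: List[str] = []
    for attempt in range(1, cfg.max_req + 1):
        log.append(f"EAP-Request #{attempt} -> supplicant")
        if attempt <= len(supplicant_replies) and supplicant_replies[attempt - 1]:
            log.append("EAP-Response <- supplicant")
            break
    else:
        # for/else: no break means every request went unanswered
        log.append(f"no reply after max-req={cfg.max_req}: port unauthorized")
        return "unauthorized", log

    waited = 0
    for attempt in range(1, cfg.server_retries + 1):
        log.append(f"Access-Request #{attempt} -> RADIUS")
        if server_reply_after is not None and server_reply_after <= waited + cfg.server_timeout:
            log.append("Access-Accept <- RADIUS: port authorized")
            return "authorized", log
        waited += cfg.server_timeout
        if attempt < cfg.server_retries:
            log.append(f"server-timeout ({cfg.server_timeout}s) expired, retransmitting")
    log.append("RADIUS server unreachable: port unauthorized")
    return "unauthorized", log


def reauth_times(cfg: Dot1xPortConfig, uptime: int) -> List[int]:
    """Seconds after authorization at which the authenticator re-runs the
    exchange while the port stays up (dot1x re-authentication with
    re-authperiod); empty when periodic re-authentication is disabled."""
    if not cfg.reauth_enabled:
        return []
    return list(range(cfg.reauth_period, uptime + 1, cfg.reauth_period))


if __name__ == "__main__":
    # Values from the slides: max-req 6, re-authperiod 3600, server-timeout 300
    cfg = Dot1xPortConfig(max_req=6, reauth_enabled=True, reauth_period=3600, server_timeout=300)
    state, log = authenticate(cfg, [False, False, True], server_reply_after=5)
    print("\n".join(log), "\n->", state)
    print("re-authentication at:", reauth_times(cfg, 8000))
```

The model makes the operational trade-off visible: a small max-req drops a slow supplicant to unauthorized quickly, a large server-timeout keeps a port waiting on a dead RADIUS server for minutes, and a short re-authperiod multiplies RADIUS load by the number of authorized ports.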
Dot1x - Show Commands

•   show dot1x [ethernet interface] – displays the 802.1X status for the switch or for the specified interface.

•   show dot1x advanced [ethernet interface] – displays the 802.1X advanced features for the switch or for the specified interface.

•   show dot1x users [username username] – displays the 802.1X users for the switch.

•   show dot1x statistics ethernet interface – displays 802.1X statistics for the specified interface.

IEEE 802.1x
Configuration Example

AT - 8000S Configuration

    console(config)# interface ethernet g2
    console(config-if)# ip address 15.1.1.1 /24
    console(config-if)# exit
    console(config)# dot1x system-auth-control
    console(config)# aaa authentication dot1x default radius
    console(config)# radius-server host 15.1.1.2 key mafteach usage dot1.x
    console(config)# interface ethernet g1
    console(config-if)# dot1x port-control auto
    01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
    01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
    console(config-if)#

    Note: the “usage dot1x” parameter must be used when defining the Radius server for the dot1x configuration.

Radius Server Configuration – Connecting

Radius Server – RAS Client

Radius – Authentication Key

Radius Server – Adding a User

Radius Server – Password

Radius Server – Saving Configuration

Client PC - 802.1x Configuration

•   Make sure that the 802.1x service is started on the computer.

PC - Client Authentication

PC - Enable 802.1X On The Client

PC - Result Of Client Configuration

•   After configuring the client, you can see that it is trying to authenticate.

Client – Entering Username and Password

AT - 8000S - Authentication Completed!

    01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized
    01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 1
    01-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking
    01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding

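The %SEC-W-PORTUNAUTHORIZED and %SEC-I-PORTAUTHORIZED messages in the configuration example and in the slide above are the switch-side evidence of each authentication outcome, and they are what a defender should be collecting. The following Python parser is an added example, not part of the original deck or the AT-8000S firmware: it extracts the port authorization events from syslog text, reports the current state of every port, and flags a port that keeps dropping back to unauthorized, which is the pattern of a client repeatedly failing (re)authentication, a flapping link, or a RADIUS server that is timing out. The g1 lines in the sample are the page's own messages re-joined onto one line each; the g2 lines and the 300-second / 2-drop thresholds are constructed for the illustration.

```python
"""Parse AT-8000S style syslog lines for 802.1X port authorization events.
Added example; the message format is taken from the log lines shown on the
slides, the g2 lines and the thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample: g1 lines come from the slides (re-joined onto one line
# each); g2 lines are added to show a port that keeps losing authorization.
SAMPLE_LOG = """\
01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized
01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 1
01-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking
01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding
01-Jan-2000 02:05:00 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
01-Jan-2000 02:05:40 %SEC-I-PORTAUTHORIZED: Port g2 is Authorized
01-Jan-2000 02:06:10 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
01-Jan-2000 02:06:50 %SEC-I-PORTAUTHORIZED: Port g2 is Authorized
01-Jan-2000 02:07:20 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
"""

# "<dd-Mon-yyyy hh:mm:ss> %FACILITY-S-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Za-z]+)-(?P<severity>[A-Z])-(?P<mnemonic>[A-Za-z]+): (?P<msg>.*)$"
)
PORT_AUTH_RE = re.compile(r"^Port (?P<port>\S+) is (?P<state>\w+)$")
AUTH_MNEMONICS = {"PORTAUTHORIZED", "PORTUNAUTHORIZED"}


class PortEvent(NamedTuple):
    when: datetime
    port: str
    authorized: bool


def parse_port_events(log_text: str) -> List[PortEvent]:
    """Return the SEC port authorization events found in raw syslog text,
    ignoring LINK/STP noise and lines that do not fit the format."""
    events: List[PortEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["facility"] != "SEC" or m["mnemonic"] not in AUTH_MNEMONICS:
            continue
        pm = PORT_AUTH_RE.match(m["msg"])
        if not pm:
            continue
        when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        # the switch spells the failure state "unAuthorized"; compare case-insensitively
        events.append(PortEvent(when, pm["port"], pm["state"].lower() == "authorized"))
    return events


def current_state(events: List[PortEvent]) -> Dict[str, str]:
    """Last known authorization state per port, in log order."""
    state: Dict[str, str] = {}
    for ev in events:
        state[ev.port] = "authorized" if ev.authorized else "unauthorized"
    return state


def flapping_ports(events: List[PortEvent], window_seconds: int = 300, max_drops: int = 2) -> List[str]:
    """Ports that fell to unauthorized more than max_drops times inside any
    window_seconds window (sliding window over the sorted drop times)."""
    drops: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if not ev.authorized:
            drops[ev.port].append(ev.when)
    flagged: List[str] = []
    for port, times in drops.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_drops:
                flagged.append(port)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_port_events(SAMPLE_LOG)
    print("port states:", current_state(evs))
    print("flapping ports:", flapping_ports(evs))
```

On a real deployment the same parser would be fed from the syslog collector the switch forwards to; the thresholds are the tuning knobs, and a flagged port is worth correlating with the RADIUS server's own authentication log before assuming the client is at fault.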
Marvell Confidential

More Related Content

What's hot

Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LAB
Benith T
 

What's hot (20)

802.1x
802.1x802.1x
802.1x
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Holistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimizationHolistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimization
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ Implementation
 
PIW ISE best practices
PIW ISE best practicesPIW ISE best practices
PIW ISE best practices
 
Sw8021x
Sw8021xSw8021x
Sw8021x
 
RADIUS
RADIUSRADIUS
RADIUS
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
Radius1
Radius1Radius1
Radius1
 
ClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User GuideClearPass Insight 6.3 User Guide
ClearPass Insight 6.3 User Guide
 
Radiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introductionRadiojungle AAA RADIUS introduction
Radiojungle AAA RADIUS introduction
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP Protocols
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LAB
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
 
Iuwne10 S03 L01
Iuwne10 S03 L01Iuwne10 S03 L01
Iuwne10 S03 L01
 
Aruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User GuideAruba ClearPass Guest 6.3 User Guide
Aruba ClearPass Guest 6.3 User Guide
 

Similar to At8000 s configurando_8021x

Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
matoko
 
ALOHA Load Balancer - Rackable Appliance
ALOHA Load Balancer - Rackable ApplianceALOHA Load Balancer - Rackable Appliance
ALOHA Load Balancer - Rackable Appliance
EXCELIANCE
 
ALOHA Load Balancer - Virtual Appliance
ALOHA Load Balancer - Virtual ApplianceALOHA Load Balancer - Virtual Appliance
ALOHA Load Balancer - Virtual Appliance
EXCELIANCE
 
802 11 3
802 11 3802 11 3
802 11 3
rphelps
 
wi-fi technology
wi-fi technologywi-fi technology
wi-fi technology
tardeep
 

Similar to At8000 s configurando_8021x (20)

Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
Ieee 802.1 x
Ieee 802.1 xIeee 802.1 x
Ieee 802.1 x
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
 
Layer 7 and Oracle -
Layer 7 and Oracle - Layer 7 and Oracle -
Layer 7 and Oracle -
 
ALOHA Load Balancer - Rackable Appliance
ALOHA Load Balancer - Rackable ApplianceALOHA Load Balancer - Rackable Appliance
ALOHA Load Balancer - Rackable Appliance
 
ALOHA Load Balancer - Virtual Appliance
ALOHA Load Balancer - Virtual ApplianceALOHA Load Balancer - Virtual Appliance
ALOHA Load Balancer - Virtual Appliance
 
802 11 3
802 11 3802 11 3
802 11 3
 
Server Day 2009: Oracle/Bea Fusion Middleware by Paolo Ramasso
Server Day 2009: Oracle/Bea Fusion Middleware by Paolo RamassoServer Day 2009: Oracle/Bea Fusion Middleware by Paolo Ramasso
Server Day 2009: Oracle/Bea Fusion Middleware by Paolo Ramasso
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
Wireless Security Policy
Wireless Security PolicyWireless Security Policy
Wireless Security Policy
 
CloudStack and SDN
CloudStack and SDNCloudStack and SDN
CloudStack and SDN
 
(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should know(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should know
 
wi-fi technology
wi-fi technologywi-fi technology
wi-fi technology
 
Seasonal Burst Handling Using Hybrid Cloud Infrastructure from Cloud Security...
Seasonal Burst Handling Using Hybrid Cloud Infrastructure from Cloud Security...Seasonal Burst Handling Using Hybrid Cloud Infrastructure from Cloud Security...
Seasonal Burst Handling Using Hybrid Cloud Infrastructure from Cloud Security...
 
Wifi
WifiWifi
Wifi
 
An Introduction to VMware NSX
An Introduction to VMware NSXAn Introduction to VMware NSX
An Introduction to VMware NSX
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
Aerohive AP 170
Aerohive AP 170Aerohive AP 170
Aerohive AP 170
 
Messaging for IoT
Messaging for IoTMessaging for IoT
Messaging for IoT
 

More from NetPlus

Cameras sd 5500 speed domes portugues
Cameras sd 5500 speed domes portuguesCameras sd 5500 speed domes portugues
Cameras sd 5500 speed domes portugues
NetPlus
 
Camera re q359 portugues
Camera re q359 portuguesCamera re q359 portugues
Camera re q359 portugues
NetPlus
 
Camera re h2035 c portugues
Camera re h2035 c portuguesCamera re h2035 c portugues
Camera re h2035 c portugues
NetPlus
 
Camera re h2025 c portugues
Camera re h2025 c portuguesCamera re h2025 c portugues
Camera re h2025 c portugues
NetPlus
 
Camera re h2015 r portugues
Camera re h2015 r portuguesCamera re h2015 r portugues
Camera re h2015 r portugues
NetPlus
 
Camera re h1020 l -lhshi portugues
Camera re h1020 l -lhshi portuguesCamera re h1020 l -lhshi portugues
Camera re h1020 l -lhshi portugues
NetPlus
 
Camera re h1020 l -lh - lsh portugues
Camera re h1020 l -lh - lsh portuguesCamera re h1020 l -lh - lsh portugues
Camera re h1020 l -lh - lsh portugues
NetPlus
 
Camera re b9020 lc - lch portugues
Camera re b9020 lc - lch portuguesCamera re b9020 lc - lch portugues
Camera re b9020 lc - lch portugues
NetPlus
 
Camera re b9020 lai - lahi - lahdi portugues
Camera re b9020 lai - lahi - lahdi portuguesCamera re b9020 lai - lahi - lahdi portugues
Camera re b9020 lai - lahi - lahdi portugues
NetPlus
 
Camera re b9020 la - lah portugues
Camera re b9020 la - lah portuguesCamera re b9020 la - lah portugues
Camera re b9020 la - lah portugues
NetPlus
 
Camera re b9018 lr portugues
Camera re b9018 lr portuguesCamera re b9018 lr portugues
Camera re b9018 lr portugues
NetPlus
 
Camera re b9016 l portugues
Camera re b9016 l portuguesCamera re b9016 l portugues
Camera re b9016 l portugues
NetPlus
 
Camera re b6018 lr portugues
Camera re b6018 lr portuguesCamera re b6018 lr portugues
Camera re b6018 lr portugues
NetPlus
 
Camera re 8020 lnci - lnshi - lnshdi portugues
Camera re 8020 lnci - lnshi - lnshdi portuguesCamera re 8020 lnci - lnshi - lnshdi portugues
Camera re 8020 lnci - lnshi - lnshdi portugues
NetPlus
 
Camera re 8020 lnc - lnsh portugues
Camera re 8020 lnc - lnsh portuguesCamera re 8020 lnc - lnsh portugues
Camera re 8020 lnc - lnsh portugues
NetPlus
 

More from NetPlus (20)

Cameras sd 5500 speed domes portugues
Cameras sd 5500 speed domes portuguesCameras sd 5500 speed domes portugues
Cameras sd 5500 speed domes portugues
 
Camera re q359 portugues
Camera re q359 portuguesCamera re q359 portugues
Camera re q359 portugues
 
Camera re h2035 c portugues
Camera re h2035 c portuguesCamera re h2035 c portugues
Camera re h2035 c portugues
 
Camera re h2025 c portugues
Camera re h2025 c portuguesCamera re h2025 c portugues
Camera re h2025 c portugues
 
Camera re h2015 r portugues
Camera re h2015 r portuguesCamera re h2015 r portugues
Camera re h2015 r portugues
 
Camera re h1020 l -lhshi portugues
Camera re h1020 l -lhshi portuguesCamera re h1020 l -lhshi portugues
Camera re h1020 l -lhshi portugues
 
Camera re h1020 l -lh - lsh portugues
Camera re h1020 l -lh - lsh portuguesCamera re h1020 l -lh - lsh portugues
Camera re h1020 l -lh - lsh portugues
 
Camera re b9020 lc - lch portugues
Camera re b9020 lc - lch portuguesCamera re b9020 lc - lch portugues
Camera re b9020 lc - lch portugues
 
Camera re b9020 lai - lahi - lahdi portugues
Camera re b9020 lai - lahi - lahdi portuguesCamera re b9020 lai - lahi - lahdi portugues
Camera re b9020 lai - lahi - lahdi portugues
 
Camera re b9020 la - lah portugues
Camera re b9020 la - lah portuguesCamera re b9020 la - lah portugues
Camera re b9020 la - lah portugues
 
Camera re b9018 lr portugues
Camera re b9018 lr portuguesCamera re b9018 lr portugues
Camera re b9018 lr portugues
 
Camera re b9016 l portugues
Camera re b9016 l portuguesCamera re b9016 l portugues
Camera re b9016 l portugues
 
Camera re b6018 lr portugues
Camera re b6018 lr portuguesCamera re b6018 lr portugues
Camera re b6018 lr portugues
 
Camera re 8020 lnci - lnshi - lnshdi portugues
Camera re 8020 lnci - lnshi - lnshdi portuguesCamera re 8020 lnci - lnshi - lnshdi portugues
Camera re 8020 lnci - lnshi - lnshdi portugues
 
Camera re 8020 lnc - lnsh portugues
Camera re 8020 lnc - lnsh portuguesCamera re 8020 lnc - lnsh portugues
Camera re 8020 lnc - lnsh portugues
 
DVR Stand Alone DR-0162 Dotix
DVR Stand Alone DR-0162 DotixDVR Stand Alone DR-0162 Dotix
DVR Stand Alone DR-0162 Dotix
 
DVR Stand Alone DR-082 Dotix
DVR Stand Alone DR-082 DotixDVR Stand Alone DR-082 Dotix
DVR Stand Alone DR-082 Dotix
 
DVR Stand Alone DR-042 Dotix
DVR Stand Alone DR-042 DotixDVR Stand Alone DR-042 Dotix
DVR Stand Alone DR-042 Dotix
 
DVR Stand Alone DE-2416HV Dotix
DVR Stand Alone DE-2416HV DotixDVR Stand Alone DE-2416HV Dotix
DVR Stand Alone DE-2416HV Dotix
 
DVR Stand Alone DE-1816HV Dotix
DVR Stand Alone DE-1816HV DotixDVR Stand Alone DE-1816HV Dotix
DVR Stand Alone DE-1816HV Dotix
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

At8000 s configurando_8021x

  • 1. IEEE 802.1X Port Based Authentication AT - 8000S Marvell Confidential
  • 2. Agenda • 802.1x Overview System roles What is EAP Authentication Initiation Message Exchange Port states Enhanced features Operating system support • AT - 8000S implementation Functional description User controls User guidelines Enhanced features Control and status parameters • CLI Configuration • 802.1x - Configuration Example Marvell Confidential
  • 3. IEEE 802.1x Feature Overview Marvell Confidential
  • 4. 802.1x Overview • Standard set by the IEEE 802.1 working group—approved in December 2001 • Designed to address and provide port-based access control using authentication. • Describes a standard link layer protocol used for transporting higher-level authentication protocols (i.e. EAP) • The authentication server authenticates the clients connected to a switch port before making available any services offered by the switch or the LAN. Marvell Confidential
  • 5. 802.1x Overview (Cont.) • Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. • After authentication is successful, regular traffic can pass through the port. Marvell Confidential
  • 6. System Roles Authentication Server (RADIUS) Workstations (clients) Switch/Router (AT - 8000S) •Devices that are attach to a LAN, are referred to as systems. •A device or a device port is able to adopt one of the roles within an access control interaction: •Switch (Authenticator Or back-end authenticator) •Client (Supplicant) •Authentication Server Marvell Confidential
  • 7. The Switch - Authenticator • Controls the physical access to the network based on the authentication status of the client. • The switch acts as intermediary between the client and the authentication server, requesting identity information from the client, verifying the information with the authentication server, and relaying the server’s response to the client. • The switch acts as a RADIUS client, which is responsible for encapsulating/de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server. • When the switch receives EAP Over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re- encapsulated in the RADIUS format. Marvell Confidential
  • 8. The Switch – Authenticator (Cont.) • The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. • When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client. • The devices that can act intermediaries must run software that supports both the RADIUS client and 802.1X. Marvell Confidential
  • 9. The Client (Supplicant) • The device that requests access to the LAN/switch services and responds to requests from the switch. • It must be running 802.1x client software. Marvell Confidential
  • 10. The Authentication Server • Performs the actual authentication of the client. • The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. • Because the switch acts as the intermediate, the authentication service is transparent to the client. • RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients. Marvell Confidential
  • 11. A closer look at the process Login Req. Send Credentials Forward Credentials to the server Accept Authentication Successful Policy Instructions Actual Authentication is between Client and the Server using EAP; The switch is just the middleman, but is aware of what’s going on 802.1x RADIUS Marvell Confidential
  • 12. What Is EAP ? • EAP—The Extensible Authentication Protocol • A flexible protocol used to carry arbitrary authentication information • Typically rides on top of another protocol Such as 802.1x or RADIUS (could be TACACS+, etc.) • Specified in RFC 2284 Marvell Confidential
  • 13. 802.1x EAP Ethernet Header 802.1x Header EAP Payload • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads. • The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information • Three forms of EAP: – EAP-MD5—MD5 Hashed Username/Password – EAP-OTP—One-Time Passwords – EAP-TLS—Strong PKI Authenticated Transport Layer Security (SSL) Marvell Confidential
  • 14. EAPOL (EAP over 802.1x) Frame Format 0 6 12 14 15 16 Destination MAC Source MAC Ether Type Version Type Length Body … 18 n Authenticator to Supplicant Destination MAC: 01-80-C2-00-00-03 Source MAC: Unicast Authenticator MAC Supplicant to Authenticator Destination MAC: 01-80-C2-00-00-03 Source MAC: Unicast Supplicant MAC Marvell Confidential
  • 15. EAPOL Frame Types • EAPOL-Start: The frame is an EAPOL-start frame. • EAPOL-Logoff: The frame is an explicit EAPOL-logoff request frame. • EAP-Packet: The frame carries an EAP packet – see 4 code types in previous slide. • EAPOL-Key: The frame is an EAPOL-Key frame. • EAPOL-Encapsulated-ASF-Alert: The frame carries an EAPOL-Encapsulated ASF Alert. Marvell Confidential
  • 16. EAP Header Format • Initially developed for PPP Authentication • Code: Request, Response, Success, or Failure • Identifier is used to match responses with requests • Format of the data field depends on the code field Marvell Confidential
  • 17. Authentication Initiation • The switch or the client can initiate authentication. • If you enable authentication on a port, the switch must initiate authentication when it determines that the port link state transitions from down to up. • The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). • Upon receipt of the frame, the client responds with an EAP- response/identity frame. Marvell Confidential
  • 18. Authentication Initiation (Cont.) • If during client boot-up, the client does not receive an EAP- request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity. • If 802.1X is not enabled or supported on the network access device, EAPOL frames from the client are dropped. • If the client does not receive an EAP-request/identity frame after three attempts, the client sends traffic as if the port is in the authorized state. • A port in the authorized state effectively means that the client has been successfully authenticated. Marvell Confidential
  • 19. Message Exchange • When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. • If the authentication succeeds, the switch port becomes authorized. • The specific exchange of EAP frames depends on the authentication method being used. Marvell Confidential
  • 20. Message Exchange ( Cont.) • Generally the message exchange look like this: EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/challenge EAP-Response/challenge(password) EAP-Success/failure Port authorized/not authorized EAPOL-Logoff Port not authorized Marvell Confidential
  • 21. Port States • The switch port state determines whether or not the client is granted access to the network. • The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. • When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic to/from the client to pass normally. • If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. Marvell Confidential
  • 22. Port States (Cont.) • If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted. • When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state. • If the link state of a port transitions from up to down, the port returns to the unauthorized state. Marvell Confidential
  • 23. 802.1X Un-supported • If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network. • When an 802.1X- enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. When no response is received, the client begins sending frames as if the port is in the authorized state. Marvell Confidential
  • 24. Enhanced Features • Single-host/Multiple-hosts • Guest VLAN • Unauthenticated VLANs • User based VLAN Marvell Confidential
  • 25. Single-host / Multiple-hosts Single host • Enables only the first host that has been authorized to get access to the port. • Filtering is based on the source MAC address. Multiple hosts • This is the per standard mode • Enables multiple hosts to be attached to a single 802.1x port. • Only one of the attached hosts must be authorized for all the hosts to be granted network access. • If the port Transits to unauthorized, all the attached client are denied access to the network. Marvell Confidential
  • 26. Guest VLAN • An option to provide limited network access to an unauthorized port • Typical applications: – Management traffic to an unauthorized stations. – Provide guest access to the Internet. • One of the VLANs in the switch would be the “guest VLAN“. • The “guest VLAN“ would be the “untagged” VLAN of ports in the unauthorized state. • Guest VLAN is defined dynamically on an unauthenticated port Marvell Confidential
  • 27. Unauthenticated VLANs • VLANs in the switch which are always available to the users, even if the port is unauthorized, for the use of some applications like IP telephony. • Those VLANs are defined as “Unauthenticated” VLANs. Marvell Confidential
  • 28. 802.1x un-authenticated VLAN/ Guest VLAN differences Port mode un-authenticated VLAN Guest VLAN Forced / Auto Whenever port mode changes Whenever port mode changes Authorized to authorized, the port remains to authorized, the port is on the un-authenticated VLAN removed from the guest VLAN and behaves according to and behaves according to dot1Q settings dot1Q settings Auto/Forced Whenever port mode changes Whenever port mode changed Unauthorized to unauthorized, the port to unauthorized, its VLAN remains on the un- membership and PVID will be authenticated VLAN and will overridden by the the guest forward only tagged traffic VLAN settings, which will take towards the unauthenticated affect instead.. VLAN Marvell Confidential
  • 29. User based VLAN • 802.1x ports are assigned to a VLAN based on the username of the client connected to that port. • The Authentication server database maintains the username-to-VLAN mappings. • After successful authentication of the port, the Authentication server sends the VLAN assignment to the Authenticator. Marvell Confidential
  • 30. Operating System Support • Windows XP— shipped with support. • Windows 2000— available with SP3 + Hotfix or SP4. • Windows NT/98/Me—limited availability or 3rd party (MeetingHouse). • Linux—open source http://www.open1x.org • Solaris—3rd party via MeetingHouse Communications http://www.mtghouse.com Marvell Confidential
  • 31. IEEE 802.1x Implementation AT - 8000S Marvell Confidential
  • 32. Functional Description • The system implements 802.1x Port Based Authentication as per the standard, In addition to enhanced features described on the next slides • The authentication server authenticates each client connected to a switch port before any communication (except EAPOL traffic) can take place. • Authentication is performed using AAA services – such as RADIUS • The status of the controlled port is a function of the communication between the authentication server and the supplicant. Marvell Confidential
  • 33. Functional Description (Cont.) • The port status can be modified by the user. • Any access to the LAN is subject to the status of the port. • An uncontrolled port (always authorized) is used to communicate with the authentication (RADIUS) server using EAP. Marvell Confidential
34. AT - 8000S – 802.1X User Controls
• Enable 802.1x on the system.
• Specify how often client authentication occurs.
• Control the port authorization state, or allow it to be set automatically (force-authorized, force-unauthorized, auto).
• View 802.1x statistics.
• Trigger manual re-authentication.
• Adjust the quiet period.
• Reset each value to the default.
35. AT - 8000S – 802.1X User Controls – Enhanced Features
• Enable Single-host / Multiple-hosts on an interface.
• Un-authenticated VLANs
  – Define a VLAN as an “Unauthenticated” VLAN.
• Guest VLAN
  – Define a VLAN as a “guest VLAN”.
  – Enable the guest VLAN on an interface.
  – The guest VLAN cannot be an un-authenticated VLAN and cannot be the default VLAN.
36. AT - 8000S 802.1x - User Guidelines
• AAA services must be enabled in order for 802.1x to work.
• In a shared medium environment, a designated host will be the authenticated device. As long as it is authorized, all hosts will be granted access to the network. When it becomes unauthorized, all hosts will be denied access.
• 802.1x cannot be defined on:
  – a LAG.
  – a port which is a member of a LAG.
• A port that is configured with 802.1x cannot be added to a LAG.
• If 802.1x is not enabled or supported on the device, the host will send frames as if the port is in the authorized state, meaning that the host has effectively been authenticated.
37. Control and Status parameters
Port status:
• Authorized - The client has full access to the port.
• Unauthorized - The client has limited access to the port.
38. Control and Status parameters (Cont.)
Port administrative control:
• ForceAuthorized - The port is Authorized unconditionally. In this state clients are not required to be authenticated. This state is the default.
• ForceUnauthorized - The port is Unauthorized. Clients can’t log on.
• Auto - Clients are required to authenticate. After successful authentication the port will be Authorized; otherwise the port will be Unauthorized.
39. IEEE 802.1x CLI Configuration – AT - 8000S
40. Enable 802.1x on the Device
• Use the following Global Configuration command to enable Port-Based Network Access Control on the device:
  dot1x system-auth-control
• To disable Port-Based Network Access Control on the device, use:
  no dot1x system-auth-control
  console(config)# dot1x system-auth-control
41. Configuring the AAA methods
• Use the following Global Configuration command to specify one or more AAA methods for use when running IEEE 802.1x:
  aaa authentication dot1x default method1 [method2]
  method:
  – radius – RADIUS server for authentication.
  – none – no authentication needed.
• To remove, use the no aaa authentication dot1x default command.
  console(config)# aaa authentication dot1x default none
42. Unauthorized VLAN
• Use the following VLAN Interface Configuration command to allow unauthorized users access to that VLAN:
  dot1x auth-not-req
  console(config)# interface vlan 10
  console(config-if)# dot1x auth-not-req
• To disable the access, use:
  no dot1x auth-not-req
43. Manual Authorization State
• Use the following Interface Configuration command to define the authorization state of the port. Use the “no” form of this command to return to the default setting (force-authorized):
  dot1x port-control {auto | force-authorized | force-unauthorized}
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x port-control auto
44. Allowing Multiple Hosts
• Use the following Interface Configuration command to allow multiple hosts (clients) on an 802.1X (auto) authorized port:
  dot1x multiple-hosts
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x multiple-hosts
• To return to the default, use the no form of this command.
• By default multiple hosts are disabled.
• If multiple-hosts is enabled and a certain host is authorized, all other hosts on the interface are also authorized.
45. Violation Action
• Use the following Interface Configuration command to configure the action to be taken when a station whose MAC address is not the supplicant MAC address attempts to access the interface:
  dot1x single-host-violation {forward | discard | discard-shutdown} [trap seconds]
• The default is to discard frames whose source address is not the supplicant address; no traps are sent.
46. Violation Action (Cont.)
• To return to the default, use:
  no dot1x single-host-violation
• Example:
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x single-host-violation forward trap 100
47. 802.1x - Guest VLAN Commands
• Use the following Interface VLAN mode command to define a dot1x guest VLAN. Use the “no” form of the command to return to the default configuration:
  dot1x guest-vlan
  no dot1x guest-vlan
• Use the following Interface Ethernet mode command to enable the dot1x guest VLAN on a port. Use the “no” form of the command to disable the guest VLAN (default):
  dot1x guest-vlan enable
  no dot1x guest-vlan enable
48. 802.1x - Guest VLAN Example
  console(config)# interface vlan 11
  console(config-if)# dot1x guest-vlan
  console(config-if)# exit
  console(config)# interface ethernet 1/e10
  console(config-if)# dot1x guest-vlan enable
  console(config-if)# dot1x port-control auto
49. 802.1x - Guest VLAN Example
  console# show dot1x advanced ethernet 1/e10
  Guest VLAN: 10
  Unauthenticated VLANs:
  Interface  Multiple Hosts  Guest VLAN
  ---------  --------------  ----------
  1/g10      Disabled        Enabled
  Single host parameters
  Violation action: Discard
  Trap: Disabled
  Trap frequency: 10
  Status: Not in auto mode
  Violations since last trap: 0
50. 802.1x - Guest VLAN Example
  console# show vlan
  Vlan  Name  Ports                        Type       Authorization
  ----  ----  ---------------------------  ---------  -------------
  1     1     e(2-9,11-48),g(1-4),ch(1-8)  other      Required
  10    10                                 permanent  Not Required
  11    11    e10                          permanent  Guest
51. Quiet State Time
• Use the following Interface Configuration command to set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password):
  dot1x timeout quiet-period seconds
• Quiet state – no authentication is granted during this period.
• To return to the default, use:
  no dot1x timeout quiet-period
52. Quiet State Time (Cont.)
• During the quiet period, the switch does not accept or initiate any authentication requests.
• The default value of this command should only be changed to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
• If it is necessary to provide a faster response time to the user, a smaller number than the default should be entered.
  console(config-if)# dot1x timeout quiet-period 3600
53. EAP Response Time
• Use the following Interface Configuration command to set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request for the first time:
  dot1x timeout tx-period seconds
• To return to the default, use:
  no dot1x timeout tx-period
  console(config-if)# dot1x timeout tx-period 3600
54. EAP Retransmission Time
• Use the following Interface Configuration command to set the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client:
  dot1x timeout supp-timeout seconds
• To return to the default setting, use:
  no dot1x timeout supp-timeout
  console(config-if)# dot1x timeout supp-timeout 3600
55. Maximum Requests
• Use the following Interface Configuration command to set the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process:
  dot1x max-req count
  console(config-if)# dot1x max-req 6
• To return to the default setting, use:
  no dot1x max-req
• count – Range: 1 - 10. The default count is 2.
• This mechanism acts as a verification that the port should stay in the authorized state. If no responses are received, the port goes into an unauthorized state.
56. Periodic re-authentication
• Use the following Interface Configuration command to enable periodic re-authentication of the client:
  dot1x re-authentication
• To return to the default setting, use no dot1x re-authentication.
  console(config-if)# dot1x re-authentication
57. Re-Authentication Period
• Use the following Interface Configuration command to set the number of seconds between re-authentication attempts:
  dot1x timeout re-authperiod seconds
  console(config-if)# dot1x timeout re-authperiod 3600
• To return to the default setting, use:
  no dot1x timeout re-authperiod
58. Initiating Re-authentication
• Use the following privileged EXEC command to manually initiate an instant re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port:
  dot1x re-authenticate [ethernet interface]
  console# dot1x re-authenticate ethernet 1/e8
59. Server Timeout
• Use the following Interface Configuration command to set the time for the retransmission of packets to the authentication server:
  dot1x timeout server-timeout seconds
  console(config-if)# dot1x timeout server-timeout 300
• To return to the default, use:
  no dot1x timeout server-timeout
60. Dot1x - Show Commands
• show dot1x [ethernet interface] - displays 802.1X status for the switch or for the specified interface.
• show dot1x advanced [ethernet interface] - displays 802.1X advanced features for the switch or for the specified interface.
• show dot1x users [username username] - displays the 802.1X users for the switch.
• show dot1x statistics ethernet interface - displays 802.1X statistics for the specified interface.
61. IEEE 802.1x Configuration Example
62. AT - 8000S Configuration
  console(config)# interface ethernet g2
  console(config-if)# ip address 15.1.1.1 /24
  console(config-if)# exit
  console(config)# dot1x system-auth-control
  console(config)# aaa authentication dot1x default radius
  console(config)# radius-server host 15.1.1.2 key mafteach usage dot1x
  console(config)# interface ethernet g1
  console(config-if)# dot1x port-control auto
  01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
  01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
  console(config-if)#
Note: the “usage dot1x” parameter must be used when defining the RADIUS server for dot1x configuration.
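As an added example (not part of the deck or the AT-8000S software), a small Python linter that checks a configuration in the CLI syntax of slides 40 to 62 against the rules the deck states: an AAA method for dot1x must be set (slide 36), the RADIUS server must carry usage dot1x (slide 62), the guest VLAN may be neither the default VLAN nor an un-authenticated VLAN (slide 35), and max-req must be within 1 to 10 (slide 55). The sample configurations are constructed, and the one-command-per-line layout with indented interface sub-commands is an assumption about how a saved configuration looks.

```python
# Added example (not the deck's code): lints AT-8000S style dot1x config text against the slides' rules.
def lint_dot1x_config(config_text):
    """Return a list of findings; an empty list means the config passes the checks."""
    findings, guest_vlans, open_vlans = [], set(), set()
    current, has_aaa = None, False                      # current interface context, AAA seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):               # e.g. "vlan 11" or "ethernet 1/e1"
            current = line.split(None, 1)[1]
        elif line.startswith("aaa authentication dot1x default"):
            has_aaa = True
        elif line.startswith("radius-server host") and "usage dot1x" not in line:
            findings.append(f"radius-server line lacks 'usage dot1x': {line}")   # slide 62
        elif line == "dot1x guest-vlan" and current and current.startswith("vlan "):
            guest_vlans.add(int(current.split()[1]))
        elif line == "dot1x auth-not-req" and current and current.startswith("vlan "):
            open_vlans.add(int(current.split()[1]))
        elif line.startswith("dot1x max-req "):
            count = int(line.split()[-1])
            if not 1 <= count <= 10:                        # slide 55: range 1 - 10
                findings.append(f"{current}: dot1x max-req {count} is outside range 1-10")
    if not has_aaa:                                         # slide 36: AAA must be enabled
        findings.append("no aaa authentication dot1x default method (AAA must be enabled)")
    for vid in sorted(guest_vlans):                         # slide 35: guest VLAN rules
        if vid == 1:
            findings.append("guest VLAN cannot be the default VLAN 1")
        if vid in open_vlans:
            findings.append(f"VLAN {vid} is both guest VLAN and un-authenticated VLAN")
    return findings

# Constructed sample configs in the command syntax shown on the slides (assumed saved-config layout).
GOOD_CONFIG = """\
dot1x system-auth-control
aaa authentication dot1x default radius
radius-server host 15.1.1.2 key mafteach usage dot1x
interface vlan 10
 dot1x auth-not-req
interface vlan 11
 dot1x guest-vlan
"""
BAD_CONFIG = """\
dot1x system-auth-control
radius-server host 15.1.1.2 key mafteach
interface vlan 10
 dot1x auth-not-req
 dot1x guest-vlan
interface ethernet 1/e1
 dot1x max-req 12
"""
```

Running lint_dot1x_config(BAD_CONFIG) reports four findings (missing usage dot1x, max-req out of range, no AAA method, VLAN 10 used as both guest and un-authenticated VLAN), while GOOD_CONFIG passes cleanly.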
63. Radius Server Configuration – Connecting
64. Radius Server – RAS Client
65. Radius – Authentication Key
66. Radius Server – Adding a User
67. Radius Server - Password
68. Radius Server – Saving Configuration
69. Client PC - 802.1x Configuration
• Make sure that the 802.1x service is started on the computer.
70. PC - Client Authentication
71. PC - Enable 802.1X On The Client
72. PC - Result Of Client Configuration
• After configuring the client, you can see that it is trying to authenticate.
73. Client – Entering Username and PW
74. AT - 8000S - Authentication Completed!
  01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized
  01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 1
  01-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking
  01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding