IEEE 802.1X Port Based Authentication
AT - 8000S
Marvell Confidential

Agenda
  • 802.1x Overview
      System roles
      What is EAP
      Authentication Initiation
      Message Exchange
      Port states
      Enhanced features
      Operating system support
  • AT - 8000S implementation
      Functional description
      User controls
      User guidelines
      Enhanced features
      Control and status parameters
  • CLI Configuration
  • 802.1x - Configuration Example

IEEE 802.1x Feature Overview

802.1x Overview
  • Standard set by the IEEE 802.1 working group, approved in December 2001.
  • Designed to address and provide port-based access control using authentication.
  • Describes a standard link layer protocol used for transporting higher-level authentication protocols (i.e. EAP).
  • The authentication server authenticates the clients connected to a switch port before making available any services offered by the switch or the LAN.

802.1x Overview (Cont.)
  • Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.
  • After authentication is successful, regular traffic can pass through the port.

System Roles
  [Figure: Workstations (clients) | Switch/Router (AT - 8000S) | Authentication Server (RADIUS)]
  • Devices that are attached to a LAN are referred to as systems.
  • A device or a device port is able to adopt one of the following roles within an access control interaction:
      – Switch (Authenticator or back-end authenticator)
      – Client (Supplicant)
      – Authentication Server

The Switch - Authenticator
  • Controls the physical access to the network based on the authentication status of the client.
  • The switch acts as intermediary between the client and the authentication server, requesting identity information from the client, verifying the information with the authentication server, and relaying the server’s response to the client.
  • The switch acts as a RADIUS client, which is responsible for encapsulating/de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server.
  • When the switch receives EAP Over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format.

The Switch – Authenticator (Cont.)
  • The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format.
  • When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
  • The devices that act as intermediaries must run software that supports both the RADIUS client and 802.1X.

The Client (Supplicant)
  • The device that requests access to the LAN/switch services and responds to requests from the switch.
  • It must be running 802.1x client software.

The Authentication Server
  • Performs the actual authentication of the client.
  • The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services.
  • Because the switch acts as the intermediary, the authentication service is transparent to the client.
  • RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

A closer look at the process
  [Figure: Client <-- 802.1x --> Switch <-- RADIUS --> Server]
  Login Req. -> Send Credentials -> Forward Credentials to the server -> Accept -> Authentication Successful -> Policy Instructions
  • The actual authentication is between the client and the server using EAP; the switch is just the middleman, but is aware of what’s going on.

What Is EAP ?
  • EAP: The Extensible Authentication Protocol
  • A flexible protocol used to carry arbitrary authentication information
  • Typically rides on top of another protocol such as 802.1x or RADIUS (could be TACACS+, etc.)
  • Specified in RFC 2284

802.1x EAP
  [Frame layout: Ethernet Header | 802.1x Header | EAP Payload]
  • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
  • The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information.
  • Three forms of EAP:
      – EAP-MD5: MD5 hashed username/password
      – EAP-OTP: one-time passwords
      – EAP-TLS: strong PKI authentication using Transport Layer Security (SSL)

EAPOL (EAP over 802.1x) Frame Format
  Offset:  0                 6             12           14        15      16       18       n
           Destination MAC | Source MAC | Ether Type | Version | Type | Length | Body …
  • Authenticator to Supplicant: Destination MAC 01-80-C2-00-00-03, Source MAC = unicast authenticator MAC.
  • Supplicant to Authenticator: Destination MAC 01-80-C2-00-00-03, Source MAC = unicast supplicant MAC.

EAPOL Frame Types
  • EAPOL-Start: The frame is an EAPOL-start frame.
  • EAPOL-Logoff: The frame is an explicit EAPOL-logoff request frame.
  • EAP-Packet: The frame carries an EAP packet (see the four code types on the EAP Header Format slide).
  • EAPOL-Key: The frame is an EAPOL-Key frame.
  • EAPOL-Encapsulated-ASF-Alert: The frame carries an EAPOL-Encapsulated ASF Alert.

EAP Header Format
  • Initially developed for PPP Authentication
  • Code: Request, Response, Success, or Failure
  • Identifier is used to match responses with requests
  • Format of the data field depends on the code field
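The three slides above describe the EAPOL frame layout, the EAPOL packet types and the EAP header. As an added worked example (not code from the deck, and not the AT-8000S implementation), the following Python builds and parses frames with exactly that layout: Ethernet header, 802.1X header (version, type, length) and, for EAP-Packet frames, the EAP header (code, identifier, length, type). The EtherType 0x888E, the packet type codes 0 to 4 and the EAP codes 1 to 4 are the values from IEEE 802.1X and RFC 2284; the PAE group MAC is the one on the slide. The MAC addresses, the identifier values and the identity "alice" are constructed sample data. The parser also does the check a defender wants on a raw frame: an EAPOL or EAP length field that claims more bytes than the frame carries is rejected instead of being read past the end.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Values from IEEE 802.1X / RFC 2284 (EtherType, EAPOL packet types, EAP codes).
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03 from the slide
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}   # subset of EAP method types


class EapolError(ValueError):
    """Raised for frames that are not well-formed EAPOL/EAP."""


@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    version: int
    type_name: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header: code(1) identifier(1) length(2) [type(1) data...]; length covers the whole packet."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Ethernet header (dst = PAE group MAC, src, EtherType) + EAPOL header (version, type, length) + body."""
    return PAE_GROUP_MAC + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, eapol_type, len(body)) + body


def parse_eapol(frame: bytes) -> EapolFrame:
    if len(frame) < 18:
        raise EapolError("frame shorter than Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise EapolError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_TYPES:
        raise EapolError(f"unknown EAPOL packet type {eapol_type}")
    body = frame[18:18 + length]
    if len(body) < length:                     # length claims bytes the frame does not carry
        raise EapolError("EAPOL length field exceeds frame size")
    parsed = EapolFrame(dst, src, version, EAPOL_TYPES[eapol_type])
    if eapol_type != 0:                        # Start/Logoff/Key/Alert: no EAP packet inside
        return parsed
    if len(body) < 4:
        raise EapolError("EAP packet shorter than EAP header")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise EapolError(f"unknown EAP code {code}")
    if eap_len < 4 or eap_len > len(body):
        raise EapolError("EAP length field inconsistent with EAPOL body")
    parsed.eap_code, parsed.eap_id = EAP_CODES[code], identifier
    if code in (1, 2):                         # Request/Response carry a type byte plus type data
        if eap_len < 5:
            raise EapolError("EAP Request/Response without type byte")
        parsed.eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
        parsed.eap_data = body[5:eap_len]
    return parsed


# Constructed sample exchange (MACs, identifiers and the identity are made up for this example).
SUPPLICANT_MAC = bytes.fromhex("001122334455")
AUTHENTICATOR_MAC = bytes.fromhex("00aabbccddee")
EAPOL_START = build_eapol(SUPPLICANT_MAC, 1)                                     # client kicks off
EAP_REQ_IDENTITY = build_eapol(AUTHENTICATOR_MAC, 0, build_eap(1, 7, 1))         # switch asks identity
EAP_RESP_IDENTITY = build_eapol(SUPPLICANT_MAC, 0, build_eap(2, 7, 1, b"alice"))  # client answers
EAP_SUCCESS = build_eapol(AUTHENTICATOR_MAC, 0, build_eap(3, 8))                 # relayed server verdict


def describe(frame: bytes) -> str:
    """One-line summary of an EAPOL frame, the way a capture tool would label it."""
    p = parse_eapol(frame)
    if p.eap_code is None:
        return p.type_name
    label = f"EAP-{p.eap_code}"
    if p.eap_type:
        label += f"/{p.eap_type}"
    return f"{label} id={p.eap_id}" + (f" data={p.eap_data!r}" if p.eap_data else "")


if __name__ == "__main__":
    for f in (EAPOL_START, EAP_REQ_IDENTITY, EAP_RESP_IDENTITY, EAP_SUCCESS):
        print(describe(f))
```

Running it prints the four steps of the exchange in order (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity carrying the identity, EAP-Success). Note that the identity travels in the clear in the EAP-Response/Identity body; only the method-specific exchange that follows (MD5 challenge, TLS) protects the credential itself.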
Authentication Initiation
  • The switch or the client can initiate authentication.
  • If you enable authentication on a port, the switch must initiate authentication when it determines that the port link state transitions from down to up.
  • The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information).
  • Upon receipt of the frame, the client responds with an EAP-response/identity frame.

Authentication Initiation (Cont.)
  • If during client boot-up the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.
  • If 802.1X is not enabled or supported on the network access device, EAPOL frames from the client are dropped.
  • If the client does not receive an EAP-request/identity frame after three attempts, the client sends traffic as if the port is in the authorized state.
  • A port in the authorized state effectively means that the client has been successfully authenticated.

Message Exchange
  • When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails.
  • If the authentication succeeds, the switch port becomes authorized.
  • The specific exchange of EAP frames depends on the authentication method being used.

Message Exchange (Cont.)
  • Generally the message exchange looks like this:
      Client -> Switch:  EAPOL-Start
      Switch -> Client:  EAP-Request/Identity
      Client -> Switch:  EAP-Response/Identity
      Switch -> Client:  EAP-Request/challenge
      Client -> Switch:  EAP-Response/challenge (password)
      Switch -> Client:  EAP-Success / EAP-Failure   (port authorized / not authorized)
      Client -> Switch:  EAPOL-Logoff                 (port not authorized)

Port States
  • The switch port state determines whether or not the client is granted access to the network.
  • The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
  • When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic to/from the client to pass normally.
  • If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.

Port States (Cont.)
  • If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails and network access is not granted.
  • When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
  • If the link state of a port transitions from up to down, the port returns to the unauthorized state.

802.1X Un-supported
  • If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the client’s identity. In this situation the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
  • When an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client resends the request a fixed number of times. When still no response is received, the client begins sending frames as if the port is in the authorized state.

Enhanced Features
  • Single-host/Multiple-hosts
  • Guest VLAN
  • Unauthenticated VLANs
  • User based VLAN

Single-host / Multiple-hosts
  Single host
  • Enables only the first host that has been authorized to get access to the port.
  • Filtering is based on the source MAC address.
  Multiple hosts
  • This is the mode defined by the standard.
  • Enables multiple hosts to be attached to a single 802.1x port.
  • Only one of the attached hosts must be authorized for all the hosts to be granted network access.
  • If the port transitions to unauthorized, all the attached clients are denied access to the network.

Guest VLAN
  • An option to provide limited network access to an unauthorized port.
  • Typical applications:
      – Management traffic to unauthorized stations.
      – Providing guest access to the Internet.
  • One of the VLANs in the switch would be the “guest VLAN”.
  • The “guest VLAN” would be the “untagged” VLAN of ports in the unauthorized state.
  • The guest VLAN is assigned dynamically to an unauthenticated port.

Unauthenticated VLANs
  • VLANs in the switch which are always available to the users, even if the port is unauthorized, for the use of some applications like IP telephony.
  • Those VLANs are defined as “Unauthenticated” VLANs.

802.1x un-authenticated VLAN / Guest VLAN differences
  Port mode: Forced / Auto Authorized
    un-authenticated VLAN: Whenever port mode changes to authorized, the port remains on the un-authenticated VLAN and behaves according to dot1Q settings.
    Guest VLAN: Whenever port mode changes to authorized, the port is removed from the guest VLAN and behaves according to dot1Q settings.
  Port mode: Auto / Forced Unauthorized
    un-authenticated VLAN: Whenever port mode changes to unauthorized, the port remains on the un-authenticated VLAN and will forward only tagged traffic towards the unauthenticated VLAN.
    Guest VLAN: Whenever port mode changes to unauthorized, its VLAN membership and PVID will be overridden by the guest VLAN settings, which will take effect instead.

User based VLAN
  • 802.1x ports are assigned to a VLAN based on the username of the client connected to that port.
  • The Authentication server database maintains the username-to-VLAN mappings.
  • After successful authentication of the port, the Authentication server sends the VLAN assignment to the Authenticator.

Operating System Support
  • Windows XP: shipped with support.
  • Windows 2000: available with SP3 + Hotfix or SP4.
  • Windows NT/98/Me: limited availability or 3rd party (MeetingHouse).
  • Linux: open source, http://www.open1x.org
  • Solaris: 3rd party via MeetingHouse Communications, http://www.mtghouse.com

IEEE 802.1x Implementation
AT - 8000S

Functional Description
  • The system implements 802.1x Port Based Authentication as per the standard, in addition to the enhanced features described on the next slides.
  • The authentication server authenticates each client connected to a switch port before any communication (except EAPOL traffic) can take place.
  • Authentication is performed using AAA services, such as RADIUS.
  • The status of the controlled port is a function of the communication between the authentication server and the supplicant.

Functional Description (Cont.)
  • The port status can be modified by the user.
  • Any access to the LAN is subject to the status of the port.
  • An uncontrolled port (always authorized) is used to communicate with the authentication (RADIUS) server using EAP.

AT - 8000S – 802.1X User Controls
  • Enable 802.1x on the system.
  • Specify how often client authentication occurs.
  • Control the port authorization state, or allow it to be set automatically (force-authorized, force-unauthorized, auto).
  • View 802.1x statistics.
  • Trigger manual re-authentication.
  • Adjust quiet period.
  • Reset each value to the default.

AT - 8000S – 802.1X User Controls: Enhanced Features
  • Enable Single-host / Multiple-hosts on an interface
  • Un-authenticated VLANs
      – Define a VLAN as an “Unauthenticated” VLAN
  • Guest VLAN
      – Define a VLAN as a “guest VLAN”
      – Enable guest VLAN on an interface
      – Guest VLAN cannot be an un-authenticated VLAN and cannot be the default VLAN

AT - 8000S 802.1x - User Guidelines
  • AAA services must be enabled in order for 802.1x to work.
  • In a shared medium environment, a designated host will be the authenticated device. As long as it is authorized, all hosts will be granted access to the network. When it becomes unauthorized, all hosts will be denied access.
  • 802.1x cannot be defined on:
      – a LAG.
      – a port which is a member of a LAG.
      – A port that is configured with 802.1x cannot be added to a LAG.
  • If 802.1x is not enabled or supported on the device, the host will send frames as if the port is in the authorized state, meaning that the host has effectively been authenticated.

Control and Status parameters
  Port status:
  • Authorized - The client has full access to the port.
  • Unauthorized - The client has limited access to the port.

Control and Status parameters (Cont.)
  Port administrative control:
  • ForceAuthorized - The port is authorized unconditionally. In this state clients are not required to be authenticated. This state is the default.
  • ForceUnauthorized - The port is unauthorized; clients can’t log on.
  • Auto - Clients are required to authenticate. After successful authentication the port will be authorized; otherwise the port remains unauthorized.
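The slides from Authentication Initiation through Port States, together with Single-host / Multiple-hosts and the port administrative control just described, define how the authenticator moves one port between unauthorized and authorized. The Python below is an added example that ties those rules into a single, runnable state model; it is a simplified illustration written for this page, not the switch's firmware. Assumptions: time is a simulated clock passed in by the caller; the challenge exchange with the server is collapsed into one accept/reject result; the quiet-period default of 60 seconds is the 802.1X standard value, assumed here because the deck states no number. The max-req default of 2, force-authorized as the default port control, and multiple-hosts disabled by default are taken from the slides. The sample MAC strings are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class PortControl(Enum):
    AUTO = "auto"
    FORCE_AUTHORIZED = "force-authorized"      # deck: the default administrative control
    FORCE_UNAUTHORIZED = "force-unauthorized"


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class Dot1xPort:
    """Authenticator-side view of one controlled port (simplified model, not the switch's code)."""
    control: PortControl = PortControl.FORCE_AUTHORIZED
    multiple_hosts: bool = False        # deck: disabled by default
    max_req: int = 2                    # deck: dot1x max-req default count is 2
    quiet_period: int = 60              # assumed: 802.1X standard quietPeriod; the deck gives no value
    state: PortState = PortState.UNAUTHORIZED
    link_up: bool = False
    supplicant_mac: Optional[str] = None
    requests_sent: int = 0              # EAP-Request/Identity frames sent in the current attempt
    quiet_until: float = 0.0            # simulated clock, seconds
    events: List[str] = field(default_factory=list)

    def _set(self, state: PortState, why: str) -> None:
        self.state = state
        self.events.append(f"{state.value}: {why}")

    def _begin(self, now: float) -> Optional[str]:
        """Start an attempt unless the port is still in the quiet period after a failure."""
        if now < self.quiet_until:
            self.events.append("ignored: quiet period")
            return None
        self.requests_sent = 1
        return "EAP-Request/Identity"

    def link_change(self, up: bool, now: float) -> Optional[str]:
        self.link_up = up
        if not up:                                     # link down: port returns to unauthorized
            self.supplicant_mac = None
            self._set(PortState.UNAUTHORIZED, "link down")
            return None
        if self.control is PortControl.FORCE_AUTHORIZED:
            self._set(PortState.AUTHORIZED, "force-authorized")
            return None
        self._set(PortState.UNAUTHORIZED, "link up")
        return self._begin(now) if self.control is PortControl.AUTO else None

    def eapol_start(self, now: float) -> Optional[str]:
        """Client-initiated authentication; only meaningful in auto mode."""
        if self.control is PortControl.AUTO and self.link_up:
            return self._begin(now)
        return None

    def identity_timeout(self, now: float) -> Optional[str]:
        """tx-period elapsed without an EAP-Response/Identity."""
        if self.requests_sent >= self.max_req:        # max-req reached: restart the process
            self.events.append("max-req reached, restarting authentication")
            self.requests_sent = 0
            return None
        self.requests_sent += 1
        return "EAP-Request/Identity"

    def identity_response(self, mac: str) -> Optional[str]:
        """Client answered; from here the switch relays EAP to the RADIUS server."""
        if self.control is not PortControl.AUTO or self.requests_sent == 0:
            return None
        self.supplicant_mac = self.supplicant_mac or mac   # first authorized host owns the port
        self.requests_sent = 0
        return "RADIUS Access-Request"

    def server_result(self, accepted: bool, now: float) -> str:
        """Outcome relayed from the authentication server (challenge exchange collapsed)."""
        if accepted:
            self._set(PortState.AUTHORIZED, "EAP-Success")
            return "EAP-Success"
        self.quiet_until = now + self.quiet_period     # a failure starts the quiet period
        self._set(PortState.UNAUTHORIZED, "EAP-Failure")
        return "EAP-Failure"

    def eapol_logoff(self) -> None:
        if self.control is PortControl.AUTO:
            self.supplicant_mac = None
            self._set(PortState.UNAUTHORIZED, "EAPOL-Logoff")

    def permits(self, src_mac: str, is_eapol: bool = False) -> bool:
        """Would a frame with this source MAC be forwarded? EAPOL always passes (uncontrolled port)."""
        if is_eapol:
            return True
        if self.state is not PortState.AUTHORIZED:
            return False
        if self.control is PortControl.AUTO and not self.multiple_hosts:
            return src_mac == self.supplicant_mac      # single-host: other MACs hit the violation action
        return True
```

The `permits` method is the part worth reading twice: in single-host mode only the supplicant's own MAC is forwarded after authorization, while in multiple-hosts mode every station behind the port rides on the one authenticated host, which is exactly the exposure the User Guidelines slide describes for shared media.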
IEEE 802.1x CLI Configuration
AT - 8000S

Enable 802.1x on the Device
  • Use the following Global Configuration command to enable Port-Based Network Access Control on the device:
      dot1x system-auth-control
  • To disable Port-Based Network Access Control on the device, use:
      no dot1x system-auth-control
  console(config)# dot1x system-auth-control

Configuring the AAA methods
  • Use the following Global Configuration command to specify one or more AAA methods for use when running IEEE 802.1x:
      aaa authentication dot1x default method1 [method2]
    method:
      radius – RADIUS server for authentication.
      none – no authentication needed.
  • To remove, use the no aaa authentication dot1x default command.
  console(config)# aaa authentication dot1x default none

Unauthorized VLAN
  • Use the following VLAN interface configuration command to allow unauthorized users access to that VLAN:
      dot1x auth-not-req
  console(config)# interface vlan 10
  console(config-if)# dot1x auth-not-req
  • To disable the access, use:
      no dot1x auth-not-req

Manual Authorization State
  • Use the following Interface Configuration command to define the authorization state of the port. Use the “no” form of this command to return to the default setting (force-authorized):
      dot1x port-control {auto | force-authorized | force-unauthorized}
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x port-control auto

Allowing Multiple Hosts
  • Use the following Interface Configuration command to allow multiple hosts (clients) on an 802.1X (auto) authorized port:
      dot1x multiple-hosts
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x multiple-hosts
  • To return to the default, use the no form of this command.
  • By default multiple hosts are disabled.
  • If multiple-hosts is enabled and a certain host is authorized, all other hosts on the interface are also authorized.

Violation Action
  • Use the following Interface Configuration command to configure the action to be taken when a station whose MAC address is not the supplicant MAC address attempts to access the interface:
      dot1x single-host-violation {forward | discard | discard-shutdown} [trap seconds]
  • The default is to discard frames whose source address is not the supplicant address. No traps are sent.

Violation Action (Cont.)
  • To return to the default, use:
      no port dot1x single-host-violation
  • Example:
  console(config)# interface ethernet 1/e1
  console(config-if)# dot1x single-host-violation forward trap 100

802.1x - Guest VLAN Commands
  • Use the following Interface VLAN mode command to define a dot1x guest VLAN. Use the “no” form of the command to return to the default configuration:
      dot1x guest-vlan
      no dot1x guest-vlan
  • Use the following Interface Ethernet mode command to enable the dot1x guest VLAN on a port. Use the “no” form of the command to disable the guest VLAN (default):
      dot1x guest-vlan enable
      no dot1x guest-vlan enable

802.1x - Guest VLAN Example
  console(config)# interface vlan 11
  console(config-if)# dot1x guest-vlan
  console(config-if)# exit
  console(config)# interface ethernet 1/e10
  console(config-if)# dot1x guest-vlan enable
  console(config-if)# dot1x port-control auto

802.1x - Guest VLAN Example (Cont.)
  console# show dot1x advanced ethernet 1/e10

  Guest VLAN: 10
  Unauthenticated VLANs:

  Interface   Multiple Hosts   Guest VLAN
  ---------   --------------   ----------
  1/g10       Disabled         Enabled

  Single host parameters
    Violation action: Discard
    Trap: Disabled
    Trap frequency: 10
    Status: Not in auto mode
    Violations since last trap: 0

802.1x - Guest VLAN Example (Cont.)
  console# show vlan

  Vlan  Name   Ports                        Type        Authorization
  ----  -----  ---------------------------  ----------  -------------
  1     1      e(2-9,11-48),g(1-4),ch(1-8)  other       Required
  10    10                                  permanent   Not Required
  11    11     e10                          permanent   Guest

Quiet State Time
  • Use the following Interface Configuration command to set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password):
      dot1x timeout quiet-period seconds
  • Quiet state: no authentication is granted during this period.
  • To return to the default, use:
      no dot1x timeout quiet-period

Quiet State Time (Cont.)
  • During the quiet period, the switch does not accept or initiate any authentication requests.
  • The default value of this command should only be changed to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • If it is necessary to provide a faster response time to the user, a smaller number than the default should be entered.
  console(config-if)# dot1x timeout quiet-period 3600

EAP Response Time
  • Use the following Interface Configuration command to set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request for the first time:
      dot1x timeout tx-period seconds
  • To return to the default, use:
      no dot1x timeout tx-period
  console(config-if)# dot1x timeout tx-period 3600

EAP Retransmission Time
  • Use the following Interface Configuration command to set the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client:
      dot1x timeout supp-timeout seconds
  • To return to the default setting, use:
      no dot1x timeout supp-timeout
  console(config-if)# dot1x timeout supp-timeout 3600

Maximum Requests
  • Use the following Interface Configuration command to set the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process:
      dot1x max-req count
  console(config-if)# dot1x max-req 6
  • To return to the default setting, use:
      no dot1x max-req
  • count – Range: 1 - 10. The default count is 2.
  • This mechanism acts as a verification that the port should stay in the authorized state. If no responses are received, the port goes into the unauthorized state.

Periodic re-authentication
  • Use the following Interface Configuration command to enable periodic re-authentication of the client:
      dot1x re-authentication
  • To return to the default setting, use:
      no dot1x re-authentication
  console(config-if)# dot1x re-authentication

Re-Authentication Period
  • Use the following Interface Configuration command to set the number of seconds between re-authentication attempts:
      dot1x timeout re-authperiod seconds
  console(config-if)# dot1x timeout re-authperiod 3600
  • To return to the default setting, use:
      no dot1x timeout re-authperiod

Initiating Re-authentication
  • Use the following privileged EXEC command to manually initiate an instant re-authentication of all 802.1X-enabled ports or of the specified 802.1X-enabled port:
      dot1x re-authenticate [ethernet interface]
  console# dot1x re-authenticate ethernet 1/e8

Server Timeout
  • Use the following Interface Configuration command to set the time for the retransmission of packets to the authentication server:
      dot1x timeout server-timeout seconds
  console(config-if)# dot1x timeout server-timeout 300
  • To return to the default, use:
      no dot1x timeout server-timeout

Dot1x - Show Commands
  • show dot1x [ethernet interface] - displays 802.1X status for the switch or for the specified interface.
  • show dot1x advanced [ethernet interface] - displays 802.1X advanced features for the switch or for the specified interface.
  • show dot1x users [username username] - displays the 802.1X users for the switch.
  • show dot1x statistics ethernet interface - displays 802.1X statistics for the specified interface.

IEEE 802.1x Configuration Example

AT - 8000S Configuration
  console(config)# interface ethernet g2
  console(config-if)# ip address 15.1.1.1 /24
  console(config-if)# exit
  console(config)# dot1x system-auth-control
  console(config)# aaa authentication dot1x default radius
  console(config)# radius-server host 15.1.1.2 key mafteach usage dot1.x
  console(config)# interface ethernet g1
  console(config-if)# dot1x port-control auto
  01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
  01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
  console(config-if)#
  • Note: the “usage dot1.x” parameter must be used when defining the Radius server for dot1x configuration.

Radius Server Configuration – Connecting (screenshot)
Radius Server – RAS Client (screenshot)
Radius – Authentication Key (screenshot)
Radius Server – Adding a User (screenshot)
Radius Server - Password (screenshot)
Radius Server – Saving Configuration (screenshot)

Client PC - 802.1x Configuration
  • Make sure that the 802.1x service is started on the computer (screenshot).

PC - Client Authentication (screenshot)
PC - Enable 802.1X On The Client (screenshot)

PC - Result Of Client Configuration
  • After configuring the client, you can see that it is trying to authenticate (screenshot).

Client – Entering Username and PW (screenshot)

AT - 8000S - Authentication Completed!
  01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized
  01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 1
  01-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking
  01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding
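The switch messages shown in the configuration example and on this slide (%SEC-W-PORTUNAUTHORIZED and %SEC-I-PORTAUTHORIZED) are the signal an operator would forward to a log collector to watch 802.1X from the switch side. The Python below is an added example, not part of the deck or the AT-8000S software, that parses lines in that format, reports the last known authorization state per port, and flags a port that keeps dropping to unauthorized within a short window (a misconfigured supplicant, a bad credential, or an unreachable RADIUS server). The g1 lines in the sample are the ones printed on the slides; the g2 lines are constructed in the same format for the example, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Log line shape seen on the AT-8000S slides: "<date> <time> %FACILITY-SEVERITY-MNEMONIC: text"
LOG_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) %([A-Z]+)-([A-Z])-([A-Za-z]+): (.*)$")
PORT_RE = re.compile(r"Port (\S+) is (\w+)")

# Sample log: the g1 lines come from the slides; the g2 lines are constructed in the same
# format to show a port that repeatedly fails authentication.
SAMPLE_LOG = """\
01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized
01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1
01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized
01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 1
01-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking
01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding
01-Jan-2000 02:05:00 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
01-Jan-2000 02:06:10 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
01-Jan-2000 02:07:20 %SEC-W-PORTUNAUTHORIZED: Port g2 is unAuthorized
"""

AuthEvent = Tuple[datetime, str, bool]   # (timestamp, port, authorized?)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    """Split one line into (timestamp, facility, severity, mnemonic, text); None if not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)


def port_auth_events(lines: Iterable[str]) -> List[AuthEvent]:
    """Keep only the 802.1X port authorization transitions."""
    events: List[AuthEvent] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, facility, _severity, mnemonic, text = parsed
        if facility != "SEC" or mnemonic not in ("PORTAUTHORIZED", "PORTUNAUTHORIZED"):
            continue
        pm = PORT_RE.search(text)
        if pm:
            events.append((ts, pm.group(1), mnemonic == "PORTAUTHORIZED"))
    return events


def port_status(events: List[AuthEvent]) -> Dict[str, str]:
    """Last known authorization state per port, as the log reports it."""
    status: Dict[str, str] = {}
    for _ts, port, authorized in events:
        status[port] = "Authorized" if authorized else "unAuthorized"
    return status


def flapping_ports(events: List[AuthEvent], threshold: int = 3, window_seconds: int = 300) -> List[str]:
    """Ports that went unauthorized at least `threshold` times inside a sliding time window."""
    recent = defaultdict(deque)
    alerts: List[str] = []
    for ts, port, authorized in events:
        if authorized:
            continue
        q = recent[port]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop transitions outside the window
            q.popleft()
        if len(q) >= threshold and port not in alerts:
            alerts.append(port)
    return alerts


if __name__ == "__main__":
    evs = port_auth_events(SAMPLE_LOG.splitlines())
    print(port_status(evs))
    print("flapping:", flapping_ports(evs))
```

Pair this with the `show dot1x statistics ethernet` output from the Show Commands slide when investigating a flagged port: the log tells you that the port keeps failing, the counters tell you whether the client never answered the identity request or whether the server rejected it.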