IEEE 802.1X                                                                                            packetlife.net

802.1X Header
  Version (1 byte) | Type (1 byte) | Length (2 bytes) | EAP

EAP Header
  Code (1 byte) | Identifier (1 byte) | Length (2 bytes) | Data

EAP Flow Chart
  EAP runs between the supplicant and the authenticator; RADIUS runs between
  the authenticator and the authentication server.

  Supplicant                 Authenticator              Authentication Server
             <- Identity Request
  Identity Response ->
                             Access Request ->
                                                     <- Access Challenge
             <- Challenge Request
  Challenge Response ->
                             Access Request ->
                                                     <- Access Accept
             <- Success

Terminology
  Extensible Authentication Protocol (EAP)
    A flexible authentication framework defined in RFC 3748
  EAP Over LANs (EAPOL)
    EAP encapsulated by 802.1X for transport across LANs
  Supplicant
    The device (client) attached to an access link that requests
    authentication by the authenticator
  Authenticator
    The device that controls the status of a link; typically a
    wired switch or wireless access point
  Authentication Server
    A backend server which authenticates the credentials
    provided by supplicants (for example, a RADIUS server)
  Guest VLAN
    Fallback VLAN for clients not 802.1X-capable
  Restricted VLAN
    Fallback VLAN for clients which fail authentication

802.1X Packet Types
  0  EAP Packet
  1  EAPOL-Start
  2  EAPOL-Logoff
  3  EAPOL-Key
  4  EAPOL-Encap-ASF-Alert

EAP Codes
  1  Request
  2  Response
  3  Success
  4  Failure

EAP Req/Resp Types
  1    Identity
  2    Notification
  3    Nak
  4    MD5 Challenge
  5    One Time Password
  6    Generic Token Card
  254  Expanded Types
  255  Experimental

Interface Defaults
  Max Auth Requests   2
  Reauthentication    Off
  Quiet Period        60s
  Reauth Period       1hr
  Server Timeout      30s
  Supplicant Timeout  30s
  Tx Period           30s

Port-Control Options
  force-authorized
    Port will always remain in authorized state (default)
  force-unauthorized
    Always unauthorized; authentication attempts are ignored
  auto
    Supplicants must authenticate to gain access

Configuration

  Global Configuration

    ! Define a RADIUS server
    radius-server host 10.0.0.100
    radius-server key MyRadiusKey
    ! Configure 802.1X to authenticate via AAA
    aaa new-model
    aaa authentication dot1x default group radius
    ! Enable 802.1X authentication globally
    dot1x system-auth-control

  Interface Configuration

    ! Static access mode
    switchport mode access
    ! Enable 802.1X authentication per port
    dot1x port-control auto
    ! Configure host mode (single or multi)
    dot1x host-mode single-host
    ! Configure maximum authentication attempts
    dot1x max-reauth-req
    ! Enable periodic reauthentication
    dot1x reauthentication
    ! Configure a guest VLAN
    dot1x guest-vlan 123
    ! Configure a restricted VLAN
    dot1x auth-fail vlan 456
    dot1x auth-fail max-attempts 3

Troubleshooting
  show dot1x [statistics] [interface <interface>]
  dot1x test eapol-capable [interface <interface>]
  dot1x re-authenticate interface <interface>

by Jeremy Stretch                                                                                                    v2.0
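The two headers and the value tables on the sheet, exercised by a small decoder. This is an added example and not part of the packetlife cheat sheet: it parses an EAPOL PDU (Version, Type, Length, body) and, for packet type 0, the EAP packet it carries (Code, Identifier, Length, Type, Data), naming each value from the tables above. It checks both Length fields against the buffer before slicing, which is the point a protocol parser most often gets wrong. The sample PDUs are constructed here, not captured traffic; the user name "alice" and identifier 42 are arbitrary.

```python
import struct

# Value tables transcribed from the cheat sheet
EAPOL_TYPES = {
    0: "EAP Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encap-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5 Challenge",
    5: "One Time Password",
    6: "Generic Token Card",
    254: "Expanded Types",
    255: "Experimental",
}


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet: Code (1), Identifier (1), Length (2), Data."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # Length covers the whole EAP packet including the header; never trust
    # it blindly, or a lying Length field becomes an out-of-bounds read.
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP Length {length} does not fit a {len(pkt)}-byte buffer")
    info = {
        "code": code,
        "code_name": EAP_CODES.get(code, "unknown"),
        "identifier": ident,
        "length": length,
    }
    if code in (1, 2):  # Request and Response carry a Type byte plus type data
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        eap_type = pkt[4]
        info["type"] = eap_type
        info["type_name"] = EAP_TYPES.get(eap_type, "unknown")
        info["data"] = pkt[5:length]
    return info


def parse_eapol(pdu: bytes) -> dict:
    """Decode an EAPOL PDU: Version (1), Type (1), Length (2), body.

    `pdu` starts at the 802.1X header; the Ethernet header (EtherType
    0x888E) is assumed to have been stripped already.
    """
    if len(pdu) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    version, pkt_type, length = struct.unpack("!BBH", pdu[:4])
    if length > len(pdu) - 4:
        raise ValueError(f"EAPOL Length {length} exceeds the {len(pdu) - 4}-byte body")
    info = {
        "version": version,
        "type": pkt_type,
        "type_name": EAPOL_TYPES.get(pkt_type, "unknown"),
        "length": length,
    }
    if pkt_type == 0:  # only an "EAP Packet" carries an EAP header
        info["eap"] = parse_eap(pdu[4:4 + length])
    return info


def is_well_formed(pdu: bytes) -> bool:
    """True when both headers parse with consistent lengths."""
    try:
        parse_eapol(pdu)
        return True
    except ValueError:
        return False


# Constructed sample PDUs (not captured traffic).
# EAPOL-Start: version 1, type 1, zero-length body.
EAPOL_START = bytes.fromhex("01010000")
# EAPOL "EAP Packet" carrying EAP Response (2), Identifier 42 (0x2a),
# Length 10, Type 1 (Identity), data "alice".
EAP_RESPONSE_IDENTITY = bytes.fromhex("0100000a" "022a000a" "01" "616c696365")
# Same PDU with the inner EAP Length raised to 0x40: the EAPOL header is
# fine, but the EAP Length overruns the body and must be rejected.
EAP_BAD_LENGTH = bytes.fromhex("0100000a" "022a0040" "01" "616c696365")

if __name__ == "__main__":
    for pdu in (EAPOL_START, EAP_RESPONSE_IDENTITY, EAP_BAD_LENGTH):
        print(parse_eapol(pdu) if is_well_formed(pdu) else "rejected")
```

Both Length fields are validated independently because they are set by different layers: the EAPOL Length bounds the body the authenticator hands to EAP, and the EAP Length must then fit inside that body, so an inconsistent pair is rejected rather than silently truncated.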

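The EAP flow chart on the sheet, walked end to end. This is an added example and not part of the cheat sheet: three small Python roles play the supplicant, the authenticator and the authentication server, relaying EAP on one side and RADIUS on the other exactly in the order the chart shows. EAP-MD5 (Req/Resp Type 4) is used because it is the simplest method that produces the chart's challenge/response pair; its response value is MD5(Identifier || secret || challenge) as RFC 3748 section 5.4 specifies (the CHAP construction). The RADIUS leg is simplified to the message names on the chart, plus Access Reject for a failed check, rather than encoded RADIUS packets; user names and passwords are constructed test data.

```python
import hashlib
import hmac
import secrets
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP Codes
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4              # EAP Req/Resp Types


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) followed by the type payload."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def split_eap(pkt: bytes):
    """Return (code, identifier, type, data); type is None for Success/Failure."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 5:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]


def md5_challenge(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (as in CHAP): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    """The client that answers the authenticator's EAP Requests."""

    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def handle(self, eap: bytes):
        code, ident, eap_type, data = split_eap(eap)
        if code != EAP_REQUEST:
            return None                      # Success or Failure: conversation over
        if eap_type == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.username.encode())
        if eap_type == TYPE_MD5_CHALLENGE:
            size = data[0]                   # Value-Size, then Value, then optional Name
            value = md5_challenge(ident, self.password, data[1:1 + size])
            return build_eap(EAP_RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE, len(value)]) + value)
        # Any other method: Nak, listing MD5-Challenge as the desired type
        return build_eap(EAP_RESPONSE, ident, bytes([TYPE_NAK, TYPE_MD5_CHALLENGE]))


class AuthenticationServer:
    """Backend credential check; stands in for the RADIUS server on the chart."""

    def __init__(self, users: dict):
        self.users = users       # username -> password (constructed test data)
        self.pending = {}        # EAP identifier -> (username, challenge)

    def access_request(self, eap: bytes):
        """Take the relayed EAP Response; return (RADIUS message, EAP packet to send back)."""
        code, ident, eap_type, data = split_eap(eap)
        if code == EAP_RESPONSE and eap_type == TYPE_IDENTITY:
            next_id = (ident + 1) & 0xFF     # the Request gets a fresh Identifier
            challenge = secrets.token_bytes(16)
            self.pending[next_id] = (data.decode(errors="replace"), challenge)
            payload = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
            return "Access Challenge", build_eap(EAP_REQUEST, next_id, payload)
        if code == EAP_RESPONSE and eap_type == TYPE_MD5_CHALLENGE:
            username, challenge = self.pending.pop(ident, (None, b""))
            password = self.users.get(username)
            if password is not None and len(data) >= 1:
                expected = md5_challenge(ident, password, challenge)
                if hmac.compare_digest(data[1:1 + data[0]], expected):
                    return "Access Accept", build_eap(EAP_SUCCESS, ident)
        return "Access Reject", build_eap(EAP_FAILURE, ident)


def authenticator_run(supplicant: Supplicant, server: AuthenticationServer, max_rounds: int = 8):
    """Relay EAP toward the supplicant and RADIUS toward the server, as on the chart.

    Returns (port_authorized, transcript); transcript lists (link, message) pairs.
    """
    transcript = [("EAP", "Identity Request")]
    eap = build_eap(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))
    for _ in range(max_rounds):
        response = supplicant.handle(eap)
        if response is None:
            break
        is_identity = split_eap(response)[2] == TYPE_IDENTITY
        transcript.append(("EAP", "Identity Response" if is_identity else "Challenge Response"))
        transcript.append(("RADIUS", "Access Request"))
        radius_msg, eap = server.access_request(response)
        transcript.append(("RADIUS", radius_msg))
        if radius_msg == "Access Accept":
            transcript.append(("EAP", "Success"))
            return True, transcript          # port-control auto: port becomes authorized
        if radius_msg == "Access Reject":
            transcript.append(("EAP", "Failure"))
            return False, transcript
        transcript.append(("EAP", "Challenge Request"))
    return False, transcript
```

The authenticator never sees a password or checks a credential; it only relays and reads the server's final answer, which is why the port-control decision (authorized or not) depends entirely on the Access Accept from the authentication server.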