Assistance on 802.1x implementation

Shobith K
Level 1

Hi,

I have a project in hand to implement 802.1x for wired networks. Whenever a PC gets connected to the LAN switch, it should get authenticated at Layer 2 and then be authorised to access the LAN. The components involved in this project will be access layer switches (4500, 2950, 3560), client workstations running Windows XP, and a Cisco ACS server for authentication.

I have the following doubts about this setup:

1) In 802.1x, how does the authentication take place (MAC, password, certificates...)?

2) What are the various protocols involved in this?

3) How reliable is this when we implement it on a 3000-node network?

4) If the ACS server goes down, how will the network react: will any machine be able to connect or not?

5) What are the different methods other than 802.1x which can serve the requirement?

Also, it would be great if anyone can give any documents/useful links for the configuration of the switch/ACS, or some general document which throws some light on the technologies involved in this.

Thanks,

Shobith.K

Premdeep Banga
Level 7

It seems like you are new to dot1x.

Suggestion:

- Search "IBNS" on cisco.com

- Go through the 802.1x rfc (overview)

Regards,

Prem

Premdeep Banga
Level 7

One more suggestion: search on the NetPro forum. You'll get lots of examples of configuring 802.1x, wired or wireless, all over it.

Regards,

Prem

Thanks Prem,

let me go through some of those docs and get back.

Regards,

Shobith

rajchack
Cisco Employee

Hello Shobith,

In 802.1x the authentication takes place via a Layer 2 protocol using EAP over LAN (EAPOL). The switchport will send an authentication request to the connected host; the host must be running software called a 'supplicant' which is capable of responding to such requests. You can use certificates to authenticate the machines and also have the option to authenticate the users with their login and password. Deploying dot1x on a large scale is not currently recommended by Cisco due to various complicated issues; we currently recommend CCA, or Cisco Clean Access, which will provide the added functionality of posture assessment and remediation.

Thanks,

Raj

Hi,

Thanks for the reply. The current requirement was to make the most use of the Cisco ACS server deployed in the system. Can we have any other option other than 802.1x/CCA?

Can we implement port-based authentication, i.e. authenticating the connected PC based on a list of MAC addresses? Also, can this functionality be integrated with Cisco ACS, because the network has more than 3000 nodes (3000 MAC addresses)?

It would be great if I can have more inputs on the same.

Thanks,

Shobith.K

Hi Shobith,

First of all, let me clarify what I said earlier: when I said Cisco doesn't recommend dot1x in a large, complex environment, that is more related to a framework deployment, and that's why I made the suggestion of CCA. Dot1x is deployable, and in your particular case it may be a viable option provided you have done ample planning and looked at all the variables. I would highly recommend you to work with your Cisco account team to craft a good solution.

Best regards,

Raj

I have done this earlier; I do not know if it's feasible for you or not. You'll find nowhere anything which says "MAC authentication using Cisco switches". But if your switches support MAC auth bypass, then you can do this (I have done this twice and it works, but test first):

You can go through MAC Auth bypass feature from following link:

12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1205506

Configuring MAC Auth bypass on 12.2(37)SE:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1196845

----------Commands Required on Switch--------------
! Global configuration. Values in <angle brackets> are placeholders;
! the original post left them blank, so fill in your own.
configure terminal
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host <ACS-ip-address>
radius-server key <shared-secret>
!
! Per-port configuration, repeated for each access port that should use MAC Auth Bypass
interface <interface-name>
 switchport access vlan <vlan-id>
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 dot1x reauthentication
-----------------------------------------------------------------

If we have a Windows XP client, and we want MAC authentication to work, then we can disable the client from sending EAP requests, so that the switch considers it an agentless host and initiates the MAC auth bypass process.

Registry fix on the Win XP test machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"SupplicantMode"=dword:00000000

Please create an AAA client entry for the switch in ACS from the Network Configuration section,

and use the authentication protocol RADIUS (Cisco IOS....).

And on ACS create an account for the client as follows:

Username : 0015c53ae40d

Password : 0015c53ae40d

if the MAC address of the client is 00-15-C5-3A-E4-0D.

Also, please ensure that we are running an ACS version that is not hitting the bug

CSCsh62641 - MAC authentication causes internal errors

Regards,

Prem
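The account mapping in Prem's post (MAC 00-15-C5-3A-E4-0D becomes username and password 0015c53ae40d) is easy to get wrong by hand across 3000 nodes, so here is an added example, not code from the post or from Cisco, that derives the ACS MAB account entries from a list of MAC addresses. It goes slightly beyond the post's single case: it accepts dash, colon and Cisco dotted notation, rejects malformed entries, and flags duplicates; the sample list is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the MAC from the post plus entries in other common
# notations, one duplicate and two malformed values that must be rejected.
SAMPLE_MACS = [
    "00-15-C5-3A-E4-0D",   # dash notation, as in the post
    "00:15:c5:3a:e4:0e",   # colon notation
    "0015.c53a.e40f",      # Cisco dotted notation ('show mac address-table')
    "0015C53AE40D",        # same MAC as the first entry, different notation
    "00-15-C5-3A-E4",      # too short: reject
    "00-15-C5-3A-E4-ZZ",   # non-hex characters: reject
]

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> Optional[str]:
    """Return the 12-digit lowercase hex form ACS expects, or None if invalid."""
    digits = re.sub(r"[-:.\s]", "", mac.strip()).lower()
    return digits if _HEX12.fullmatch(digits) else None


def mab_credentials(mac: str) -> Optional[Tuple[str, str]]:
    """Username and password for a MAB account: both are the normalized MAC."""
    norm = normalize_mac(mac)
    return (norm, norm) if norm else None


def build_mab_accounts(macs: List[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Build unique ACS account entries (username -> password) and report
    the inputs that were rejected as malformed or skipped as duplicates."""
    accounts: Dict[str, str] = {}
    rejected: List[str] = []
    duplicates: List[str] = []
    for mac in macs:
        creds = mab_credentials(mac)
        if creds is None:
            rejected.append(mac)
        elif creds[0] in accounts:
            duplicates.append(mac)
        else:
            accounts[creds[0]] = creds[1]
    return accounts, rejected, duplicates


if __name__ == "__main__":
    accounts, rejected, duplicates = build_mab_accounts(SAMPLE_MACS)
    for user, pwd in accounts.items():
        print(f"Username : {user}\nPassword : {pwd}\n")
    print("rejected:", rejected, "duplicates:", duplicates)
```

Because the password is simply the MAC address, a MAB account grants only as much trust as a MAC address deserves; keep the list reviewed and use the data VLAN assignment on the port, not the account itself, as the real access boundary.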

dot1x mac-auth-bypass is not supported on 2950 switches.

Hi Prem,

Thanks for the assistance provided. I have tested the configuration provided by you in the lab. It works :)

Now, moving on to integrating with our existing LAN, I have to test the following:

1) A PC and an IP Phone connecting to the same port, to be authenticated based on MAC address.

I went through the 802.1x configuration guide and came across MULTI DOMAIN AUTHENTICATION, which lets me authenticate both the PC and the IP Phone. Now I have a doubt here: will this work with MAC-AUTH-BYPASS? Hope to hear from you soon regarding this.

Thanks and Regards,

Shobith

Yes, this is exactly what you need.

Multi-Domain-Auth is effectively a new host mode. Typically, port-based access-control techniques only take a single port into account. For AAA and port enforcement to ensure the validity of the authorized session, MDA extends this to a single-port, single-VLAN construct to maximize retention of security.

So in the end, MDA just allows the new mode on the port. Then MAB can be used as the actual auth method, and/or 1X can be used as the actual auth method, for both a Data VLAN and/or a Voice VLAN.

Hope this helps,

Premdeep Banga
Level 7

And apart from the suggestion that I just provided, I strongly back Raj: plan a good solution and only then go for implementation, which is very important!

Regards,

Prem
