I have a project in hand to implement 802.1x for wired networks. Whenever a PC gets connected to the LAN switch, it
should get authenticated at Layer 2 and then it should be authorised to access LAN. The components involved in this
project will be access layer switches (4500, 2950, 3560), the client workstations running Windows XP and a Cisco ACS
server for authentication.
I have the following doubts on this setup,
1) In 802.1x, how does the authentication take place (MAC, password, certificates...)?
2) What are the various protocols involved in this?
3) How reliable is this when we implement it on a 3000-node network?
4) If the ACS server goes down, how will the network react: will any machine be able to connect or not?
5) What are the different methods other than 802.1x which can serve the requirement?
Also it would be great if anyone can give any documents/useful links for the configuration of the switch/ACS, or
some general document which throws some light on the technologies involved in this.
It seems like you are new to dot1x.
- Search "IBNS" on cisco.com
- Go through the 802.1x RFC (overview)
One more suggestion: search on the NetPro forum. You'll get lots of examples of configuring 802.1x, wired or wireless, all over it.
In 802.1x the authentication takes place via a Layer 2 protocol, EAP over LAN (EAPoL). The switch port will send an authentication request to the connected host; the host must be running a piece of software called a 'supplicant' which is capable of responding to such requests. You can use certificates to authenticate the machines and also have the option to authenticate the users with their login and password. Deploying dot1x on a large scale is not currently recommended by Cisco due to various complicated issues; we currently recommend CCA, or Cisco Clean Access, which will provide the added functionality of posture assessment and remediation.
Thanks for the reply. The current requirement was to make the most use of the Cisco ACS server deployed in the system. Can we have any other option other than 802.1x/CCA?
Can we implement port-based authentication, i.e. authenticating the connected PC based on a list of MAC addresses? Also, can this functionality be integrated with Cisco ACS, because the network has more than 3000 nodes (3000 MAC addresses)?
It would be great if I can have more inputs on the same.
First of all let me clarify what I said earlier: when I said Cisco doesn't recommend dot1x in a large complex environment, that is more related to a framework deployment, and that's why I made the suggestion of CCA. Dot1x is deployable, and in your particular case it may be a viable option provided you have done ample planning and looked at all the variables. I would highly recommend you to work with your Cisco account team to craft a good solution.
I have done this earlier; I do not know if it's feasible for you or not. You'll find nothing anywhere that says something like "MAC authentication using Cisco switches". But if your switches support MAC auth bypass, then you can do this (I have done this twice and it works, but test first).
You can go through MAC Auth bypass feature from following link:
12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"
Configuring MAC Auth bypass on 12.2(37)SE:
----------Commands Required on Switch--------------
aaa authentication dot1x default group radius
switchport access vlan
dot1x port-control auto
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
If we have a Windows XP client, and as we want MAC authentication to work, then we can stop the client from sending EAP requests, so that the switch considers it an agentless host and initiates the MAC auth bypass process.
Registry fix on the Win XP test machine:
Please create an AAA Client entry for the switch in ACS from the Network Configuration section,
and use the Authentication Protocol RADIUS (Cisco IOS...).
And on ACS create an account for the client as,
Username : 0015c53ae40d
Password : 0015c53ae40d
If the MAC address of the client is 00-15-C5-3A-E4-0D
Also, please ensure that we are running an ACS version that is not hitting the bug
CSCsh62641 - MAC authentication causes internal errors
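The MAB setup above boils down to two artefacts: one ACS account per machine whose username and password are both the MAC address written as 12 lowercase hex digits, and a fixed set of per-port switch commands. The helper below, added here as an example and not from the thread or from Cisco, normalizes an inventory of MACs in mixed notations into that ACS form, rejects invalid and duplicate entries before a 3000-node import, and emits the per-port commands; the inventory, VLAN number and the MAB interface command are assumptions.

```python
import re
from collections import Counter

# Constructed inventory: MACs as different tools export them
# (dashes, colons, Cisco dotted notation, mixed case).
INVENTORY = [
    "00-15-C5-3A-E4-0D",   # the notation used in the thread
    "00:15:c5:3a:e4:0e",
    "0015.c53a.e40f",
    "00-15-C5-3A-E4-0D",   # duplicate of the first entry
    "00-15-C5-3A-E4",      # truncated, invalid
]


def normalize_mac(mac):
    """Return the 12 lowercase hex digits ACS expects as username/password
    for MAB (00-15-C5-3A-E4-0D -> 0015c53ae40d), or None if invalid."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return digits


def build_acs_accounts(inventory):
    """Produce (username, password) pairs for ACS, returning invalid and
    duplicated MACs separately so they are caught before the bulk import."""
    normalized = [normalize_mac(m) for m in inventory]
    invalid = [m for m, n in zip(inventory, normalized) if n is None]
    counts = Counter(n for n in normalized if n)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    accounts = [(n, n) for n in sorted(counts)]   # username == password == MAC
    return accounts, invalid, duplicates


def interface_config(vlan_id):
    """Per-port commands from the thread. The access VLAN number (left out
    in the original post) is a parameter; 'dot1x mac-auth-bypass' is the
    assumed 12.2(37)SE interface command that turns MAB on for the port."""
    return "\n".join([
        " switchport access vlan %d" % vlan_id,
        " dot1x port-control auto",
        " dot1x mac-auth-bypass",
        " dot1x timeout quiet-period 15",
        " dot1x timeout tx-period 3",
    ])


if __name__ == "__main__":
    accounts, invalid, duplicates = build_acs_accounts(INVENTORY)
    print("accounts:", accounts)
    print("invalid:", invalid, "duplicates:", duplicates)
    print(interface_config(10))
```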
Thanks for the assistance provided. I have tested the configuration provided by you, in the lab. It works :)
Now, moving on to integrating with our existing LAN, I have to test the following:
1) A PC and an IP Phone connecting to the same port, to be authenticated based on MAC address.
I went through the 802.1x configuration guide and I came across MULTI DOMAIN AUTHENTICATION, which lets me authenticate both the PC and the IP Phone. Now I have a doubt here: will this work with MAC-AUTH-BYPASS? Hope to hear from you soon regarding this.
Thanks and Regards,
Yes, this is exactly what you need.
Multi-Domain-Auth is effectively a new host mode. Typically, port-based access-control techniques only take a single port into account. For AAA, and port enforcement to ensure the validity of the authorized session, MDA extends this to a single-port, single-VLAN construct to maximize retention of security.
So in the end, MDA just allows the new mode on the port. Then, MAB can be used as the actual auth method, and/or 1X can be used as the actual auth method; for both a Data-VLAN, and/or Voice-VLAN.
Hope this helps,
And apart from the suggestion that I just provided, I strongly back Raj: plan a good solution first and only then go for implementation, which is very important!