
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


Cisco IOS 12 - IEEE 802.1x and more advanced features

Petr Bouška - Samuraj
In the previous part, you could find a description of the IEEE 802.1x protocol and its basic configuration (only allowing user access to the port) both on the Cisco Switch and on the Microsoft IAS server (i.e. RADIUS) and the Windows client. This part goes on to describe the configuration of other interesting options. The most interesting thing is probably the possibility of assigning a port to certain VLANs according to user authentication and its inclusion in a group in AD or allowing access (to a certain part of the network) to a user who has not passed authentication.

VLAN Assignment

The 802.1x protocol (in cooperation with the Cisco switch) lets us dynamically assign ports to VLANs based on the authentication result. So we don't have to configure the correct VLAN on each port (we still need to put every port into some VLAN and think it through well), and the user gets their VLAN at any location and on any computer. However, this generally only works when we use user authentication, not computer authentication.

Configuration in Cisco IOS

If we have the 802.1x protocol correctly configured and want to add support for VLAN assignment from the RADIUS server, we use the following command. This ensures that RADIUS authorization will be used for network services (such as VLAN assignment).

SWITCH(config)#aaa authorization network default group radius

In case the RADIUS server doesn't send a VLAN (or 802.1x is turned off), the port will be assigned to its access VLAN (which is set on the port).

Note: If an incorrect (for example, non-existent) VLAN is sent, the switch will reject it.

If we need to troubleshoot or want to monitor how communication is taking place, we can use the debug command and log certain operations, for example:

SWITCH#debug dot1x events      // logging dot1x events
SWITCH#show logging            // displaying the log

Note: Dot1x cannot be used on trunk ports and dynamic ports.

Configuration on MS IAS (RADIUS) server

Again, I assume that we already have user authentication configured. To send a VLAN, we only need to add three Vendor-specific attributes. We do this in our Remote Access Policy on the Advanced tab.

[Figure: Vendor-specific attributes on the RADIUS server]

These are the following attributes:

  • [64] Tunnel-Type = VLAN (type 13)
  • [65] Tunnel-Medium-Type = 802 (type 6)
  • [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

The above procedure ensures that all users/stations (to which this Remote Access Policy applies) will be assigned to the set VLAN. This isn't very dynamic, because in practice we want to assign different users to different VLANs. One possible solution is as follows.

First, we need to have a group created in Active Directory for each VLAN, with the appropriate users assigned to it. For example, when we have VLANs by department, one group per department.

On the RADIUS server, we then need to create a Remote Access Policy for each VLAN. Most parameters will (probably) be the same. We need to modify the conditions according to which the policy is assigned to a request. There we set the condition to Windows-Groups and enter the group or groups from Active Directory for which one VLAN will be set. Then we set the VLAN number on the Advanced tab of the policy (as mentioned above).

[Figure: Policy conditions for a VLAN]

Policies are tested in order from top (number 1) to bottom, and when a match occurs, the policy is used. So we can set several policies for different special groups and place a general policy at the end that sets the VLAN for everyone else.
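The two pieces above (the three tunnel attributes and the top-to-bottom policy evaluation) can be tied together in a small simulation. This is an added example, not code from the original article or from IAS: it evaluates a constructed list of policies keyed on Windows-Groups in order, encodes the RFC 2868 attributes [64], [65] and [81] for the chosen VLAN in RADIUS TLV form, and then decodes them the way a switch would, rejecting a VLAN that does not exist on the switch (as the note above says the switch does). The policy names, AD groups, VLAN IDs and the `tag` handling are assumptions for the example.

```python
"""Added example (not from the original article): first-match evaluation of
Remote Access Policies keyed on Windows-Groups, then encoding/decoding of the
three RFC 2868 tunnel attributes the switch expects in the Access-Accept.
Policy names, group names and VLAN IDs below are constructed sample data.
"""
import struct

# RADIUS attribute numbers and values named in the article (RFC 2868)
TUNNEL_TYPE = 64               # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # VLAN
TUNNEL_MEDIUM_802 = 6          # 802

# Ordered like the IAS policy list: specific groups first, catch-all last
# (constructed sample policies, not real IAS configuration).
POLICIES = [
    {"name": "VLAN-Finance", "groups": {"CORP\\Finance"}, "vlan": "30"},
    {"name": "VLAN-IT", "groups": {"CORP\\IT-Admins", "CORP\\IT-Helpdesk"}, "vlan": "20"},
    {"name": "VLAN-Default", "groups": None, "vlan": "10"},   # no condition = everyone else
]

def select_vlan(user_groups, policies=POLICIES):
    """Return (policy name, vlan) for the first policy whose Windows-Groups
    condition matches, mimicking top-to-bottom evaluation; None if nothing
    matches (the request would then be rejected)."""
    for policy in policies:
        if policy["groups"] is None or policy["groups"] & set(user_groups):
            return policy["name"], policy["vlan"]
    return None

def _attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length (1 byte, incl. header), value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encode_vlan_attributes(vlan, tag=0):
    """Encode Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID.
    Tagged integer attributes carry a 1-byte tag followed by a 3-byte value;
    Tunnel-Private-Group-ID carries the tag followed by the VLAN name or ID."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    tag_byte = struct.pack("!B", tag)
    return (
        _attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + vlan.encode("ascii"))
    )

def decode_vlan_attributes(data, configured_vlans):
    """Walk the attribute list the way a switch would and return the VLAN to
    assign, or None when the attributes are absent, malformed, inconsistent,
    or name a VLAN that does not exist on the switch (the switch rejects it).
    configured_vlans maps VLAN ID -> VLAN name, both accepted in attribute 81."""
    found = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            return None                      # truncated header
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            return None                      # malformed length
        value = data[pos + 2 : pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # a first byte above 0x1F is not a tag but part of the string
            found[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode("ascii")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    vlan = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if vlan in configured_vlans or vlan in configured_vlans.values():
        return vlan
    return None

if __name__ == "__main__":
    vlans = {"10": "USERS", "20": "IT", "30": "FINANCE", "40": "RESTRICTED"}
    name, vlan = select_vlan(["CORP\\Domain Users", "CORP\\IT-Helpdesk"])
    print(name, "->", decode_vlan_attributes(encode_vlan_attributes(vlan), vlans))
```

Swapping the order of the first two policies changes the answer for a user who is in both Finance and IT-Admins, which is exactly why the general policy has to sit last.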

[Figure: Different policies for different VLANs]

Problem with not renewing address on the client

Sometimes it can happen that the client is assigned to the correct VLAN but doesn't get an address from the DHCP server. This problem isn't specific to this chapter; it occurs more often with assignment to the guest VLAN. It's caused by different timeouts. When a client starts connecting to the network, it sends a DHCP request and at the same time starts the authentication process. If authentication takes longer than the DHCP timeout, the client doesn't get the correct address. In the case of Windows XP SP1, the client should renegotiate the address after a short time.

If the client doesn't get an address, running the commands for obtaining an address usually helps. But this is only suitable for testing; for production we should tune the timeouts so that it works without manual intervention.

ipconfig /release
ipconfig /renew

More detailed dot1x settings

Automatic re-authentication

By default this function is turned off, but we can turn it on, and then the switch performs a new client authentication after a certain time. There are many situations where this is useful, for example when the computer is authenticated first and then, after the user logs in, a re-authentication is performed with the user's credentials. On the other hand, re-authentication is then performed continuously, which may not be desirable.

The standard time for re-authentication is 3600 s.

SWITCH(config-if)#dot1x timeout reauth-period 4000  // setting re-authentication time to 4000 s
SWITCH(config-if)#dot1x reauthentication            // turning on re-authentication on the port

We can also trigger re-authentication manually on the switch

SWITCH#dot1x re-authenticate interface gigabitethernet0/1

Reset dot1x port configuration

If we want to reset the dot1x settings of a port to default values, we can use the command:

SWITCH(config-if)#dot1x default

Note: This also turns off dot1x on the port, but doesn't delete the guest and restricted VLAN settings.

Host mode

A port where dot1x is turned on can work in one of two modes:

  • Single host - only one client can be connected to the port.
  • Multiple host - multiple clients can be connected to one port. In this case, authentication of the first client verifies the entire port and others can access.

The default mode is single host; if we want to set multiple-host mode:

SWITCH(config-if)#dot1x host-mode multi-host

Various timeouts

If the switch can't authenticate the client (for example, a communication error, but also when the client enters the wrong password), it waits for the specified time (default 60 s) and then tries again. Often it's useful to shorten this time.

SWITCH(config-if)#dot1x timeout quiet-period 10

The switch sends a request for authentication data (an EAP-Request/Identity frame) and then waits a certain time (default 30 s) for a response; if none arrives, it sends the request frame again. In certain special cases we can change this interval (Switch-to-Client Retransmission Time).

SWITCH(config-if)#dot1x timeout tx-period 15

Related to this is the value (Switch-to-Client Frame-Retransmission Number) of how many times (default 2) the switch resends the request when no response is received.

SWITCH(config-if)#dot1x max-req 5

If we use a Guest VLAN with DHCP in that network, the authentication process and assignment to the Guest VLAN may take longer than the client's timeout for obtaining an address from DHCP, so in this case it's recommended to lower the quiet-period and tx-period values. The exact values depend on the type of client, but for example:

SWITCH(config-if)#dot1x timeout quiet-period 3
SWITCH(config-if)#dot1x timeout tx-period 15

Accounting

The 802.1x protocol takes care of authentication (confirming that the user is who they claim to be) and authorization (controlling access to the resource; here it's for example assignment to a VLAN). We can supplement the functions with accounting (in other words, logging data), which keeps information about:

  • user authentication
  • logging out
  • link-down
  • re-authentication

Microsoft IAS automatically (if we enable it in the settings) stores information in the log during user authentication. For accounting, a different port is used (default 1646 or 1813) than for authentication and authorization (default 1645 or 1812). Information about accounting is sent to the RADIUS server using attribute and value pairs.

On the switch, we can use a different notation for defining RADIUS, where we specify ports for individual services (otherwise the defaults are used).

SWITCH(config)#radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key 123456

To send accounting information about dot1x to RADIUS, we use:

SWITCH(config)#aaa accounting dot1x default start-stop group radius

Note: default is for the default list (and common situations), group radius means that information will be sent to all defined RADIUS servers.

We can use accounting for many kinds of data that we want to monitor and store, so here are a few examples from other areas.

Sending information about switch restart

SWITCH(config)#aaa accounting system default start-stop group radius

Sending information about user login to the switch (to exec mode)

SWITCH(config)#aaa accounting exec default start-stop group radius

Sending information about using level 15 commands

SWITCH(config)#aaa accounting commands 15 default start-stop group radius
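Once `aaa accounting dot1x default start-stop group radius` is in place, the RADIUS server receives a Start record when a session is authenticated and a Stop record on logout, link-down or re-authentication. The following is an added example, not code from the article or from IAS, showing what can be done with those records: it pairs Start and Stop by Acct-Session-Id, reports which ports currently hold an open session and flags Stop records whose Start was never seen. The records are constructed sample data using standard RADIUS attribute names (Acct-Status-Type, Acct-Session-Id, User-Name, NAS-Port-Id, Calling-Station-Id, Acct-Terminate-Cause); they are not IAS log output, and the `time` field is a simplified timestamp.

```python
"""Added example (not from the original article): reconciling RADIUS
accounting Start/Stop records into per-port 802.1x sessions.
All records below are constructed sample data, not IAS log output.
"""
from collections import OrderedDict

START, STOP, INTERIM = 1, 2, 3   # Acct-Status-Type values (RFC 2866)
LOST_CARRIER = 2                 # Acct-Terminate-Cause: link-down

# constructed sample records, in the order the RADIUS server received them
RECORDS = [
    {"Acct-Status-Type": START, "Acct-Session-Id": "0000001A", "User-Name": "CORP\\alice",
     "NAS-Port-Id": "GigabitEthernet0/1", "Calling-Station-Id": "00-11-22-33-44-55", "time": 100},
    {"Acct-Status-Type": START, "Acct-Session-Id": "0000001B", "User-Name": "CORP\\bob",
     "NAS-Port-Id": "GigabitEthernet0/2", "Calling-Station-Id": "00-11-22-33-44-66", "time": 120},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0000001A", "User-Name": "CORP\\alice",
     "NAS-Port-Id": "GigabitEthernet0/1", "Calling-Station-Id": "00-11-22-33-44-55",
     "Acct-Terminate-Cause": LOST_CARRIER, "time": 700},   # cable pulled: link-down
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0000009F", "User-Name": "CORP\\carol",
     "NAS-Port-Id": "GigabitEthernet0/3", "Calling-Station-Id": "00-11-22-33-44-77",
     "Acct-Terminate-Cause": 1, "time": 710},              # Stop whose Start was never logged
]

def reconcile(records):
    """Return (sessions, orphans). sessions maps Acct-Session-Id to a dict with
    user, port, mac, start, stop (None while open) and terminate cause;
    orphans lists session ids of Stop/Interim records with no preceding Start."""
    sessions, orphans = OrderedDict(), []
    for r in records:
        sid = r["Acct-Session-Id"]
        status = r["Acct-Status-Type"]
        if status == START:
            sessions[sid] = {"user": r["User-Name"], "port": r["NAS-Port-Id"],
                             "mac": r["Calling-Station-Id"], "start": r["time"],
                             "stop": None, "cause": None}
        elif status in (STOP, INTERIM):
            s = sessions.get(sid)
            if s is None:
                orphans.append(sid)   # e.g. the server missed the Start
                continue
            if status == STOP:
                s["stop"] = r["time"]
                s["cause"] = r.get("Acct-Terminate-Cause")
    return sessions, orphans

def open_sessions(records):
    """Ports that currently hold an authenticated session according to accounting."""
    sessions, _ = reconcile(records)
    return {s["port"]: s["user"] for s in sessions.values() if s["stop"] is None}

def session_duration(records, sid):
    """Seconds between Start and Stop, or None while the session is still open."""
    sessions, _ = reconcile(records)
    s = sessions[sid]
    return None if s["stop"] is None else s["stop"] - s["start"]

if __name__ == "__main__":
    sessions, orphans = reconcile(RECORDS)
    print("open:", open_sessions(RECORDS))
    print("orphan stops:", orphans)
    for sid, s in sessions.items():
        print(sid, s["user"], s["port"], "cause", s["cause"], "duration", session_duration(RECORDS, sid))
```

An orphan Stop is worth keeping rather than discarding: it usually means the accounting server was down or restarted when the session began, which is also the first thing to check when a port shows as "open" long after the user left.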

Restricted VLAN

Often we want a user/computer that fails authentication (for example, because they don't have an account with us) to still be allowed into some part of the network. By default, the port switches to the unauthorized state and blocks communication. A common example is a visitor who needs to get onto the internet. We have created a VLAN for guests and want them to be assigned to it automatically. If their OS supports the 802.1x protocol, it will prompt for credentials after connecting (unless automatic credential filling is configured). And if we have configured a restricted VLAN, the port will switch to this VLAN when incorrect credentials are entered (client not verified).

SWITCH(config-if)#dot1x auth-fail vlan 40            // restricted VLAN is 40
SWITCH(config-if)#dot1x auth-fail max-attempts 1     // number of authentication attempts (1 to 3)

Note: For restricted VLAN, the port must be in single-host mode.

With restricted VLAN as well as guest VLAN we may encounter some problems. Often reducing timeouts helps, as mentioned above. There's also a problem with address assignment from DHCP, which is also described above.

Guest VLAN

A similar situation to the restricted VLAN is the guest VLAN. We use it for clients that don't support 802.1x (for example, so they can download a dot1x client). The client is assigned to the guest VLAN if it doesn't support the 802.1x protocol (it doesn't send an EAPOL packet or doesn't respond to the EAP-Request).

SWITCH(config-if)#dot1x guest-vlan 20

In older IOS versions up to 12.2(25)SEE, a modified guest VLAN behavior was available that was similar in effect to the restricted VLAN. First, the behavior had to be switched for the entire switch.

SWITCH(config)#dot1x guest-vlan supplicant

And then the guest VLAN was normally configured for ports and applied to unverified clients.

SWITCH(config-if)#dot1x guest-vlan 5

Check and Debug

Information about 802.1x

SWITCH#show dot1x interface f0/1       // information about 802.1x configuration on the port
SWITCH#show dot1x all                  // information about 802.1x from all ports where it's enabled
SWITCH#show dot1x all details          // complete information about all 802.1x ports
SWITCH#show dot1x all statistics       // statistics about 802.1x usage on the port
SWITCH#show dot1x all summary          // brief information about the status of dot1x ports

Debugging 802.1x

When deploying 802.1x, we may simply run into various problems and need to see what's happening on the switch. The best tool for that is debugging of the relevant information.

SWITCH#debug dot1x events              // logging of dot1x events
SWITCH#debug dot1x all                 // logging of everything related to dot1x
SWITCH#show debugging                  // shows what debug is set to
SWITCH#undebug dot1x all               // cancels debug of everything related to 802.1x
SWITCH#show logging                    // displays the log

Information about AAA and RADIUS

SWITCH#show radius statistics          // statistics from RADIUS
SWITCH#show aaa servers                // statistics from AAA and connection to RADIUS
SWITCH#show aaa method-lists all       // list of methods and which ones are used
SWITCH#debug radius accounting         // logging of accounting information sent to RADIUS
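The `show logging` output after `debug dot1x events` (or just the default %DOT1X messages) is where repeated failures on one port show up, such as the "Unknown MAC" failures every few minutes that a powered-off Wake-on-LAN host or an empty IP phone port produces. Below is an added example, not part of the original article, that parses such lines and reports ports that keep failing without a subsequent success, and ports whose failures never carried a MAC address (no EAPOL from the client at all). The log lines are constructed samples in the %DOT1X-5-FAIL / %AUTHMGR-5-FAIL format; the year, the failure threshold and the time window are assumptions.

```python
"""Added example (not from the original article): detection of ports that
repeatedly fail 802.1x in Cisco syslog output. Log lines are constructed
samples following the %DOT1X / %AUTHMGR message format.
"""
import re
from collections import defaultdict
from datetime import datetime

# constructed sample 'show logging' output (not captured from a real switch)
LOG = """\
000123: Jul 28 20:10:01.100: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/1 AuditSessionID C0A8F80300000001
000124: Jul 28 20:13:05.358: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E
000125: Jul 28 20:13:05.366: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E
000126: Jul 28 20:16:07.358: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000D0506F20E
000127: Jul 28 20:19:09.358: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000E0506F20E
000128: Jul 28 20:19:30.000: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.9999) on Interface Fa0/7 AuditSessionID C0A8F8030000001F
000129: Jul 28 20:20:00.000: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.9999) on Interface Fa0/7 AuditSessionID C0A8F80300000020
"""

LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)\.\d+: "
    r"%(?P<facility>DOT1X|AUTHMGR)-\d-(?P<mnemonic>FAIL|SUCCESS): .*?"
    r"client \((?P<client>[^)]*)\) on Interface (?P<intf>\S+)"
)

def parse(log, year=2010):
    """Yield (timestamp, facility, mnemonic, client, interface) per matching line.
    Cisco timestamps carry no year, so one is assumed (constructed value)."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["facility"], m["mnemonic"], m["client"], m["intf"]

def repeat_failures(log, threshold=3, window_s=600):
    """Return {interface: count} for interfaces with at least `threshold`
    DOT1X-5-FAIL events inside a sliding window of `window_s` seconds and no
    DOT1X-5-SUCCESS since the run began (a success resets the run)."""
    runs = defaultdict(list)
    for ts, fac, mnem, _client, intf in parse(log):
        if fac != "DOT1X":
            continue   # AUTHMGR repeats the same event; count the dot1x line only
        if mnem == "SUCCESS":
            runs[intf] = []
            continue
        runs[intf].append(ts)
        runs[intf] = [t for t in runs[intf] if (ts - t).total_seconds() <= window_s]
    return {intf: len(stamps) for intf, stamps in runs.items() if len(stamps) >= threshold}

def unknown_mac_ports(log):
    """Interfaces whose failures never carried a MAC address: the client sent
    no EAPOL at all, which is what a powered-off Wake-on-LAN host or an empty
    phone port looks like to the switch."""
    unknown, known = set(), set()
    for _ts, fac, mnem, client, intf in parse(log):
        if fac == "DOT1X" and mnem == "FAIL":
            (unknown if client == "Unknown MAC" else known).add(intf)
    return sorted(unknown - known)

if __name__ == "__main__":
    print("ports with repeated failures:", repeat_failures(LOG))
    print("ports failing with no MAC:", unknown_mac_ports(LOG))
```

Fa0/7 is not reported even though it failed once, because the later success reset its run; Fa0/3 is reported by both checks, which is the pattern to look for before touching timeouts on the switch.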


Comments
  1. [1] bosomt

    Those ports are probably wrong in one case ;)

    A different port is used for accounting (default 1646 or 1813) than for authentication and authorization (default 1646 or 1813)

    Tuesday, 01.09.2009 14:11
  2. [2] Samuraj

    respond to [1]bosomt: Thanks :-) fixed

    Tuesday, 01.09.2009 14:31
  3. [3] tata_tulen

    Hi,

    Cisco has changed the CLI commands quite a lot in the newer IOS versions, so many of these commands no longer work, or at least aren't in the context-sensitive help.

    I remembered almost everything via the 'dot1x' commands, and now a good two thirds of things are done with 'authentication' commands (unfortunately it no longer tells you that dot1x is 'deprecated', as I was used to, and it took me a while before I found the config guide for the current IOS - god knows why the newest one isn't listed first, there's some 12.1(xx) there, the newest is 12.2(53) - at least for the 3560 :))

    Here is the newest 802.1x guide I found at Cisco:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html

    Thursday, 11.03.2010 13:31
  4. [4] Michal

    I have a question. I have a RADIUS server set up (NAP on W2008) and a C2960

    interface FastEthernet0/13

    description Access port VLAN100

    switchport access vlan 100

    switchport mode access

    authentication port-control auto

    dot1x pae authenticator

    spanning-tree portfast

    Everything works as it should, but it doesn't seem normal to me that when the PC (WXP) is switched off, the C2960 keeps sending identification requests to that PC, roughly every three minutes.

    3881: 010023: Jul 28 20:22:22.358: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E

    3884: 010044: Jul 28 20:22:22.366: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID C0A8F8030000000C0506F20E

    If I turn on debug on the Cisco there are more of these errors. But it seems to me that it simply keeps trying to authorize all the RADIUS ports.

    Does anyone know how to prevent this? Is this normal behaviour, or do I have something set up wrong somewhere?

    As I say, everything runs until the PC is switched off, then it starts generating these errors into syslog.

    Thanks for any advice

    Wednesday, 28.07.2010 22:44
  5. [5] MZ

    respond to [4]Michal:

    I know those "Authentication failed for client (Unknown MAC)" messages. If they appear on a port with a switched-off PC, that PC has the wake-on-LAN function enabled. So the PC is off, but the network card is in the UP state and is waiting for the packet that would start the computer. To the switch the port looks up and it sends authentication requests, which get no response. So it drops the port into the guest VLAN, because it has no way to authenticate the port.

    The solution is to disable the wake up on LAN function in the BIOS on all PCs. Then when the PC is switched off, the network card switches off too.

    The same problem occurs with IP phones if nothing is connected behind the IP phone. For the switch the port is up and the switch doesn't know that nothing is connected to the phone; it expects authentication responses on the data VLAN and then also puts the port into the guest VLAN, because nothing arrives.

    Tuesday, 21.01.2014 22:03
  6. [6] Omega

    The problem with the address not being renewed on the client can be solved with the command:

    ip device tracking probe delay 5

    Then everything comes up correctly.

    Thursday, 17.04.2014 10:18