IEEE 802.1X-Flexible Authentication

Last Updated: January 17, 2012

The IEEE 802.1X--Flexible Authentication feature provides a means of assigning authentication methods to ports and specifying the order in which the methods are executed when an authentication attempt fails. Using this feature, you can control which ports use which authentication methods, and you can control the failover sequencing of methods on those ports.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IEEE 802.1X--Flexible Authentication

IEEE 802.1X-Port-Based Network Access Control

You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the Configuring IEEE 802.1X Port-Based Authentication module.

Before you can use the IEEE 802.1x-Flexible Authentication feature, the switch must be connected to a Cisco secure access control server (ACS) and RADIUS authentication, authorization, and accounting (AAA) must be configured for web authentication. If appropriate, you must enable access control list (ACL) download.

If the authentication order includes the 802.1x port authentication method, you must enable IEEE 802.1x authentication on the switch.

If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.

You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply ACLs. For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.

The switch must have a RADIUS configuration and be connected to the Cisco secure ACS. For more information, see the Configuration Guide for Cisco Secure ACS.

Restrictions for IEEE 802.1X--Flexible Authentication

  • The web authentication method cannot fail over to the 802.1X or the MAB authentication method. When you configure authentication order, no other authentication method can follow web authentication.
  • The web authentication method is not supported on Cisco integrated services routers (ISRs) or Integrated Services Routers Generation 2 (ISR-G2s) in Cisco IOS Release 15.2(2)T.

Information About IEEE 802.1X - Flexible Authentication

Overview of the Cisco IOS Auth Manager

The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies, regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and, as such, serves as a session manager.

The possible states for Auth Manager sessions are:

  • Authc Success--The authentication method has run successfully. This is an intermediate state.
  • Authc Failed--The authentication method has failed. This is an intermediate state.
  • Authz Success--All features have been successfully applied for this session. This is a terminal state.
  • Authz Failed--At least one feature has failed to be applied for this session. This is a terminal state.
  • Idle--In the idle state, the authentication session has been initialized, but no methods have yet been run. This is an intermediate state.
  • No methods--No method provided a result for this session. This is a terminal state.
  • Running--A method is currently running. This is an intermediate state.

Authentication Methods

The IEEE 802.1X-Flexible Authentication feature supports three authentication methods:

  • dot1X--IEEE 802.1X authentication is a Layer 2 authentication method.
  • mab --MAC-Authentication Bypass is a Layer 2 authentication method .
  • webauth--Web authentication is a Layer 3 authentication method .

Host Mode Authentication

The IEEE 802.1X-Flexible Authentication feature supports two new host modes:

  • multi-auth--Multiauthentication allows one authentication on a voice VLAN and multiple authentications on the data VLAN.
  • multi-domain --Multidomain authentication allows two authentications: one on the voice VLAN and one of the data VLAN.

Authentication Order and Authentication Priority

The IEEE 802.1X-Flexible Authentication feature enables authentication order and authentication priority. The authentication order command sets the default authentication priority. You can use the authentication priority command to override the default authentication priority. For example, you might specify an authentication order of MAB and 802.1X. However, after authorization, you might not want to ignore subsequent 802.1X handshakes. In this case, you can give the 802.1X authentication method a higher priority than the MAB method.

How to Configure IEEE 802.1X - Flexible Authentication

Configuring Authentication Order

Authentication order is configured on individual ports to control which ports use which authentication methods. Perform the steps described in this section to configure authentication order.
SUMMARY STEPS

1.    enable

2.    configure terminal

3.   dot1x system-auth-control

4.   interface type slot/port

5.   switchport

6.   switchportmodeaccess

7.   switchportaccessvlan vlan-id

8.   mab[eap]

9.   authentication port-control{auto|force-authorised|fort unauthorised}

10.   authentication fallbackprofile

11.   authentication order{dot1x[mab|webauth][webauth] |mab[dot1x|webauth] [webauth] |webauth}

12.   dot1x paeauthenticator

13.   end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Switch> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted .
 
Step 2
configure terminal


Example:

Switch# configure terminal

 

Enters global configuration mode.

 
Step 3
dot1x system-auth-control


Example:

Switch(config)# dot1x system-auth-control

 

(Optional) Enables IEEE 802.1x authentication globally on the switch.

Enable IEEE 802.1x authentication if the authentication order includes the dot1x authentication method.

 
Step 4
interface type slot/port


Example:

Switch(config)# interface FastEthernet2/1

 
Enters interface configuation mode.  
Step 5
switchport


Example:

Switch(config-if)# switchport

 
Places interface in Layer2-switched mode.  
Step 6
switchportmodeaccess


Example:

Switch(config-if)# switchport mode access

 
Sets a nontrunking, nontagged single VLAN Layer 2 interface.  
Step 7
switchportaccessvlan vlan-id


Example:

Switch(config-if)# switchport access vlan 2

 
Sets the VLAN for the port.  
Step 8
mab[eap]


Example:

Switch(config-if)# mab

 

(Optional) Enables MAB.

Enable MAB if the authentication order includes the mab keyword (Step 11).

 
Step 9
authentication port-control{auto|force-authorised|fort unauthorised}


Example:

Switch(config-if)# authentication port-control auto

 

Configures the authorization state of the port.

 
Step 10
authentication fallbackprofile


Example:

Switch(config-if)# authentication fallback web-profile

 

Configures the authorization state of the port.

(Optional) Enables web authentication.

Enable web authentication if the authentication order includes the webauth keyword (Step 11).

 
Step 11
authentication order{dot1x[mab|webauth][webauth] |mab[dot1x|webauth] [webauth] |webauth}


Example:

Switch(config-if)# authentication order mab dot1x webauth

 

Configures the authentication order.

 
Step 12
dot1x paeauthenticator


Example:

Switch(config-if)# dot1x pae authenticator

 

Enables the port to respond to messages meant for an IEEE 802.1x authenticator.

 
Step 13
end


Example:

Switch(config-if)# end

 

Returns to global configuration mode.

 

Configuring Authentication Priority

Authentication priority is configured to control the fail over sequencing of methods on individual ports. Perform the steps described in this section to configure authentication priority.
SUMMARY STEPS

1.    enable

2.    configure terminal

3.   interface typeslot/ port

4.   authentication priority {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth}

5.   end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Switch> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted .
 
Step 2
configure terminal


Example:

Switch# configure terminal

 

Enters global configuration mode.

 
Step 3
interface typeslot/ port


Example:

Switch(config)# interface FastEthernet2/1

 

Enters interface configuration mode.

 
Step 4
authentication priority {dot1x [mab | webauth] [webauth] | mab [dot1x | webauth] [webauth] | webauth}


Example:

Switch(config-if)# authentication priority dot1x mab webauth

 

Configures authentication priority.

 
Step 5
end


Example:

Switch(config-if)# end

 

Returns to global configuration mode.

 

Configuration Examples for IEEE 802.1X- Flexible Authentication

Example Configuring IEEE 802.1X--Flexible Authentication

The following example configures the port in multiple authentication host mode with the order of authentication to be 802.1X first, then MAB and, finally, web authentication: 

enable
configure terminal
dot1x system-auth-control

aaa new-model
aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa session-id common 
ip http server 

ip admission name webauth-rule proxy http
fallback profile webauth-profile
 ip access-group webauthlist in
 ip admission webauth-rule

interface GigabitEthernet2/1
 switchport
 switchport mode access
 switchport access vlan 125
 switchport voice vlan 127
 mab
 authentication port-control auto
 authentication fallback webauth-profile
 authentication host-mode multi-auth 
 authentication order dot1x mab webauth
 dot1x pae authenticator

Additional References

Related Documents

Related Topic

Document Title

Authentication commands

Cisco IOS Security Command Reference Commands A to C

IEEE 802.1x commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

  • Catalyst 4500 Series Switch Cisco IOS Command Reference, Release 12.2(25)SGA
  • Catalyst 3750 Switch Command Reference, Cisco IOS Release 12.2(25)SEE

IPSec

  • IPsec Management Configuration Guide, Cisco IOS Release 15.2MT
  • Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15.2MT
  • Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15.2MT

RADIUS

RADIUS Configuration Guide, Cisco IOS Release 15.2MT

Standalone MAB support

Standalone MAB Support

Port-based network access control

"Configuring IEEE 802.1X Port-Based Authentication"Configuring IEEE 802.1X Port-Based Authentication module. module.

Standards and RFCs

Standard/RFC

Title

IEEE 802.1X protocol

--

RFC 3580

IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)

MIBs

MIB

MIBs Link

  • CISCO-AUTH-FRAMEWORK-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-PAE-MIB
  • IEEE8021-PAE-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IEEE 802.1x--FlexibleAuthentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IEEE 802.1X--Flexible Authentication
Feature Name Releases Feature Information

IEEE 8021.X--Flexible Authentication

12.2(33)SXI

15.2(2)T

This feature provides a means of configuring ports with one or more authentication methods and specifying the order in which those authentication methods are attempted.

The following commands were introduced or modified: authentication fallback, authentication hostmode, authentication order, authentication port-controlauthentication priority, authentication timer restart, debug authentication, mab, show authentication interface, show authentication registrations, showauthenticationsessions, showmab

The following commands were removed or made obsolete:

dot1x fallback, dot1xhost-mode, dot1xport control.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.