- Configuring IEEE 802.1X Port-Based Authentication
- IEEE 802.1X Common Session ID
- IEEE 802.1X Guest VLAN
- IEEE 802.1X RADIUS Accounting
- IEEE 802.1X Voice VLAN
- IEEE 802.1X VLAN Assignment
- IEEE 802.1X Multiple Authentication
- IEEE 802.1X Multidomain Authentication
- IEEE 802.1X Flexible Authentication
- IEEE 802.1X Open Authentication
- IEEE 802.1X Auth Fail VLAN
- Critical Voice VLAN Support
- IEEE 802.1X Wake on LAN Support
- Per-User ACL Support for 802.1X/MAB/Webauth Users
- VLAN RADIUS Attributes in Access Requests
- Finding Feature Information
- Prerequisites for IEEE 802.1X Open Authentication
- Restrictions for IEEE 802.1X Open Authentication
- Information About IEEE 802.1X Open Authentication
- How to Configure IEEE 802.1X Open Authentication
- Configuration Examples for IEEE 802.1X Open Authentication
- Additional References
- Feature Information for IEEE 802.1X Open Authentication
IEEE 802.1X Open Authentication
IEEE 802.1X Open Authentication allows a host to have network access without having to go through IEEE 802.1X authentication. Open authentication is useful in an applications such as the Preboot Execution Environment (PXE), where a device must access the network to download a bootable image containing an authentication client.
- Finding Feature Information
- Prerequisites for IEEE 802.1X Open Authentication
- Restrictions for IEEE 802.1X Open Authentication
- Information About IEEE 802.1X Open Authentication
- How to Configure IEEE 802.1X Open Authentication
- Configuration Examples for IEEE 802.1X Open Authentication
- Additional References
- Feature Information for IEEE 802.1X Open Authentication
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for IEEE 802.1X Open Authentication
IEEE 802.1X Port-Based Network Access Control
You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the Configuring IEEE 802.1X Port-Based Authentication module.
The switch must be connected to a Cisco secure Access Control System (ACS) and RADIUS authentication, authorization, and accounting (AAA) must be configured for Web authentication. If appropriate, you must enable ACL download.
If the authentication order includes the 802.1X port authentication method, you must enable IEEE 802.1X authentication on the switch.
Note | The web authentication method is not supported on Cisco integrated services routers (ISRs) or Integrated Services Routers Generation 2 (ISR G2s) in Cisco IOS Release 15.2(2)T. |
RADIUS and ACLs
You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.
The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the Configuration Guide for CISCO Secure ACS.
Restrictions for IEEE 802.1X Open Authentication
-
This feature does not support standard ACLs on the switch port.
-
If you configure Open Authentication by using the authentication open interface configuration command, any new MAC address detected on the port will be allowed unrestricted Layer 2 access to the network even before any authentication has succeeded. If you use this command, you should use static default ACLs to restrict Layer 3 traffic.
-
The Network Edge Access Topology (NEAT) feature is not supported with IEEE 802.1X Open Authentication.
Information About IEEE 802.1X Open Authentication
IEEE 802.1X Open Authentication and Host Modes
Any of the four host modes (single-host mode, multiple-host mode, multi-domain authentication mode, and multiauthentication mode) may be configured to allow a device to gain network access before authentication. For information about configuring IEEE 802.1X host modes, see the “Configuring the Host Mode” section of the “Configuring IEEE 802.1X Port-Based Authentication” chapter.
Open authentication is enabled by entering the authentication open command after host mode configuration, and acts as an extension to the configured host mode. For example, if open authentication is enabled with single-host mode, then the port will allow only one MAC address. When preauthentication open access is enabled, initial traffic on the port is restricted only by whatever other access restriction, independent of 802.1X, is configured on the port. If no access restriction other than 802.1X is configured on the port, then a client device will have full access on the configured VLAN.
How to Configure IEEE 802.1X Open Authentication
Configuring IEEE 802.1X Open Authentication
Note | To configure open authentication you must have configured one of the four 802.1X host modes. For information about configuring IEEE 802.1X host modes, see the “Configuring the Host Mode” section of the “Configuring IEEE 802.1X Port-Based Authentication” chapter. |
1.
configure
terminal
2.
interface
type
slot/port
3.
access-session
port-control
auto
4. access-session host-mode {single-host | multi-auth | multi-domain | multi-host} [open]
5.
access-session
open
6.
end
DETAILED STEPS
Configuration Examples for IEEE 802.1X Open Authentication
Example: Configuring IEEE 802.1X Open Authentication
The following example shows how to enable the Open Authentication feature on a port that has been configured in single-host mode:
Switch(config)# interface gigabitethernet0/1 Switch(config-if)# authentication port-control auto Switch(config-if)# authentication host-mode single-host Switch(config-if)# authentication open
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
IEEE 802.1X commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
|
Configuring host modes |
“Configuring the Host Mode” section of the “Configuring IEEE 802.1X Port-Based Authentication” chapter. |
Standards and RFCs
Standard/RFC |
Title |
---|---|
IEEE 802.1X |
Port Based Network Access Control |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for IEEE 802.1X Open Authentication
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
IEEE 802.1X Open Authentication |
Cisco IOS XE 3.2SE Cisco IOS XE 3.3SE Cisco IOS XE Release 3.6E |
IEEE 802.1X Open Authentication allows a host to have network access without having to go through IEEE 802.1X authentication. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. |