Configuring Identity Features on Layer 3 Interface
This chapter describes the identity features supported on the Onboard Gigabit Ethernet Layer 3 ports of the Cisco 900 Integrated Services Router (ISR).
This chapter contains the following sections:
- Authentication Methods
- Controlling Port Authorization State
- Flexible Authentication
- Host mode
- Open Access
- Control-Direction (Wake-on-LAN)
- Preauthentication Access Control List
- Downloadable Access Control List
- Filter-ID or Named Access Control List
- IP Device Tracking
Note Critical authentication, which is also known as Inaccessible Authentication Bypass or AAA Fail Policy, does not support the Identity features on the Onboard Gigabit Ethernet Layer 3 ports.
Authentication Methods
Identity features support various types of authentication methods that are suitable for different kinds of end hosts and users. The two methods that are mainly used are:
- IEEE 802.1X
- MAC Authentication Bypass (MAB)
Configuring the IEEE 802.1X
This example shows how to configure the IEEE 802.1X on the Cisco 900 ISR:
Router(config)# interface gigabitethernet 0
Router(config-if)# authentication port-control auto
Router(config-if)# dot1x pae authenticator
Use the show authentication sessions command to verify the configuration:
Configuring the MAC Authentication Bypass (MAB)
This example shows how to configure the MAB:
Router(config)# interface gigabitethernet 0
Router(config-if)# authentication port-control auto
Use the show authentication sessions command to verify the configuration:
Controlling Port Authorization State
You can control the port authorization by using the following methods:
- Force-authorized: This is the default setting. It disables IEEE 802.1X and causes the port to transition to the authorized state without any authentication exchange. The port transmits and receives normal traffic without IEEE 802.1X-based authentication of the client.
- Force-unauthorized: This causes the port to remain in the unauthorized state, ignoring all authentication attempts made by a client. The router cannot provide authentication services to clients through the interface.
- Auto: This enables IEEE 802.1X authentication and causes the port to start in the unauthorized state, allowing only Extensible Authentication Protocol over LAN (EAPoL) frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPoL-start frame is received. The router requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the router with the help of the client's MAC address. If the client is successfully authenticated, the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If authentication fails, the port remains in the unauthorized state, but authentication can be retried.
Configuring the Controlling Port Authorization State
This example shows how to configure the Controlling Port Authorization state:
Router(config)# interface gigabitethernet 0
Router(config-if)# authentication port-control {auto | force-authorized | force-unauthorized}
Use the show authentication sessions and show dot1x commands to verify the Controlling Port Authorization state:
Flexible Authentication
Flexible Authentication sequencing allows a user to enable all or some authentication methods on a router port and specify the order in which the methods should be executed.
Configuring Flexible Authentication
For more information about configuring Flexible Authentication, see:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
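The following Cisco IOS configuration is added here as a worked example of Flexible Authentication sequencing; it is not taken from the Cisco 900 ISR guide or from Cisco. It tries IEEE 802.1X first and falls back to MAB only when the client never answers the identity requests, which is the order that keeps a supplicant-capable host from being authenticated by MAC address alone. The RADIUS server name, address and shared-secret placeholder are constructed; the authentication order, authentication priority, dot1x timeout tx-period and dot1x max-reauth-req commands are assumed to be available on the Onboard Gigabit Ethernet port as they are on Catalyst IOS, so check them against the IOS release running on the router.

```cisco
! Global prerequisites (constructed example values: replace the RADIUS address and key)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
interface GigabitEthernet0
 ! Order: try IEEE 802.1X first, run MAB only after 802.1X gives up
 authentication order dot1x mab
 ! Priority: if MAB already authorized the port and an EAPoL frame arrives later,
 ! 802.1X takes over instead of being ignored
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 ! Assumed timers: identity request every 10 s, 2 retries, then fall back to MAB
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
```

With these assumed timers the router sends the initial EAP-Request/Identity plus two retransmissions, so a host without a supplicant waits (max-reauth-req + 1) x tx-period = 30 seconds before MAB runs. The show authentication sessions interface gi0 command referred to earlier in this chapter shows which method ended up authorizing the port.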
Host mode
Only single-host mode is supported for the Identity features on the Onboard Gigabit Ethernet Layer 3 ports. In single-host mode, only one client can be connected to the IEEE 802.1X-enabled router port. The router detects the client by sending an EAPoL frame when the port link state changes to up. If the client leaves or is replaced with another client, the router changes the port link state to down, and the port returns to the unauthorized state.
Open Access
The Open Access feature allows clients or devices to gain network access before authentication is performed. This is primarily required for the Preboot eXecution Environment (PXE) scenario, where a device must access the network before PXE times out in order to download a bootable image that contains a supplicant.
Configuring Open Access
This example shows how to configure Open Access:
Router(config)# interface gigabitethernet 0
Control-Direction (Wake-on-LAN)
When the router uses IEEE 802.1X authentication with Wake-on-LAN (WoL), the router forwards traffic to the unauthorized IEEE 802.1X ports, including the magic packets. While the port is unauthorized, the router continues to block ingress traffic other than EAPoL packets. The host can receive packets, but cannot send packets to other devices in the network.
Configuring Control-Direction (Wake-on-LAN)
This example shows how to configure Control-Direction (Wake-on-LAN):
Router(config)# interface gigabitethernet 0
Router(config-if)# authentication control-direction both
Use the show authentication sessions and show dot1x commands to verify the default control-direction setting (both):
Router# show authentication sessions interface Gi0
Authorized By: Authentication Server
Common Session ID: 03030303000000000000BA04
Dot1x Info for GigabitEthernet0
-----------------------------------
Use the show authentication sessions and show dot1x commands to verify the authentication control-direction setting (in):
Router# show authentication sessions interface gi0
Authorized By: Authentication Server
Common Session ID: 030303030000000C00310024
Router# show dot1x interface g0
Dot1x Info for GigabitEthernet0
Preauthentication Access Control List
When Open Access is enabled, we recommend that you configure a default port access control list (ACL) on the authenticator. The ACL grants the endpoint only the minimum network access it needs to obtain its IP address and become operational.
Configuring the Preauthentication Access Control List
For information about configuring a preauthentication ACL, see:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_acls.html#wp1039754
Downloadable Access Control List
A Downloadable ACL is also referred to as a dACL. For a dACL to work on a port, the ip device tracking feature must be enabled and the endpoint connected to the port must have an IP address assigned. After authentication on the port, use the show ip access-list privileged EXEC command to display the downloaded ACL on the port.
Filter-ID or Named Access Control List
Filter-ID also works like a dACL, but the ACL commands are configured on the authenticator. Authentication, authorization, and accounting (AAA) provides only the name of the ACL to the authenticator.
IP Device Tracking
The IP Device Tracking feature is required for the dACL and Filter-ID features to function. To program a dACL or Filter-ID for a device, the device's IP address is required. IP device tracking provides the IP address of the corresponding device to the Enterprise Policy Manager (EPM) module, which converts the dACL into a per-user ACL by adding that IP address to it.
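The following Cisco IOS configuration is added as a worked example that ties together the Open Access, Preauthentication ACL, Downloadable ACL and IP Device Tracking sections above; it is not taken from the Cisco 900 ISR guide or from Cisco. It shows a preauthentication ACL scoped to what a PXE client needs before its supplicant exists, with the permissive alternative that defeats the purpose of the ACL shown commented out beside it, and enables the device tracking that a dACL or Filter-ID needs afterwards. The interface address and the TFTP server address are constructed documentation-range values, the authentication open command is assumed to be the Open Access command on this platform, and applying the ACL with ip access-group on the routed port is an assumption based on the port being a Layer 3 interface.

```cisco
! Device tracking learns the client's IP address so EPM can insert it into the dACL
ip device tracking
!
! Preauthentication ACL: only the traffic a PXE client needs before authentication
ip access-list extended PREAUTH-PXE
 remark DHCP so the client can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS for name resolution
 permit udp any any eq domain
 remark TFTP to the boot server (constructed address); any UDP port is needed because
 remark the server answers the initial port-69 request from an ephemeral port and the
 remark client's subsequent ACKs are sent to that port, not to port 69
 permit udp any host 192.0.2.20
 remark everything else stays blocked until the session is authorized and a
 remark dACL or Filter-ID replaces this list
 deny ip any any
!
! Weak alternative (shown only for contrast, do not use): grants full network
! access before authentication, so open access no longer limits anything
! ip access-list extended PREAUTH-WEAK
!  permit ip any any
!
interface GigabitEthernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group PREAUTH-PXE in
 authentication open
 authentication port-control auto
 authentication host-mode single-host
 authentication control-direction in
 dot1x pae authenticator
 mab
```

After the client authenticates, show ip access-list (as the Downloadable Access Control List section describes) displays the per-user ACL that EPM built from the dACL and the tracked IP address, and show authentication sessions interface gi0 confirms that the session was authorized by the authentication server rather than left in the open-access state.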