IEEE 802.1X Multiple Authentication
Download this chapter
IEEE 802.1X Multiple AuthenticationIEEE 802.1X Multiple Authentication
 Feedback

Contents

IEEE 802.1X Multiple Authentication

Last Updated: July 17, 2012

The IEEE 802.1X Multiple Authentication feature provides a means of authenticating multiple hosts on a single port. With both 802.1X and non-802.1X devices, multiple hosts can be authenticated using different methods. Each host is individually authenticated before it can gain access to the network resources.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IEEE 802.1X Multiple Authentication

IEEE 802.1X Port-Based Network Access Control

You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform.

Before you can use the IEEE 802.1X Multiple Authentication feature, the switch must be connected to a Cisco secure Access Control Server and RADIUS authentication, authorization, and accounting (AAA) must be configured for web authentication. ACL download must be enabled.

If the authentication order includes the 802.1X port authentication method, you must enable IEEE 802.1X authentication on the switch.

If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.

You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).

The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS).

Restrictions for IEEE 802.1X Multiple Authentication

  • Only one voice VLAN is supported on a multiple authentication port.
  • You cannot configure a guest VLAN or an authentication failed VLAN in multiple authentication mode.
  • When a port is in multiple authentication mode, the guest VLAN and authentication failed VLAN features do not activate.
  • In multiple authentication mode, only multicast EAPOL packets are accepted by the port.
  • The web authentication method is not supported on Cisco integrated services routers (ISRs) or Integrated Services Routers Generation 2 (ISR-G2s) in Cisco IOS 15.2(2)T.
  • Inactivity aging is not supported on Cisco ISRs or ISR-G2s in multiple authentication mode.
  • This feature does not support standard ACLs on the switch port.
  • Configuring the same VLAN ID for both access and voice traffic (using the switchport access vlan vlan-id and the switchport voice vlan vlan-id commands) will fail if authentication has already been configured on the port.
  • Configuring authentication on a port on which you have already configured switchport access vlan vlan-id and switchport voice vlan vlan-id will fail if the access VLAN and voice VLAN have been configured with the same VLAN ID.

Information About IEEE 802.1X Multiple Authentication

Guidelines for Configuring IEEE 802.1X Multiple Authentication

Assign a RADIUS-server-supplied VLAN in multiple authentication mode, under these conditions:

  • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
  • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
  • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
  • Only one voice VLAN assignment is supported on a multi-auth port .
  • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
  • You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
  • The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.

How to Configure IEEE 802.1X Multiple Authentication

Configuring IEEE 802.1X Multiple Authentication

Beginning in privileged EXEC mode, follow these steps to allow one client on the voice VLAN and multiple authenticated clients on the data VLAN, where each host is individually authenticated.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    radius-server vsa send authentication

4.    interface interface-id

5.    authentication host-mode [multi-auth | multi-domain | multi-host | single-host] interface-id

6.    end

7.    show authentication interface interface-id

8.    copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted .
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
radius-server vsa send authentication


Example:

Router(config)# radius-server vsa send authentication

 

Configures the Network Access Server (NAS) to recognize and use vendor-specific attributes.

 
Step 4
interface interface-id


Example:

Router(config)# interface fastethernet 2/1

 

Specifies the port to which multiple hosts are indirectly attached, and enters interface configuration mode.

 
Step 5
authentication host-mode [multi-auth | multi-domain | multi-host | single-host] interface-id


Example:

Router(config-if)# authentication host-mode multi-auth

 

Allows one client on the voice VLAN and multiple authenticated clients on the data VLAN.

  • Each host is individually authenticated.
 
Step 6
end


Example:

Router(config-if)# end

 

Returns to privileged EXEC mode.

 
Step 7
show authentication interface interface-id


Example:

Router# show authentication interface g1/0/23

 

Verifies the entries.

 
Step 8
copy running-config startup-config


Example:

Router# copy running-config startup-config

 

Saves entries in the configuration file.

 

Configuration Examples for IEEE 802.1X Multiple Authentication

Example: Configuring IEEE 802.1X Multiple Authentication

aaa new-model
!
!
aaa authentication login CON local
aaa authentication login VTY local
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa authorization auth-proxy default group radius 
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa session-id common
!
dot1x system-auth-control
!

interface FastEthernet1
 switchport access vlan 20
 switchport voice vlan 117
 no ip address
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
end

Additional References

Related Documents

Related Topic

Document Title

Authentication commands

Cisco IOS Security Command Reference Commands A to C

IEEE 802.1x commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

  • Catalyst 4500 Series Switch Command Reference, Cisco IOS Release 12.2(25)SGA
  • Catalyst 3750 Switch Command Reference, Cisco IOS Release 12.2(25)SEE

IPSec

  • IPsec Management Configuration Guide, Cisco IOS Release 15.2MT
  • Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15.2MT
  • Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15.2MT

RADIUS

RADIUS Configuration Guide, Cisco IOS Release 15.2MT

Standalone MAB Support

Standalone MAB Support

Standards

Standard

Title

IEEE 802.1X protocol

--

MIBs

MIB

MIBs Link

CISCO-AUTH-FRAMEWORK-MIB

CISCO-MAC-AUTH-BYPASS-MIB

CISCO-PAE-MIB

IEEE8021-PAE-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC-3580

IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IEEE 802.1X Multiple Authentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for IEEE 802.1X Multiple Authentication
Feature Name Releases Feature Information

IEEE 8021.X Multiple Authentication

15.2(2)T

The IEEE 802.1X Multiple Authentication feature provides a means of authenticating multiple hosts on a single port. With both 802.1X and non-802.1X devices, multiple hosts can be authenticated using different methods. Each host is individually authenticated before it can gain access to the network resources.

The following commands were introduced or modified: authentication host-mode.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.