IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices (supplicants) from gaining access to the network. The device can combine the function of a router, switch, and access point, depending on the fixed configuration or installed modules. The switch functions are provided by either built-in switch ports or a plug-in module with switch ports. This feature supports both access ports and trunk ports.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following tasks must be completed before implementing the IEEE 802.1X Port-Based Authentication feature:
Note: Optimal performance is obtained with a connection that has a maximum of eight hosts per port.
The following Cisco ISR-G2 routers are supported:
The following cards or modules support switch ports:
Note: Not all Cisco ISR routers support all the components listed. For information about module compatibility with a specific router platform, see Cisco EtherSwitch Modules Comparison.
To determine whether your router has switch ports that can be configured with the IEEE 802.1X Port-Based Authentication feature, use the show interfaces switchport command.
Note: A port in dynamic mode can negotiate with its neighbor to become a trunk port.
In Cisco IOS Release 12.4(11)T, the implementation for IEEE 802.1X authentication changed from the previous releases. When IEEE 802.1X authentication is enabled, information about Port Fast is no longer added to the configuration.
Note: To ensure that any IEEE 802.1X-related command entered on a port is automatically added to the running configuration (which addresses backward compatibility issues), use the dot1x pae authenticator command.
With IEEE 802.1X authentication, the devices in the network have specific roles as shown in the figure below.
Note: To resolve Windows XP network connectivity and IEEE 802.1X authentication issues, read the Microsoft Knowledge Base article at this URL: http://support.microsoft.com/kb/q303597/.
When the authenticator receives EAPOL frames and relays them to the authentication server, the EAPOL is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP frames are not modified during encapsulation, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
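As an added illustration of the relay step just described (example code, not from the Cisco guide or IOS), the following Python strips the Ethernet and EAPOL headers from a supplicant frame, re-encapsulates the unmodified EAP packet in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes (RFC 3579 style), and performs the reverse step for a server reply. The MAC addresses, shared secret and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0              # EAPOL packet type that carries an EAP packet
RADIUS_ACCESS_REQUEST = 1
A_USER_NAME, A_NAS_PORT_TYPE, A_EAP_MESSAGE, A_MSG_AUTH = 1, 61, 79, 80

def strip_eapol(frame: bytes) -> bytes:
    """Supplicant-facing side: drop Ethernet + EAPOL headers, keep the EAP packet as-is."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("no EAP payload (EAPOL-Start or EAPOL-Logoff)")
    eap = frame[18:18 + body_len]
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match the payload")
    return eap

def eap_identity(eap: bytes) -> str:
    """Identity from an EAP-Response/Identity (code 2, type 1); used as the RADIUS User-Name."""
    if eap[0] != 2 or eap[4] != 1:
        raise ValueError("not an EAP-Response/Identity")
    return eap[5:].decode()

def _attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v

def eap_to_radius(eap: bytes, identity: str, secret: bytes, pkt_id: int, req_auth: bytes) -> bytes:
    """Server-facing side: wrap the unmodified EAP packet in a RADIUS Access-Request."""
    attrs = _attr(A_USER_NAME, identity.encode())
    attrs += _attr(A_NAS_PORT_TYPE, struct.pack("!I", 15))          # 15 = Ethernet
    for i in range(0, len(eap), 253):                                # one EAP-Message holds <= 253 bytes
        attrs += _attr(A_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(A_MSG_AUTH, bytes(16))                            # zeroed while the HMAC is computed
    hdr = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, hdr + attrs, hashlib.md5).digest()        # Message-Authenticator (RFC 3579)
    return hdr + attrs[:-16] + mac

def radius_to_eapol(radius: bytes, dst_mac: bytes, src_mac: bytes) -> bytes:
    """Reverse direction: drop the RADIUS header, join EAP-Message attrs, re-encapsulate for Ethernet."""
    pos, eap = 20, b""
    while pos < len(radius):
        t, length = radius[pos], radius[pos + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        if t == A_EAP_MESSAGE:
            eap += radius[pos + 2:pos + length]
        pos += length
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap   # EAPOL v2 header
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

# Constructed sample: EAPOL v2 frame carrying EAP-Response/Identity "alice" (code 2, id 1, len 10, type 1)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
SUPPLICANT_MAC = bytes.fromhex("000dbcefbfdc")
SAMPLE_EAP = b"\x02\x01\x00\x0a\x01alice"
SAMPLE_FRAME = PAE_GROUP_MAC + SUPPLICANT_MAC + b"\x88\x8e" + b"\x02\x00\x00\x0a" + SAMPLE_EAP
```

Note that the EAP bytes pass through both directions byte-for-byte; only the outer framing changes, which is why the RADIUS server must understand EAP natively.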
During IEEE 802.1X authentication, the router or the supplicant can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the router initiates authentication when the link state changes from down to up or periodically if the port remains up and unauthenticated. The router sends an EAP-request/identity frame to the supplicant to request its identity. Upon receipt of the frame, the supplicant responds with an EAP-response/identity frame.
Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication port-control command replaces the dot1x port-control command.
However, if during bootup the supplicant does not receive an EAP-request/identity frame from the router, the supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the router to request the supplicant’s identity.
Note: If IEEE 802.1X authentication is not enabled or supported on the network access device, any EAPOL frames from the supplicant are dropped. If the supplicant does not receive an EAP-request/identity frame after three attempts to start authentication, the supplicant sends frames as if the port is in the authorized state. A port in the authorized state effectively means that the supplicant has been successfully authenticated. For more information, see the Ports in Authorized and Unauthorized States module.
When the supplicant supplies its identity, the router begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the router port becomes authorized. If the authentication fails, authentication can be retried, the port might be assigned to a VLAN that provides limited services, or network access is not granted. For more information, see the Ports in Authorized and Unauthorized States module.
The specific exchange of EAP frames depends on the authentication method being used. The figure below shows a message exchange initiated by the supplicant using the One-Time-Password (OTP) authentication method with a RADIUS server.
To configure IEEE 802.1X port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.
The AAA process begins with authentication. When IEEE 802.1X port-based authentication is enabled and the device attempting to authenticate is IEEE 802.1x-capable (meaning it supports the supplicant functionality), this event occurs:
The router reauthenticates a supplicant when this situation occurs:
You can configure the reauthentication timer to use a router-specific value or to be based on values from the RADIUS server.
After IEEE 802.1X authentication using a RADIUS server is configured, the router uses timers based on the Session-Timeout RADIUS attribute (Attribute [27]) and the Termination-Action RADIUS attribute (Attribute [29]).
The Session-Timeout RADIUS attribute (Attribute [27]) specifies the time after which reauthentication occurs.
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during reauthentication. The actions can be Initialize or ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1X session ends, and connectivity is lost during reauthentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during reauthentication.
You manually reauthenticate the supplicant by entering the dot1x re-authenticate interface interface-name interface-number privileged EXEC command.
You can configure an IEEE 802.1X port for single-host or for multihost mode. In single-host mode (see the figure IEEE 802.1X Device Roles in the Device Roles section of this module), only one supplicant can be authenticated by the IEEE 802.1X-enabled switch port. The router detects the supplicant by sending an EAPOL frame when the port link state changes to the up state. If a supplicant leaves or is replaced with another supplicant, the router changes the port link state to down, and the port returns to the unauthorized state.
In multihost mode, you can attach multiple hosts to a single IEEE 802.1X-enabled port. In this mode, only one of the attached supplicants must be authorized for all supplicants to be granted network access. If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the router denies network access to all of the attached supplicants.
Note: Cisco 870 series platforms do not support single-host mode.
During IEEE 802.1X authentication, depending on the port state, the router can grant a supplicant access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress traffic except for IEEE 802.1X authentication, Cisco Discovery Protocol (CDP), and STP packets. When a supplicant is successfully authenticated, the port changes to the authorized state, allowing all traffic for the supplicant to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and IEEE 802.1X protocol packets before the supplicant is successfully authenticated.
If a client that does not support IEEE 802.1X authentication connects to an unauthorized IEEE 802.1X port, then the router requests the client’s identity. In this situation, if the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
In contrast, when an IEEE 802.1X-enabled supplicant connects to a port that is not running the IEEE 802.1X standard, the supplicant initiates the authentication process by sending the EAPOL-start frame. When no response is received, the supplicant resends the request a fixed number of times. Because no response is received, the supplicant begins sending frames as if the port is in the authorized state.
If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated supplicant are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the router can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a supplicant logs off, it sends an EAPOL-logoff message, causing the router port to change to the unauthorized state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
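To make the port-state rules of this section and the host-mode and reauthentication rules above concrete, here is an added Python model of one authenticator port (example code, not from the Cisco guide or IOS): the ingress filter applied while unauthorized, single-host versus multi-host behaviour, the server retry cap, the return to the unauthorized state on link down, EAPOL-logoff or failure, and the Termination-Action handling when Session-Timeout expires. The class and method names, the event vocabulary and the retry cap are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "UNAUTHORIZED", "AUTHORIZED"
ALWAYS_ALLOWED = {"EAPOL", "CDP", "STP"}                 # the only ingress an unauthorized port passes
INITIALIZE, REAUTHENTICATE = "DEFAULT", "RADIUS-Request"  # Termination-Action (attribute 29) values

@dataclass
class Dot1xPort:
    """Hypothetical model of one authenticator port; names are assumptions, not IOS internals."""
    host_mode: str = "single-host"                       # "single-host" or "multi-host"
    voice_vlan: bool = False
    max_server_tries: int = 2                            # assumed cap, in the spirit of MaxReq = 2
    status: str = UNAUTHORIZED
    supplicants: set = field(default_factory=set)        # MACs currently authorized on the port
    server_tries: int = 0

    def ingress_allowed(self, protocol: str) -> bool:
        if self.status == AUTHORIZED:
            return True                                  # all of the supplicant's traffic flows
        return protocol in ALWAYS_ALLOWED or (self.voice_vlan and protocol == "VOIP")

    def deauthorize(self) -> None:
        """Link down, EAPOL-Logoff or a failed (re)authentication: back to the unauthorized state."""
        self.status = UNAUTHORIZED
        self.supplicants.clear()                         # multi-host: every attached host loses access

    def link_up(self) -> str:
        """With authentication port-control auto the router starts the exchange itself."""
        self.status, self.server_tries = UNAUTHORIZED, 0
        return "EAP-Request/Identity"

    def supplicant_seen(self, mac: str) -> None:
        """Single-host: a different supplicant replacing the first takes the port down."""
        if self.host_mode == "single-host" and self.supplicants and mac not in self.supplicants:
            self.deauthorize()

    def server_accept(self, mac: str) -> None:
        self.supplicants.add(mac)                        # one success authorizes the whole port
        self.status, self.server_tries = AUTHORIZED, 0

    def server_unreachable(self) -> str:
        """Resend until the cap is hit; after that the attempt fails and no access is granted."""
        self.server_tries += 1
        if self.server_tries < self.max_server_tries:
            return "RETRY"
        self.server_tries = 0
        self.deauthorize()
        return "FAILED"

    def session_timeout(self, termination_action: str) -> str:
        """Session-Timeout (attribute 27) expired: Initialize ends the session, ReAuthenticate keeps it."""
        if termination_action == INITIALIZE:
            self.deauthorize()                           # connectivity is lost during reauthentication
        return "EAP-Request/Identity"                    # reauthentication begins in both cases
```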
Use the IEEE 802.1X—Conditional Logging feature for troubleshooting. When the Conditional Logging feature is enabled, the router generates debugging messages for packets entering or leaving the router on a specified interface; the router will not generate debugging output for packets entering or leaving through a different interface. You can specify the interfaces explicitly. For example, you may want to see only debugging messages for one interface or subinterface. You can also turn on debugging for all interfaces that meet the configured condition. This feature is useful on dial access servers, which have a large number of ports.
Normally, the router will generate debugging messages for every interface, resulting in a large number of messages. The large number of messages consumes system resources, and can affect your ability to find the specific information you need. By limiting the number of debugging messages, you can receive messages related to only the ports you want to troubleshoot.
For more information on conditional logging and enabling conditionally triggered debugging, see the “Enabling Conditionally Triggered Debugging” section of the “Troubleshooting and Fault Management” chapter in the Basic System Management Configuration Guide.
Cisco IOS Release 12.4(11)T provides support for the following MIBs that provide SNMP access to IEEE 802.1X feature components:
The IEEE8021-PAE-MIB supports reporting of the following information:
The Cisco-PAE-MIB provides SNMP support for the logging and reporting of events, including:
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication dot1x {default | listname} method1 [method2...]
5. dot1x system-auth-control
6. identity profile default
7. interface type slot/port
8. authentication port-control {auto | force-authorized | force-unauthorized}
9. dot1x pae [supplicant | authenticator | both]
10. end
11. show dot1x
Note: This section describes IEEE 802.1X security features available only on the switch ports.
1. enable
2. configure terminal
3. radius-server vsa send authentication
4. interface type number
5. authentication host-mode {multi-auth | multi-domain | multi-host | single-host} [open]
6. switchport voice vlan vlan-id
7. end
8. show authentication interface type number
9. copy running-config startup-config
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Device> enable) | Enables privileged EXEC mode.
Step 2 | configure terminal (Example: Device# configure terminal) | Enters global configuration mode.
Step 3 | radius-server vsa send authentication (Example: Device(config)# radius-server vsa send authentication) | Configures the Network Access Server (NAS) to recognize and use vendor-specific attributes.
Step 4 | interface type number (Example: Device(config)# interface fastethernet 2/1) | Specifies the port to which multiple hosts are indirectly attached, and enters interface configuration mode.
Step 5 | authentication host-mode {multi-auth \| multi-domain \| multi-host \| single-host} [open] (Example: Device(config-if)# authentication host-mode single-host) | Allows a single host (client) or multiple hosts on the 802.1X-authorized port.
Step 6 | switchport voice vlan vlan-id (Example: Device(config-if)# switchport voice vlan 2) | (Optional) Configures the voice VLAN.
Step 7 | end (Example: Device(config-if)# end) | Exits interface configuration mode and returns to privileged EXEC mode.
Step 8 | show authentication interface type number (Example: Device# show authentication interface) | Displays your entries.
Step 9 | copy running-config startup-config (Example: Device# copy running-config startup-config) | Saves your entries in the configuration file.
1. enable
2. configure terminal
3. snmp-server enable traps dot1x notification-type
Step | Command or Action | Purpose
---|---|---
Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode.
Step 2 | configure terminal (Example: Router# configure terminal) | Enters global configuration mode.
Step 3 | snmp-server enable traps dot1x notification-type (Example: Router(config)# snmp-server enable traps dot1x no-guest-vlan) | Enables SNMP logging and reporting when no Guest VLAN is configured or available.
Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication port-control command replaces the dot1x port-control command.
Note: Whenever you configure any IEEE 802.1X parameter on a port, a dot1x authenticator is automatically created on the port. As a result, the dot1x pae authenticator command appears in the configuration to ensure that IEEE 802.1X authentication still works without manual intervention on legacy configurations. The appearance of the IEEE 802.1X information in the configuration is likely to change in future releases.
Note: In this example the Ethernet interface is configured as an access port by using the switchport mode access command in interface configuration mode. The Ethernet interface can also be configured as a trunk port using the switchport mode trunk command in interface configuration mode.
```
Device> enable
Device# configure terminal
Device(config)# dot1x system-auth-control
Device(config)# aaa new-model
Device(config)# aaa authentication dot1x default group radius
Device(config)# interface fastethernet2/1
Device(config-if)# switchport mode access
Device(config-if)# authentication port-control auto
Device(config-if)# dot1x pae authenticator
Device(config-if)# end
Device# show dot1x interface fastethernet7/1 details

Dot1x Info for FastEthernet7/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Supplicant                = 1000.0000.2e00
Auth SM State             = AUTHENTICATED
Auth BEND SM Stat         = IDLE
Port Status               = AUTHORIZED
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = N/A
```
The following example shows how to enable 802.1X authentication and to allow multiple hosts:
```
Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/1
Device(config-if)# authentication port-control auto
Device(config-if)# authentication host-mode multi-host
Device(config-if)# end
```
The following example displays show dot1x all command output:
```
Device# show dot1x all
Sysauthcontrol            Enabled
Dot1x Protocol Version    2

Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Router-871#
```
The following example displays show dot1x summary command output:
```
Device# show dot1x all summary
Interface       PAE     Client          Status
------------------------------------------------------------------------------------------
Fa1             AUTH    000d.bcef.bfdc  AUTHORIZED
```
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |

Standard/RFC | Title
---|---
IEEE 802.1X | Port Based Network Access Control
RFC 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

MIB | MIBs Link
---|---
 | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
CDP Enhancement—Host Presence TLV | Cisco IOS 15.2(2)T, Cisco IOS 15.2(1)E | This feature allows you to ensure that only one client can be connected to the 802.1X-enabled port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
IEEE 802.1X Authenticator | Cisco IOS 12.3(4)T, Cisco IOS 15.2(2)T, Cisco IOS 15.3(1)S, Cisco IOS 15.2(1)E | This feature was introduced to prevent unauthorized devices (supplicants) from gaining access to the network. The following commands were introduced or modified: aaa accounting, dot1x guest-vlan, snmp-server enable traps.
IEEE 802.1X-Conditional Logging | Cisco IOS 15.2(2)T, Cisco IOS 15.2(1)E | The IEEE 802.1X-Conditional Logging feature is used for troubleshooting interfaces.
IEEE 802.1X MIB Support | Cisco IOS 12.4(11)T, Cisco IOS 15.2(1)E | This feature provides support for the following MIBs:
IEEE 802.1X Support for Trunk Ports | Cisco IOS 15.2(1)E | The IEEE 802.1X Support for Trunk Ports feature is used to configure Ethernet interfaces as trunk ports.